Enterprises Should Pay More Attention to DNS Reflection Attacks Than to Other DDoS Attacks

This article looks at the threat of DDoS attacks and at why DNS reflection attacks are likely to make up a growing share of them.

The threat posed by DDoS attacks is ever-growing, and the topic continues to concern the industry as a whole. Here I would like to share my prediction that DNS reflection attacks (and other amplification attacks) will play a more dominant part in DDoS attacks in the future, and why.

The main driver behind these DNS attacks is the shrinking pool of bots available for rent. One explanation is that the authorities have become more effective at taking down major botnets. With fewer bots to hand, hacktivists and other cyber criminals are looking for new ways to amplify their attacks.

So how does a DNS reflection attack work? It is actually quite simple: the attacker amplifies the traffic it generates by reflecting it off an open DNS resolver. Imagine sending a 40-byte DNS query to a resolver and getting back a 2,500-byte response. That sounds like a pretty good deal, right? Now imagine spoofing the source IP address of that query so that it appears to come from your target. You can see where this is leading: the resolver dutifully sends the large response to the victim. Every small query the attacker sends becomes a large response delivered to the target, and the resolver, not the attacker, is the apparent source.

DNS queries normally travel over UDP, which is connectionless: there is no handshake, so the resolver has no way to check that the source address in a query is genuine unless the network the query passes through filters spoofed packets. This makes spoofing trivial and lets the attacker turn a small query into a much larger response aimed at the victim.
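The following is an added example, not code from the original article: it builds the kind of query a reflection attack relies on (an ANY query with an EDNS0 OPT record advertising a 4,096-byte UDP payload, which is what makes responses large instead of truncated at 512 bytes) and measures how much a resolver amplifies it. The response used here is constructed in the code so the example runs offline; `query_resolver()` is the live check and should only be pointed at resolvers you are authorised to test. The name `example.com`, the transaction ID and the TXT record sizes are illustrative assumptions.

```python
"""Added example (not from the original article): build the kind of DNS
query a reflection attack relies on, and measure how much a resolver
amplifies it. The constructed response below stands in for a real open
resolver so the example runs offline; query_resolver() is the live check,
to be run only against resolvers you are authorised to test."""
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS label format (RFC 1035 section 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 255, txid: int = 0x1234,
                udp_payload: int = 4096) -> bytes:
    """Wire-format query with RD set and an EDNS0 OPT record (RFC 6891).

    qtype 255 (ANY) asks for every record at the name, and the OPT record
    advertises a 4096-byte UDP payload so the resolver answers in full
    instead of truncating at the classic 512-byte limit. Both choices exist
    to make the response as large as possible relative to the query.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, CLASS field carries the UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header: QR says it is an answer, RA that the
    server offers recursion to us, TC that it truncated the reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "recursion_available": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "answers": an,
        "size": len(data),
    }


def is_open_resolver(query: bytes, response: bytes) -> bool:
    """A server that answers a recursive query for a name it is not
    authoritative for, with RA set and NOERROR, is recursing for anyone."""
    h = parse_header(response)
    return (h["is_response"] and h["txid"] == parse_header(query)["txid"]
            and h["recursion_available"] and h["rcode"] == 0 and h["answers"] > 0)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker has to send."""
    return len(response) / len(query)


def query_resolver(host: str, name: str = "example.com", timeout: float = 3.0):
    """Live check (needs network, never called at import time): send the
    query to a resolver over UDP and return (query, response)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (host, 53))
        data, _ = s.recvfrom(65535)
    return q, data


def constructed_response(query: bytes, name: str, n_txt: int = 12,
                         txt_len: int = 200) -> bytes:
    """Constructed stand-in for an open resolver's answer: QR|RD|RA flags,
    the original question, then n_txt TXT records of txt_len bytes each,
    every answer name compressed to a pointer (0xC00C) at the question."""
    txid = parse_header(query)["txid"]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_txt, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 255, 1)
    rdata = bytes([txt_len]) + b"A" * txt_len        # one <length><chars> TXT string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + rr * n_txt


def demo() -> dict:
    """Offline run: the 40-byte ANY query for example.com against the
    constructed response above."""
    q = build_query("example.com")
    r = constructed_response(q, "example.com")
    return {
        "query_bytes": len(q),
        "response_bytes": len(r),
        "amplification": amplification_factor(q, r),
        "open_resolver": is_open_resolver(q, r),
    }


if __name__ == "__main__":
    print(demo())
```

The ANY query for `example.com` with an OPT record is exactly 40 bytes on the wire, and the constructed answer comes to a little over 2,500 bytes, which is the ratio the article describes. Against a real resolver, `is_open_resolver()` returning true for a name the server is not authoritative for is the condition that makes it usable as a reflector.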

DNS reflection attacks will be a preferred tool for three simple reasons:

  1. The top ten AS numbers with the most open DNS resolvers alone account for around 20,000 open resolvers*
  2. An attack can be amplified many times over (the 40-byte query and 2,500-byte response above is a factor of more than 60, and figures as high as 250 are cited), so it requires very little bandwidth on the attacker's side. The more bots the attacker controls, the bigger the effect
  3. Because the attack is reflected, the victim sees traffic from the resolvers rather than from the attacker. Open resolvers very often have little or no query logging turned on, and even where they do log, the recorded source address is the spoofed one, so the attacker can easily hide behind them

Over the last two years we have seen an increasing number of attacks using this technique, and it has been very effective for cyber criminals. Some attacks have peaked at around 35 Gbps, more than enough to saturate an average company's internet connection.
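From the victim's side of the network, reflected traffic has a distinctive shape: DNS responses (UDP source port 53) arriving from many resolvers at once, with no matching outbound query from the host and port they are addressed to. The following is an added example, not code from the original article, that applies that test to flow records; the records are constructed inline using documentation address ranges, and the field layout, the five-second matching window and the threshold of three distinct resolvers are assumptions chosen for illustration.

```python
"""Added example (not from the original article): spot reflected DNS
responses in flow records seen from the victim's side of the network.
A genuine response is preceded by a query from the same host and port;
a reflected one arrives unsolicited, from many resolvers at once, and is
large. The records below are constructed (RFC 5737 documentation ranges)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp_s, src_ip, src_port, dst_ip, dst_port, bytes) -- assumed flow layout
Flow = Tuple[float, str, int, str, int, int]

SAMPLE_FLOWS: List[Flow] = [
    # legitimate lookup: client asks 192.0.2.53 and gets its answer 20 ms later
    (0.00, "203.0.113.20", 40001, "192.0.2.53", 53, 40),
    (0.02, "192.0.2.53", 53, "203.0.113.20", 40001, 120),
    # reflected traffic: eight open resolvers answer queries 203.0.113.10 never sent
    *[(1.0 + i * 0.01, f"198.51.100.{i}", 53, "203.0.113.10", 80, 2585)
      for i in range(1, 9)],
    # a stray late answer: unsolicited, but from a single source, so below threshold
    (10.0, "192.0.2.53", 53, "203.0.113.20", 40001, 120),
]


def find_reflection_victims(flows: List[Flow], window: float = 5.0,
                            min_sources: int = 3) -> Dict[str, dict]:
    """Return hosts that received DNS responses from at least `min_sources`
    distinct resolvers without having sent a matching query within `window`
    seconds, with the packet count, byte total and set of reflecting resolvers."""
    last_query = {}    # (client, client_port, resolver) -> time of the last query
    unsolicited = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for ts, src, sport, dst, dport, size in sorted(flows):
        if dport == 53:                      # outbound query: remember who we asked
            last_query[(src, sport, dst)] = ts
            continue
        if sport != 53:                      # not DNS response traffic
            continue
        sent = last_query.get((dst, dport, src))
        if sent is not None and 0 <= ts - sent <= window:
            continue                         # answer to a query this host really made
        rec = unsolicited[dst]
        rec["packets"] += 1
        rec["bytes"] += size
        rec["sources"].add(src)
    return {host: rec for host, rec in unsolicited.items()
            if len(rec["sources"]) >= min_sources}


if __name__ == "__main__":
    for host, rec in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{host}: {rec['packets']} unsolicited responses, "
              f"{rec['bytes']} bytes from {len(rec['sources'])} resolvers")
```

The matching key is the reversed four-tuple, so a legitimate answer is recognised even though the client port is ephemeral. The source threshold is what separates a reflection attack from a single late or duplicate answer; in a real deployment the byte rate per victim over the window is the other figure worth alerting on, since that is what decides whether the link saturates.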

One thing to remember, however, is that a DDoS attack is very often just a smoke screen for a more sophisticated attack that can cost the company even more. The problem then is finding the needle in the haystack. How do an enterprise's security products cope with the influx of traffic during a DDoS attack? More importantly, can they still pick out things like SQL injection attempts in the storm of traffic?

So how can enterprises protect their business in the light of such threats? The approach is usually layered: enterprises need a combined defence against network-layer DDoS attacks (L2-L4) and application-layer DDoS attacks (L5-L7). Combining on-premises equipment that detects network-based DDoS attacks with protection at the application level closes the window for cyber criminals and stops attacks at both layers more efficiently. Two caveats apply to reflection attacks in particular. First, once a flood exceeds the capacity of the internet link itself, on-premises equipment cannot help on its own, and the traffic has to be filtered upstream by the ISP or a scrubbing provider. Second, the root causes are the open resolvers and the ability to spoof source addresses: resolver operators should restrict recursion to their own clients, and network operators should apply ingress filtering (BCP 38) so that packets with forged source addresses never leave their networks.

The risk of being hit by a DDoS attack has never been greater. DDoS attacks have become the de facto standard for online protest, and hacktivists will continue to use them to make themselves heard, whether for political, ideological, financial or religious reasons.


* HostExploit, World Hosts Report, Q3 2012


Linda Hui, managing director, HK and Taiwan at F5 Networks