Attackers launch multi-vector DDoS attacks that use DNSSEC amplification

19.07.2016
DDoS attacks are becoming increasingly sophisticated, combining multiple attack techniques that require different mitigation strategies, and abusing new protocols.

Incident responders from Akamai recently helped mitigate a DDoS attack against an unnamed European media organization that peaked at 363 Gbps (gigabits per second) and 57 million packets per second.

While the size itself was impressive and way above what a single organization could fight off on its own, the attack also stood out because it combined six different techniques, or vectors: DNS reflection, SYN flood, UDP fragment, PUSH flood, TCP flood, and UDP flood.

Almost 60 percent of all DDoS attacks observed during the first quarter of this year were multi-vector attacks, Akamai said in a report released last month. The majority of them used two vectors, and only 2 percent used five or more techniques.

The DNS (Domain Name System) reflection technique used in this large attack was also interesting, because attackers abused DNSSEC-enabled domains in order to generate larger responses.

DNS reflection involves abusing misconfigured DNS resolvers that respond to spoofed requests. Attackers can send DNS queries to these servers on the Internet by specifying the target's Internet Protocol (IP) address as the request's source address. This causes the server to direct its response to the victim instead of the real source of the DNS query.

This reflection is valuable for attackers because it hides the real source of the malicious traffic and because it can have an amplification effect: the responses sent to the victim by DNS servers are larger in size than the queries that triggered them, allowing attackers to generate more traffic than they could otherwise.

Querying domain names configured for Domain Name System Security Extensions (DNSSEC) only adds to the amplification factor, as DNSSEC responses are even larger than regular ones. That's because they carry additional data used for cryptographic verification.
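From the target's side, reflected traffic shows up as DNS responses that answer no query the target ever sent. The following sketch is an added example, not code from Akamai or from the original article; the flow-record layout, the addresses (documentation ranges), the 5-second window and the sample records are all constructed assumptions.

```python
from collections import defaultdict

PROTECTED = {"192.0.2.10"}  # assumed address of the host being defended
QUERY_TTL = 5.0             # assumed seconds an outbound query stays pending
LARGE = 512                 # classic DNS-over-UDP message limit without EDNS0

# Constructed flow records: (time_s, src, sport, dst, dport, bytes, dns_id)
FLOWS = [
    (0.00, "192.0.2.10", 40001, "198.51.100.53", 53, 68, 0x1A2B),   # own query
    (0.02, "198.51.100.53", 53, "192.0.2.10", 40001, 152, 0x1A2B),  # its answer
    (1.00, "203.0.113.7", 53, "192.0.2.10", 33333, 4021, 0x9999),   # never asked
    (1.01, "203.0.113.7", 53, "192.0.2.10", 33333, 4021, 0x9999),
    (1.02, "203.0.113.8", 53, "192.0.2.10", 41000, 3890, 0x0101),
    (9.00, "198.51.100.53", 53, "192.0.2.10", 40001, 152, 0x1A2B),  # late duplicate
]

def unsolicited_dns(flows, protected=PROTECTED, ttl=QUERY_TTL):
    """Return {resolver_ip: [packets, bytes, large_packets]} for inbound
    UDP/53 responses that match no recent query from a protected host."""
    pending = {}  # (client, client_port, resolver, dns_id) -> time sent
    stats = defaultdict(lambda: [0, 0, 0])
    for t, src, sport, dst, dport, size, dns_id in sorted(flows):
        if src in protected and dport == 53:
            pending[(src, sport, dst, dns_id)] = t
        elif dst in protected and sport == 53:
            sent = pending.pop((dst, dport, src, dns_id), None)
            if sent is not None and t - sent <= ttl:
                continue  # legitimate answer to our own query
            entry = stats[src]
            entry[0] += 1
            entry[1] += size
            entry[2] += size > LARGE  # DNSSEC-sized answers exceed 512 bytes
    return dict(stats)

def reflection_sources(stats):
    """Resolvers that sent large unsolicited responses, heaviest first."""
    hits = [ip for ip, (_, _, large) in stats.items() if large]
    return sorted(hits, key=lambda ip: stats[ip][1], reverse=True)

if __name__ == "__main__":
    stats = unsolicited_dns(FLOWS)
    for ip in reflection_sources(stats):
        print(ip, stats[ip])
```

The per-resolver byte totals give a filtering or rate-limiting list for the upstream provider; the small late duplicate is counted but not flagged, which keeps ordinary retransmissions out of that list.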

DNSSEC allows clients to authenticate the source of DNS data as well as the data's integrity, ensuring that DNS responses haven't been altered en route and were provided by the authoritative servers for the queried domain names.

"During the past few quarters, Akamai has observed and mitigated many DNS reflection and amplification DDoS attacks that abuse DNSSEC-configured domains," the Akamai researchers said in an advisory released Tuesday.

The company has observed the same DNSSEC-configured domain name being abused in DDoS amplification attacks against targets in different industries.

A separate Akamai advisory released Tuesday describes several DDoS campaigns this year against the network of the Massachusetts Institute of Technology. One of those attacks occurred in April and used DNS reflection by triggering responses for cpsc.gov and isc.org, two DNSSEC-enabled domain names.

"The domain owners themselves are not at fault and don't feel the effects of these attacks," the Akamai researchers said. "Attackers abuse open resolvers by sending a barrage of spoofed DNS queries where the IP source is set to be the MIT target IP. Most of these servers will cache the initial response so multiple queries are not made to the authoritative name servers."

Unfortunately, DNS is not the only protocol that can be used for DDoS amplification. The NTP, CHARGEN and SSDP protocols are also commonly used in such attacks, and as long as misconfigured servers and devices are available on the Internet, this technique will continue to be favored by attackers.

Lucian Constantin
