The beginning of this article can be read in Part I.
Types of attacks
The following DNS attacks and kinds of DNS misuse have been identified with open recursive servers:
- Cache Poisoning, Man-in-the-Middle
- DNS Amplification
- DNS Reflection
- Distributed reflection DoS (DrDoS)
- DNS-based exploits
- Protocol anomalies
- DNS tunneling
- DNS hijacking
- NXDOMAIN
- Phantom domain/Random subdomain
Some math
I assume that any broadband router can handle up to 1000 QPS (I checked it on my Linksys router) in an amplification attack, and much more without amplification. Each desktop or laptop can generate thousands of DNS queries per second.
For attackers it is not necessary to create a special DNS zone, because a lot of zones are already signed (DNSSEC) and attackers can choose any of them. For example:
- org (a consortium which produces bind) had a 4k response;
- gov has 4992 bytes in its response.
The DNS request itself will be only about 70 bytes. For example, for energystar.gov the amplification will be 4994/74 = 67.5 times.
Here are some calculations for an amplification attack using open resolvers and/or botnets:
- Using only the broadband routers I found in the network of my Internet provider, a bad guy can generate 56 Gb/s (69 routers * 4992 bytes * 1000 QPS) of traffic while spending only 0.56 Mb/s of inbound traffic per router, or 38.95 Mb/s per network;
- Almost every broadband Internet user in Moscow now has a 10 Mb/s Internet connection, so:
  - their computer can easily generate about 18k QPS for energystar.gov (10 Mbps / 74 B), which can be sent to any DNS server;
  - the DNS server will generate 685.5 Mb/s (18k QPS * 4992 B) of outbound traffic;
  - 15 infected computers and one unprotected, powerful DNS server can generate 10 Gb/s of traffic, which is enough to overload a network connection.
All these open DNS resolvers can also be used for a DNS-based slow-drip DDoS attack.
So you can see that DNS can easily be utilized for attacks and can be dangerous.
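The arithmetic above, carried through as an added example (not code from the article): it computes the amplification factor and the outbound load an open resolver would emit from the article's request and response sizes, and adds the defender's counterpart, the QPS cap that keeps amplified output within a share of the resolver's link. Link rates are converted with 8 bits per byte and no framing overhead, so they come out slightly below the article's rounded figures.

```python
# Added example, not from the article. Sizes are the article's figures for a
# query to energystar.gov and its DNSSEC-signed answer.
REQUEST_BYTES = 74      # on-the-wire size of the DNS query, per the article
RESPONSE_BYTES = 4992   # size of the signed answer, per the article


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes the victim receives per byte the attacker sends."""
    return response_bytes / request_bytes


def max_qps_for_uplink(uplink_bps: float, request_bytes: int) -> int:
    """Queries per second one host can source over a link of uplink_bps.

    Raw payload bits only; IP/UDP/Ethernet framing would lower this further.
    """
    return int(uplink_bps / (request_bytes * 8))


def outbound_bps(qps: float, response_bytes: int) -> float:
    """Traffic the resolver emits toward the spoofed source at a given query rate."""
    return qps * response_bytes * 8


def safe_qps_limit(link_bps: float, response_bytes: int, share: float = 0.1) -> int:
    """Defender's sizing: the per-resolver QPS cap that keeps amplified output
    under `share` of the link even if every query draws the largest answer.
    `share` of 10% is an assumed budget, not a value from the article."""
    return int(link_bps * share / (response_bytes * 8))


if __name__ == "__main__":
    print(f"amplification: {amplification_factor(REQUEST_BYTES, RESPONSE_BYTES):.1f}x")
    qps = max_qps_for_uplink(10e6, REQUEST_BYTES)          # one 10 Mb/s subscriber
    print(f"one host: {qps} QPS -> resolver emits "
          f"{outbound_bps(qps, RESPONSE_BYTES) / 1e6:.0f} Mb/s")
    print(f"QPS cap for a 1 Gb/s resolver link at 10% amplified load: "
          f"{safe_qps_limit(1e9, RESPONSE_BYTES)}")
```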
Description of the testing environment
My DNS server is located in Germany, has a stable 1 Gb/s Ethernet connection and for the last 4 years has served authoritative DNS. One month before the study I migrated the server to a new platform, so its IP addresses changed. In authoritative mode it received no more than 2 queries per second (QPS), and on average less than 0.5.
I used an Infoblox Trinzic v820 as the DNS server, an Infoblox Trinzic Reporting v800-1G for standard reports and my own reporting system (written by myself) for the deep data analysis. Domains that were used for attacks were blocked on a DNS Firewall. The maximum QPS rate was limited after 5 months.
Objectives
I defined several questions that should be answered during the study:
- How fast will my DNS server receive the first recursive query?
- How fast will it receive inappropriate requests?
- Measure the average and maximum QPS under attack
- Find the victims
- Try to find infected networks
- Find out which domains and requests are used for attacks
- Try to identify the types of attacks
- How long will my server still be used after I turn off the open resolver?