Yet another DNS-related threat has reared its ugly head.
Prolexic, a global leader in distributed-denial-of-service (DDoS) protection services, issued a “Risk Factor—High” threat advisory on February 11 regarding DNS Flooder v1.1, an outlaw toolkit that makes it easier and faster to launch reflection attacks.
According to IT Business Net, this latest innovation from the dark side of IT can be purchased by attackers who use it to set up their own DNS servers as launchpads for reflection attacks, eliminating the need to find open and vulnerable resolvers on the Internet. This means that attackers can initiate larger attacks without spending time building botnets.
According to the Prolexic threat advisory—which outlines a series of indicators and recommends mitigation techniques—DNS Flooder makes it possible to greatly amplify responses in a reflection attack.
If your network team has Infoblox Advanced DNS Protection (or if you don’t but you’d like to know more about it), the thing to know is this:
According to the threat advisory, DNS Flooder toolkit v1.1 gets its amplified responses by sending DNS requests of type “ANY”, which return every record the server holds for the queried name and so are many times larger than the request that triggered them. Infoblox Advanced DNS Protection has a threat rule for “DNS Amplification and Reflection” that covers this attack: it identifies such requests and drops them once they exceed the rule’s rate threshold, protecting your DNS server.
Our research team downloaded the toolkit to confirm this, and here is what happens.
Here is the log output:
Tue Feb 11 14:30:23 2014 sid=130400100, gid=1, Engine id=3, Protocol=17, Action=ALERT (3), Repeat Cnt=0, src_ip=192.168.1.101, dst_ip=192.168.1.100, src_port=55360, dst_port=53
Tue Feb 11 14:30:23 2014 sid=130400100, gid=1, Engine id=3, Protocol=17, Action=DROP (4), Repeat Cnt=0, src_ip=192.168.1.101, dst_ip=192.168.1.100, src_port=55360, dst_port=53
Notice the switch from ALERT to DROP once the request rate hit the threshold. This behavior ensures two things: that your server is not the victim of the attack, and that your infrastructure is not used to amplify attacks against others.
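To make the ALERT-then-DROP behavior in the log concrete, here is an added illustration (not Infoblox code and not part of the original post) of the same idea: parse the QTYPE out of a raw DNS query, flag ANY queries, and drop them once one source sends more than a threshold within a sliding window. The window length, the threshold, the per-source keying, the function names and the sample packets are all assumptions made for the example; the product’s actual rule parameters are not stated on this page.

```python
import struct
from collections import Counter, defaultdict, deque

QTYPE_ANY = 255          # RFC 1035 QTYPE value for "ANY" (the "*" query)
WINDOW_SECONDS = 1.0     # assumption: length of the sliding rate window
DROP_THRESHOLD = 3       # assumption: ANY queries per source per window before DROP


def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query packet (constructed sample input, not a capture)."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    qname += b"\x00"                                   # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def question_qtype(packet):
    """Return the QTYPE of the first question, or None if the packet is malformed."""
    if len(packet) < 12:
        return None
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        return None
    pos = 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        if length == 0:          # root label ends the name
            pos += 1
            break
        if length & 0xC0:        # compression pointer: not valid for the name in a query
            return None
        pos += 1 + length
    if pos + 4 > len(packet):
        return None
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return qtype


class AnyQueryRateLimiter:
    """ALERT on ANY queries; DROP once a source exceeds the per-window threshold."""

    def __init__(self, window=WINDOW_SECONDS, threshold=DROP_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)   # src_ip -> timestamps of recent ANY queries

    def handle(self, ts, src_ip, packet):
        """Return the action for one query: PASS, ALERT or DROP."""
        qtype = question_qtype(packet)
        if qtype is None:
            return "DROP"                   # malformed query: never worth answering
        if qtype != QTYPE_ANY:
            return "PASS"                   # ordinary query, let the server answer it
        seen = self._recent[src_ip]
        while seen and ts - seen[0] > self.window:
            seen.popleft()                  # expire events outside the window
        seen.append(ts)
        return "DROP" if len(seen) >= self.threshold else "ALERT"


def run_flood(limiter, src_ip, name, count, interval):
    """Replay `count` ANY queries from one source spaced `interval` seconds apart."""
    pkt = build_query(name, QTYPE_ANY)
    return Counter(limiter.handle(i * interval, src_ip, pkt) for i in range(count))


if __name__ == "__main__":
    limiter = AnyQueryRateLimiter()
    # Ten ANY queries in half a second from one source (constructed, modelled on the log above).
    print(run_flood(limiter, "192.168.1.101", "example.com", 10, 0.05))
    # An ordinary A query from the same source still passes.
    print(limiter.handle(0.6, "192.168.1.101", build_query("example.com", 1)))
```

The first ANY queries from a source are only alerted on, so a legitimate client that occasionally asks for ANY is not cut off; once the rate crosses the threshold the rest are dropped, which is what stops the server from being used as an amplifier. Keying on the source address is what makes this work against reflection specifically: the spoofed source is the victim, and it is exactly that address whose ANY traffic gets throttled.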
Infoblox Advanced DNS Protection builds these security capabilities into the DNS server itself, so it can mitigate known attack types as well as new variants of them.