DNS放大攻击.docVIP

DNS Amplification Attack Posted on March 28th, 2006 in Admin, HowTo, Network, Security, Technology Recently a new type of DNS attack have been discovered. Attackers are exploiting the recursive name servers to amplify the DDoS attacks by utilizing IP spoofing. If you want to know the very details of how this attack works then you must read DNS Amplification Attacks (pdf) by Randal Vaughn and Gadi Evron where they analyze 3 real attacks. Also this Cnet news article have some details about the attack. At the heart of this attack is the recursive function of DNS servers. This is a very serious threat because The Measurement Factory in recent survey found that: “There are an estimated 7.5 million external DNS servers on the public Internet. Over 75% of domain name servers (of roughly 1.3 million sampled) allow recursive name service to arbitrary queriers. This opens a name server to both cache poisoning and attacks. Here I’ve drawn the diagrams to explain what is Recursive DNS Query and how DNS Amplification Attacks work. Normal DNS query (Recursive) Step 1: The User’s PC with ip address My IP Address makes a DNS query to the Primary DNS Server configured in it’s TCP/IP properties, asking to resolve the ip address for . Step 2 to Step 7 (Recursive Query): User’s Primary DNS Server is not authoritative for the domain . So, it asks the Root Servers which then points it to .com Namespace from where it learns about the Primary DNS Server of , which replies with the IP Address of . Step 8: The IP Address of is cached in the User’s Primary DNS Server and it replies to the User’s PC with the IP Address for . Step 1: The attacker sends a signal to the compromised PCs to start DNS queries. Step 2: All compromised PCs with spoofed ip address Victim IP Address make a DNS query to the Primary DNS Servers configured in their TCP/IP properties, asking to resolve the ip address for . Step 3 to Step 8 (Recursive Query): User’s Primary DNS Servers are not authoritative for the domain