Over the past few weeks we’ve been helping customers who’ve been experiencing unusual spikes in traffic on their resolvers. Data obtained using Vantio Real Time Visibility and querystore commands revealed a substantial increase in the number of ANY queries, in some cases hundreds of millions. Additional data showed that the names being queried turned very small DNS questions into very large DNS answers. Both are indicators of a recent type of DDoS attack that leverages the DNS to amplify traffic and flood a target with it.
Further analysis revealed that some of these attacks took advantage of home gateways that answer DNS queries on their WAN interface. The DNS proxy running in the gateway responds to queries coming in over the provider’s network (in addition to responding to queries coming from the home network). Attackers can use these home gateways to launch amplification attacks by sending DNS queries to them, which are then forwarded to the provider’s resolvers, back to the home gateway, and out to the target, as shown below.
This created a challenging situation. ACLs on the servers did not filter the queries, since they were forwarded from home gateways and thus came from the provider’s address ranges. Filtering incoming DNS queries at the network border was not practical because considerable legitimate DNS traffic enters the network, either destined for the provider’s own DNS servers or for subscribers who run DNS servers. Upgrading the home gateways was also not possible because they were outside the provider’s control.
Remediating the attacks at the resolver became the only viable solution, and it was accomplished using advanced policies that target attack traffic while leaving legitimate DNS traffic untouched. This immediately removed considerable stress from the resolvers (and from the operations teams).
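As an added illustration of the signals described above (a per-client spike in ANY queries, and small questions producing very large answers), here is a small detector written for this post; it is not Vantio or querystore code. It runs over constructed query-log lines, and the log format, field order, provider address range and thresholds are all assumptions. The `acl_would_block` field shows why a source-address ACL alone did not help: clients forwarding through home gateways sit inside the provider’s own ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of resolver query-log records (not Vantio output):
# client IP, query name, query type, query size in bytes, response size in bytes.
SAMPLE_LOG = """\
10.20.30.40 isc.org ANY 64 3300
10.20.30.40 isc.org ANY 64 3300
10.20.30.40 isc.org ANY 64 3300
10.20.30.41 ripe.net ANY 64 2900
10.20.30.42 www.example.com A 60 76
10.20.30.42 mail.example.com MX 63 120
198.51.100.7 example.net ANY 62 3100
198.51.100.7 example.net ANY 62 3100
"""

PROVIDER_RANGES = [ipaddress.ip_network("10.20.0.0/16")]  # assumed provider space

def parse_log(text):
    """Parse one record per line into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ip, qname, qtype, qsize, rsize = parts
        records.append({"ip": ip, "qname": qname, "qtype": qtype,
                        "qsize": int(qsize), "rsize": int(rsize)})
    return records

def in_provider_ranges(ip):
    """True when the client address falls inside the provider's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES)

def find_amplifiers(records, min_any=2, min_ratio=10.0):
    """Per client: count ANY queries and track the largest response/query ratio.
    Flag clients with at least min_any ANY queries whose ratio reaches min_ratio."""
    stats = defaultdict(lambda: {"any": 0, "ratio": 0.0})
    for r in records:
        s = stats[r["ip"]]
        if r["qtype"] == "ANY":
            s["any"] += 1
        s["ratio"] = max(s["ratio"], r["rsize"] / max(r["qsize"], 1))
    flagged = {}
    for ip, s in stats.items():
        if s["any"] >= min_any and s["ratio"] >= min_ratio:
            flagged[ip] = {"any": s["any"], "ratio": round(s["ratio"], 1),
                           "acl_would_block": not in_provider_ranges(ip)}
    return flagged
```

Calling `find_amplifiers(parse_log(SAMPLE_LOG))` flags the two repeat ANY senders; only the one outside the provider’s ranges would be stopped by an ACL.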
Attacks that rely on the DNS for amplification appear to be on the rise. It’s worth taking a minute to review, and if necessary implement, best practices to protect DNS infrastructure. DNS amplification attacks rely on two things to succeed:
- IP address spoofing, which allows an attacker to direct DNS traffic to a target of their choosing and also makes it difficult to trace the source of an attack.
- DNS resolvers that accept incoming DNS queries from any host. These “open” resolvers do not have Access Control Lists to filter IP addresses and limit access to clients that are authorized to access the server; instead they answer queries from any host.
The current situation aside, a long-standing network best practice (IETF BCP 38) calls for filtering of ingress traffic to verify that IP source addresses are not being spoofed. Specific approaches for doing this, such as source address validation and the unicast RPF check, are widely available; virtually every network equipment vendor supports them. Ingress filtering protects networks from many other threats beyond DNS DDoS traffic, so it’s a simple and wise investment.
Unless there is a compelling business reason to run an open resolver, it’s simple and strongly recommended to configure ACLs that limit incoming queries to the IP address ranges of the provider’s network. This feature is available on all DNS servers and shouldn’t be overlooked. Although ACLs did not help in the case described above, they will deter other kinds of attacks.
Providers that prevent address spoofing on their networks and refuse DNS queries from IP addresses outside their own ranges help protect both the greater Internet and their own networks, not only from amplification attacks but from other kinds of DDoS as well.