We see a lot of DNS amplification attacks, so we’re rarely impressed by them.
Today was different.
At 23:34 UTC May 22nd, we observed a new DDoS attack using DNS. Normally, amplification attacks use only the domain hoffmeister.be, but this time the attackers decided to use hoffmeister.br as well. Doesn’t look like much of a difference, but it is different; Hoffmeister.br is a domain that can never be registered according to .br. ccTLD policy.
Beside the usage of an unusual domain, this attack also had an unusual strength.
The chart below describes the beginning of the attack, where a clear spike of query type ‘ANY’ started around 23:30 UTC time, May 22nd:
The Y-axes represents the percentage of all queries that we observe; 0.07 means that at the peak, close to 7% of our sample of the queries worldwide were made to this non-existing domain.
The chart below compares the volume of queries between the .br and .be domains during the first 3 hours of the attack, based on the sample of the data from the most affected telecom (we observed this attack in multiple ISPs around the world):
Using the .br domain for an amplification attack might actually be an error in the attacker’s code, as .br and .be look very close to a typo; however, this may help us forecast a future threat: using a rather simple change, an attacker could potentially start a 73x larger amplification attack compared to attacks we see today.
We quickly classified hoffmeister.br as a purpose-built amp domain, so that even NXD response would be dropped, instead of blocking. This guarantees that if a Reflection is used, NXD is not directed at the target.
It is interesting to know that .br is DNSSEC-enabled TLD, and NXD response with a DNSSEC-enabled query returns a relatively large response, making this attack more potent.
We continue to monitor the situation and will update this blog entry as we process more information.