In today’s post we describe a new amplification attack we’ve observed only a few days ago, and which we believe is a new phase in the evolution of DDoS attacks. Before getting into the details, let’s start with a quick recap of what amplification attacks really are.
DNS amplification is an attack vector where small DNS queries, usually of an ‘ANY’ query type, are sent to recursive DNS servers with the intent of generating very large responses. The responses are often targeted toward a victim using forged source IPs (the victim’s). The DNS responses can be upwards of 4k in size, which, when compounded thousands of times per second, result in huge traffic volumes, which can overwhelm (or bring down) the victim’s network.
On September 29th, early morning UTC time, we’ve observed huge waves of a new type of DNS amplification attack. several SERVFAIL spikes have been observed in multiple networks, at the same exact time (yes, our global visibility rocks):
The spike was caused by a `TXT` query type, which is quite unusual: around 03:50 UTC time, the number of `TXT` queries out of worldwide DNS traffic reached 23%, where the normal ratio of queries of this type is less than 2%:
A deeper dive into the details of this attack showed that a new purpose-built domain, mpaaweb[.]com, was used in this amplification attack. It was discovered & blocked by our security researcher @hula in the early morning of Sept 27th, 2 days before this massive attack erupted (the domain was also reported by a few twitter accounts and some online forums, for example, https://twitter.com/tobbe_interlan/status/912953202257088513 and https://serverfault.com/questions/874468/freebsd-ipfw-not-blocking-attack-traffic-as-expected)
Looking at a screenshot from the attack (below) reveals a couple of things:
- The attacker attempted to create an answer section with a message size of 4K (which is the desirable size in an amplification attack).
- The attacker has some knowledge of the Old Testament, as he uses verses from the Book of Jeremiah as the text for his messages… (and Jeremiah, by the way, tells the story of the fall of Jerusalem to the Babylonians, so this might not be random text):
Why is it a dangerous development: new query type, new attack volume
DNS amplification attacks usually exploit ANY type queries, which resolvers can block by applying truncation (Nominum’s ThreatAvert actually keeps a list of known amplification domains to block or rate-limit). A smarter attack finds alternative methods, which evade this truncation. Using `TXT` queries is one evasion method.
`TXT` queries can contain very rich information and create huge size answers, as seen in the screenshot above. We have observed similar attacks before, some of them using purpose-built domains such as mpaaweb[.]com; however, some attacks leverage high-ranked domains such as `github.com` when sending amplification TXT type queries (seen, for instance, on August 21st, 03:00 UTC), which makes the decision to block much more difficult (- since a lot of the traffic may be legitimate).
Here it was the first time we saw such new attack using `github.com` `TXT`. Although `github.com` TXT query answer is about 300, with a significant amount of attack queries, it can mount a significant amplification attack:
Even more dangerously, the number of amplification queries we have observed in this attack was in a different order of magnitude compared to previous amplification attacks. In an arbitrarily selected time window of 10 minutes during the duration of the attack, the #1 ranked domain in the world was mpaaweb[.]com with about 89 million queries (all of them .TXT type); for the record, the #2 ranked domain was google.com with 300k queries, and #3 was apple.com with 229k queries (mostly A type).
Our educated guess is that this attack was generated by an IoT botnet, which is probably the only way to reach this magnitude of queries in such a short time. The unfortunate conclusion is that we should be prepared for a new generation and new waves of IoT-induced DDoS attacks, and pretty soon.