Essential Guide

Endless variety: Dealing with advanced threats


How a DNS reflection attack differs from a standard DoS attack program

A DNS reflection attack is like a regular denial-of-service attack, but much worse. Nick Lewis explains why.

What is a DNS reflection denial-of-service (DoS) attack? How is it different from a DoS attack, and how can we defend against one?

A DNS reflection DoS attack is an application-layer DoS attack that exploits vulnerabilities in DNS servers and insecurely configured networks. CloudFlare has a good blog post outlining the issue with DNS reflection DoS attacks. In a DNS reflection DoS attack, a client, such as a desktop, sends a DNS request with a forged source address, the IP of the distributed DoS (DDoS) target, and the DNS server sends its DNS response to that spoofed IP. The DNS response is relatively large, so a large amount of traffic is sent to the targeted host, creating a denial of service. DNS reflection attacks differ from DDoS attacks by botnets in that the DNS servers are not responsible for maintaining secure networks.

Reflection DDoS attacks, which use spoofed source addresses to exploit vulnerabilities in different network protocols as part of a DDoS attack, will only grow, given the increasing sophistication of the content distribution networks that are used to protect websites from DDoS attacks. Future attacks could target multicast or high-bandwidth User Datagram Protocol (UDP) video protocols. Attackers may even attack customers of high-profile websites to disrupt business.

The Open Resolver project is an industry effort to track and encourage Internet infrastructure operators to secure their DNS servers, referencing instructions from Team Cymru on how to secure name servers. Organizations should also follow BCP38, which provides information on using ingress filtering to deal with DoS attacks that use forged IP addresses.

Restricting external access to open DNS resolvers could help reduce the impact of a DNS reflection DoS attack, along with throttling inbound and outbound DNS traffic at ISPs. Organizations can also monitor their DNS servers and network. Spikes in bandwidth, a high number of queries for a specified name or IP, or malformed DNS packets may indicate that the organization is participating in an attack. Organizations might also want to include DNS reflection DoS attacks in planning exercises and determine whether they are a high enough risk to justify an incident-response plan or new security controls.
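The monitoring described above can be sketched as a small log check. This is an added example, not part of the original answer: it counts queries per source address and per queried name in fixed time windows and reports the response-to-query byte ratio for anything over a threshold. The log format (`epoch client qname query_bytes response_bytes`), the thresholds, and the sample addresses and names are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW = 10       # seconds per counting window (assumed value)
MAX_QUERIES = 20  # queries per key per window before flagging (assumed value)

def parse(line):
    """Return (ts, client, qname, query_bytes, response_bytes), or None if unparseable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return int(parts[0]), parts[1], parts[2].lower(), int(parts[3]), int(parts[4])
    except ValueError:
        return None

def detect(lines, window=WINDOW, max_queries=MAX_QUERIES):
    """Flag source IPs and names over max_queries in one window.
    In a reflection attack the logged source IP is the spoofed victim address."""
    stats = defaultdict(lambda: [0, 0, 0])  # (window, kind, key) -> [queries, bytes in, bytes out]
    skipped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        ts, client, qname, qlen, rlen = rec
        bucket = ts - ts % window
        for kind, key in (("client", client), ("qname", qname)):
            s = stats[(bucket, kind, key)]
            s[0] += 1
            s[1] += qlen
            s[2] += rlen
    alerts = []
    for (bucket, kind, key), (n, qin, rout) in sorted(stats.items()):
        if n > max_queries:
            ratio = round(rout / qin, 1) if qin else 0.0
            alerts.append({"window": bucket, "kind": kind, "key": key,
                           "queries": n, "bytes_out": rout, "amplification": ratio})
    return alerts, skipped

def sample_log():
    """Constructed log: five normal lookups, a 40-query burst, one garbled line."""
    lines = [f"{1000 + i} 192.0.2.{10 + i} www.example.com. 44 120" for i in range(5)]
    lines += [f"{1000 + i % 10} 203.0.113.7 big.example.net. 40 3200" for i in range(40)]
    lines.append("garbled record")
    return lines

if __name__ == "__main__":
    alerts, skipped = detect(sample_log())
    print(alerts, "unparseable:", skipped)
```

An alert on a source address means the resolver is sending that address a large volume of responses, which is the pattern to investigate when checking whether the server is being used as a reflector.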

This was first published in July 2013
