Endless variety: Dealing with advanced threats
A comprehensive collection of articles, videos and more, hand-picked by our editors
What is a DNS reflection denial-of-service (DoS) attack? How is it different from a DoS attack, and how can we...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
defend against one?
Ask the Expert!
SearchSecurity.com expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
A DNS reflection DoS attack is an application-layer DoS attack that exploits vulnerabilities in DNS servers and insecurely configured networks. CloudFlare has a good blog post outlining the issue with DNS reflection DoS attacks. In a DNS reflection DoS attack, a client, like a desktop, makes a forged DNS request from the distributed DoS (DDoS) target's IP and the DNS server sends a DNS response to a spoofed IP. The DNS response is relatively large, resulting in a large amount of traffic sent to a targeted host and thereby creating a denial of service. DNS reflection attacks differ from DDoS attacks by botnets in that the DNS servers are not responsible for maintaining secure networks.
Reflection DDoS attacks, or the use of spoofed source addresses to exploit vulnerabilities in different network protocols as a part of DDoS attacks, will only grow, given the increasing sophistication of content distribution networks that are used to protect websites from DDoS attacks. Future attacks could target multicast or high-bandwidth User Datagram Protocol video protocols. Attackers may even attack customers of high-profile websites to disrupt business.
The Open Resolver project is an industry effort to track and encourage Internet infrastructure operators to secure their DNS servers, referencing instructions from Team Cymru on how to secure name servers. Organizations should also follow BCP38, which provides info on using ingress filtering to deal with DoS attacks that used forged IP addresses.
Restricting external access to open DNS resolvers could help reduce the impact of a DNS reflection DoS attack, along with throttling inbound and outbound DNS traffic at ISPs. Organizations can also monitor their DNS servers and network. Spikes in bandwidth, a high number of queries for a specified name or IP, or malformed DNS packets may indicate that the organization is participating in an attack. Organizations might also want to include DNS reflection DoS attacks in planning exercises and determine whether they are a high enough risk to justify an incident-response plan or new security controls.
Related Q&A from Nick Lewis
Locky ransomware has, again, changed tactics by moving to using LNK files for distribution. Expert Nick Lewis explains how enterprises can adjust ...continue reading
Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime ...continue reading
Drammer, or a deterministic Rowhammer attack, was found to be more effective on ARM-based mobile devices. Expert Nick Lewis explains the issue with ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.