Endless variety: Dealing with advanced threats
What is a DNS reflection denial-of-service (DoS) attack? How is it different from a DoS attack, and how can we defend against one?
Ask the Expert!
SearchSecurity.com expert Nick Lewis answers readers' questions about enterprise security threats.
A DNS reflection DoS attack is a volumetric DoS attack carried out through the DNS protocol. It does not depend on a software vulnerability in any one server; it abuses two things that are common on the Internet: DNS resolvers that answer queries from anyone (open resolvers) and networks that do not filter packets with forged source addresses. CloudFlare has a good blog post outlining the issue. In a DNS reflection attack, the attacker's machines (often ordinary desktops in a botnet) send DNS queries whose source IP address is forged to be the distributed DoS (DDoS) target's address, so each DNS server sends its response to the target instead of back to the attacker. Because a DNS response (particularly for an ANY query with a large EDNS0 buffer advertised) is many times larger than the query that provoked it, the traffic is amplified as well as reflected, and the aggregate flood of responses denies service to the target. DNS reflection differs from a conventional botnet DDoS in that the reflecting DNS servers are not compromised hosts: they are legitimate, often well-connected servers whose operators simply have not restricted who may query them, which also makes the attack traffic hard to tell apart from normal DNS responses.
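To make the amplification concrete, the following is an added example (it is not code from the column or from CloudFlare) that builds the UDP payload of the kind of forged query an attacker sends, parses it back, and measures it against a constructed response. The answer set is invented for illustration (the 250-byte TXT record stands in for a large DNSKEY or RRSIG record); real ANY responses for DNSSEC-signed zones are larger still. The IP-layer source spoofing itself is not shown: it happens outside the DNS payload, which is exactly why BCP 38 filtering at the network edge is the control that stops it.

```python
import struct

QTYPE_A, QTYPE_TXT, QTYPE_AAAA, QTYPE_OPT, QTYPE_ANY = 1, 16, 28, 41, 255


def encode_name(name):
    """Encode a domain name as DNS labels: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode a (possibly compressed) name at pkt[off]; return (name, offset after it)."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(pkt, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(qname, qtype, txid, edns_udp_size=4096):
    """UDP payload of a query. The EDNS0 OPT record advertises a large buffer so the
    reflector returns the whole answer in one datagram instead of truncating it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)    # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def parse_message(pkt):
    """Parse header, the single question and the EDNS0 buffer size of a query or response."""
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = decode_name(pkt, off)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns_udp_size = None
    for _ in range(an + ns + ar):                  # walk the remaining RRs, noting the OPT pseudo-RR
        _, off = decode_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            edns_udp_size = rclass                 # OPT reuses the class field for the UDP size
    return {"id": txid, "response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "edns_udp_size": edns_udp_size}


def txt_rdata(*strings):
    """TXT RDATA: one or more <character-string>s, each length-prefixed (max 255 bytes)."""
    return b"".join(bytes([len(s)]) + s for s in strings)


def build_response(query, answers):
    """Answer the query; each RR's owner name is a pointer (0xC00C) to the question name."""
    q = parse_message(query)
    question = query[12:12 + len(encode_name(q["qname"])) + 4]
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, len(answers), 0, 1)  # QR, RD, RA
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
                   for rtype, rdata in answers)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0)
    return header + question + rrs + opt


def amplification_factor(query, response):
    """Bytes the target receives per byte the attacker sends (UDP payload only)."""
    return len(response) / len(query)


# Constructed sample: the forged ANY query and an illustrative answer set (addresses are
# illustrative; the 250-byte TXT stands in for a large DNSKEY/RRSIG record).
SPOOFED_QUERY = build_query("example.com", QTYPE_ANY, txid=0x1234)
CONSTRUCTED_ANSWERS = [
    (QTYPE_A, bytes([93, 184, 216, 34])),
    (QTYPE_AAAA, bytes.fromhex("26062800022000010248189325c81946")),
    (QTYPE_TXT, txt_rdata(b"v=spf1 include:_spf.example.net ~all")),
    (QTYPE_TXT, txt_rdata(b"x" * 250)),
]
REFLECTED_RESPONSE = build_response(SPOOFED_QUERY, CONSTRUCTED_ANSWERS)

if __name__ == "__main__":
    print(parse_message(SPOOFED_QUERY))
    print(len(SPOOFED_QUERY), "byte query ->", len(REFLECTED_RESPONSE), "byte response, "
          f"amplification x{amplification_factor(SPOOFED_QUERY, REFLECTED_RESPONSE):.1f}")
```

The 40-byte query produces a 396-byte response here, so every byte the attacker sends costs the target almost ten; the attacker's own link never carries the large packets, the reflectors' links do.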
Reflection DDoS attacks, which use spoofed source addresses to turn other network protocols into amplifiers, will only grow: content distribution networks are increasingly good at absorbing straightforward floods, so attackers need the extra volume that reflection provides. Future attacks could target multicast or high-bandwidth User Datagram Protocol video protocols. Attackers may even target the customers of a high-profile website rather than the site itself in order to disrupt its business.
The Open Resolver Project is an industry effort to find open resolvers and encourage Internet infrastructure operators to secure their DNS servers; it references Team Cymru's instructions on securing name servers, which come down to allowing recursion only for your own clients and turning it off entirely on authoritative servers. Organizations should also implement BCP 38 (RFC 2827), which describes ingress filtering: dropping packets at the network edge whose source address does not belong to the network they arrive from, so that forged-source packets never leave the network that originates them.
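The two controls above act at different points, and it helps to see where a forged query dies under each. The following is an added example, not code from Team Cymru, the Open Resolver Project or the column; the interface names, customer prefixes, bogon list and the resolver's allowed-recursion list are constructed for illustration. It models strict BCP 38 filtering on customer-facing interfaces (transit links are left unfiltered, as they usually are), then a resolver that only recurses for its own clients. The residual case, an authoritative answer that must be given to anyone, is the reason rate limiting and monitoring still matter.

```python
from ipaddress import ip_address, ip_network

# Constructed ISP edge: the only source prefixes legitimately seen on each customer interface.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/25")],
}
TRANSIT_IFACES = {"xe-1/0/0"}          # upstream links: no per-customer prefix to check against
BOGONS = [ip_network(p) for p in (     # sources that are never valid on any public link
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def ingress_permits(iface, src):
    """BCP 38 / RFC 2827 ingress decision for a packet arriving on iface with source src."""
    src = ip_address(src)
    if any(src in b for b in BOGONS):
        return False
    if iface in TRANSIT_IFACES:
        return True                    # nothing to compare against; rely on the far end's filtering
    return any(src in p for p in CUSTOMER_PREFIXES.get(iface, []))  # unknown iface: drop


# Constructed resolver policy in the spirit of Team Cymru's guidance: recurse only for
# our own clients; zones we are authoritative for must still be answered for anyone.
ALLOW_RECURSION = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
AUTHORITATIVE_ZONES = ("example.com",)


def in_zone(qname, zone):
    qn = qname.rstrip(".").lower()
    return qn == zone or qn.endswith("." + zone)


def resolver_decision(client, qname):
    """What the name server sends back. REFUSED is a 12-byte header plus the question,
    i.e. no larger than the query, so it cannot be used for amplification."""
    if any(in_zone(qname, z) for z in AUTHORITATIVE_ZONES):
        return "authoritative-answer"
    if any(ip_address(client) in n for n in ALLOW_RECURSION):
        return "recursive-answer"
    return "REFUSED"


def trace(iface, src, qname):
    """Follow one query from the edge router to the resolver and report its fate."""
    if not ingress_permits(iface, src):
        return "dropped-at-edge"
    return resolver_decision(src, qname)


if __name__ == "__main__":
    victim = "192.0.2.7"               # the DDoS target's address, forged as the query source
    for case in (("ge-0/0/1", victim, "example.net"),   # attacker on a filtered customer link
                 ("xe-1/0/0", victim, "example.net"),   # attacker behind an unfiltered network
                 ("xe-1/0/0", victim, "example.com"),   # same, but asking for our own zone
                 ("ge-0/0/1", "203.0.113.10", "example.net")):  # a real customer
        print(case, "->", trace(*case))
```

Only the third case reaches the target, and it does so with an authoritative answer the server cannot refuse; that is the traffic the rate limiting and monitoring in the next paragraph are meant to catch.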
Restricting external access to open DNS resolvers shrinks the pool of usable reflectors, and throttling inbound and outbound DNS traffic at ISPs, or rate-limiting responses on the servers themselves, caps how much amplified traffic any one reflector can emit. Organizations should also monitor their DNS servers and networks: a spike in outbound DNS bandwidth, a high number of queries for a single name or from a single source IP, a surge in large ANY/EDNS0 queries, or malformed DNS packets may indicate that the organization's servers are being used as reflectors in someone else's attack. Organizations might also want to include DNS reflection DoS attacks, as both target and unwitting participant, in planning exercises and decide whether the risk is high enough to justify an incident-response plan or new security controls.
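The detection and throttling described above, as an added example that is not part of the column and not code from any DNS server: it parses constructed BIND-style query-log lines (the timestamp and "client ip#port: query: name IN type flags" layout mimics BIND's querylog, but the lines are invented), flags a source that exceeds a query-rate threshold in a sliding window or that keeps asking for the same name, and runs the same stream through a token-bucket response rate limiter keyed on client /24 and query name, in the spirit of BIND's response-rate-limiting. The thresholds (50 queries per second per source, 80% single-name share, 5 responses per second with a burst of 5) are assumptions, not recommended values.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)$"
)
EPOCH = datetime(1970, 1, 1)
BASE = datetime(2013, 3, 12, 10, 15, 1)


def _line(offset_ms, ip, port, qname, qtype, flags):
    ts = (BASE + timedelta(milliseconds=offset_ms)).strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
    return f"{ts} client {ip}#{port}: query: {qname} IN {qtype} {flags}"


# Constructed log: 200 forged ANY queries "from" the victim in one second, five ordinary
# lookups from an internal client, and one line the server could not parse.
SAMPLE_LOG = (
    [_line(i * 5, "192.0.2.7", 53012, "example.com", "ANY", "+E") for i in range(200)]
    + [_line(k * 100, "10.0.0.5", 40000 + k, "mail.example.org", "A", "-") for k in range(5)]
    + ["12-Mar-2013 10:15:01.500 client 198.51.100.9#1: query: (malformed packet)"]
)


def parse_log(lines):
    """Return (events sorted by time, count of unparseable lines); events are (ms, ip, qname, qtype)."""
    events, malformed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        events.append(((ts - EPOCH) // timedelta(milliseconds=1), m["ip"], m["qname"], m["qtype"]))
    events.sort()
    return events, malformed


def detect(events, window_ms=1000, per_source_max=50, top_share=0.8):
    """Flag sources that exceed per_source_max queries inside the sliding window, and sources
    whose queries are dominated by a single name once they have sent per_source_max of them."""
    alerts, recent, names = set(), defaultdict(deque), defaultdict(Counter)
    for ms, ip, qname, _qtype in events:
        dq = recent[ip]
        dq.append(ms)
        while ms - dq[0] > window_ms:
            dq.popleft()
        if len(dq) > per_source_max:
            alerts.add(("query_rate", ip))
        names[ip][qname] += 1
        total = sum(names[ip].values())
        top_name, top_count = names[ip].most_common(1)[0]
        if total >= per_source_max and top_count / total >= top_share:
            alerts.add(("single_name", ip, top_name))
    return sorted(alerts)


class ResponseRateLimiter:
    """Token bucket per (client /24, qname). Integer milli-tokens avoid float drift."""

    def __init__(self, responses_per_second=5, burst=5):
        self.rate, self.cap, self.buckets = responses_per_second, burst * 1000, {}

    def allow(self, ip, qname, now_ms):
        key = (ip_network(f"{ip}/24", strict=False), qname)
        tokens, last = self.buckets.get(key, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)  # rate/s == milli-tokens/ms
        ok = tokens >= 1000
        self.buckets[key] = (tokens - 1000 if ok else tokens, now_ms)
        return ok


def apply_rrl(events, limiter):
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ms, ip, qname, _qtype in events:
        stats[ip]["allowed" if limiter.allow(ip, qname, ms) else "dropped"] += 1
    return dict(stats)


def analyze(lines):
    events, malformed = parse_log(lines)
    return {"alerts": detect(events), "malformed": malformed,
            "rrl": apply_rrl(events, ResponseRateLimiter())}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(k, v)
```

On this input the victim's forged source trips both rules while the internal client trips neither, and the limiter lets through only 9 of the 200 reflected responses (the burst plus roughly five per second) while every legitimate lookup is still answered. Real BIND RRL also "slips" truncated responses so a spoofed client that is actually genuine can retry over TCP; that refinement is left out here.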