What is a DNS reflection denial-of-service (DoS) attack? How is it different from a DoS attack, and how can we...
defend against one?
Ask the Expert!
SearchSecurity.com expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
A DNS reflection DoS attack is an application-layer DoS attack that exploits vulnerabilities in DNS servers and insecurely configured networks. CloudFlare has a good blog post outlining the issue with DNS reflection DoS attacks. In a DNS reflection DoS attack, a client, like a desktop, makes a forged DNS request from the distributed DoS (DDoS) target's IP and the DNS server sends a DNS response to a spoofed IP. The DNS response is relatively large, resulting in a large amount of traffic sent to a targeted host and thereby creating a denial of service. DNS reflection attacks differ from DDoS attacks by botnets in that the DNS servers are not responsible for maintaining secure networks.
Reflection DDoS attacks, or the use of spoofed source addresses to exploit vulnerabilities in different network protocols as a part of DDoS attacks, will only grow, given the increasing sophistication of content distribution networks that are used to protect websites from DDoS attacks. Future attacks could target multicast or high-bandwidth User Datagram Protocol video protocols. Attackers may even attack customers of high-profile websites to disrupt business.
The Open Resolver project is an industry effort to track and encourage Internet infrastructure operators to secure their DNS servers, referencing instructions from Team Cymru on how to secure name servers. Organizations should also follow BCP38, which provides info on using ingress filtering to deal with DoS attacks that used forged IP addresses.
Restricting external access to open DNS resolvers could help reduce the impact of a DNS reflection DoS attack, along with throttling inbound and outbound DNS traffic at ISPs. Organizations can also monitor their DNS servers and network. Spikes in bandwidth, a high number of queries for a specified name or IP, or malformed DNS packets may indicate that the organization is participating in an attack. Organizations might also want to include DNS reflection DoS attacks in planning exercises and determine whether they are a high enough risk to justify an incident-response plan or new security controls.
Dig Deeper on DDoS attack detection and prevention
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading