
How a DNS reflection attack differs from a standard DoS attack program

A DNS reflection attack is like a regular denial-of-service attack, but much worse. Nick Lewis explains why.

What is a DNS reflection denial-of-service (DoS) attack? How is it different from a DoS attack, and how can we defend against one?


A DNS reflection DoS attack is an application-layer DoS attack that exploits vulnerabilities in DNS servers and insecurely configured networks. CloudFlare has a good blog post outlining the issue with DNS reflection DoS attacks. In a DNS reflection DoS attack, a client, such as a desktop, sends a DNS request forged to appear to come from the distributed DoS (DDoS) target's IP, and the DNS server sends its DNS response to that spoofed IP. The DNS response is relatively large, so a large amount of traffic is sent to the targeted host, creating a denial of service. DNS reflection attacks differ from DDoS attacks by botnets in that the DNS servers are not responsible for maintaining secure networks.

Reflection DDoS attacks, or the use of spoofed source addresses to exploit vulnerabilities in different network protocols as a part of DDoS attacks, will only grow, given the increasing sophistication of content distribution networks that are used to protect websites from DDoS attacks. Future attacks could target multicast or high-bandwidth User Datagram Protocol video protocols. Attackers may even attack customers of high-profile websites to disrupt business.

The Open Resolver project is an industry effort to track and encourage Internet infrastructure operators to secure their DNS servers, referencing instructions from Team Cymru on how to secure name servers. Organizations should also follow BCP38, which provides information on using ingress filtering to deal with DoS attacks that use forged IP addresses.

Restricting external access to open DNS resolvers could help reduce the impact of a DNS reflection DoS attack, along with throttling inbound and outbound DNS traffic at ISPs. Organizations can also monitor their DNS servers and network. Spikes in bandwidth, a high number of queries for a specified name or IP, or malformed DNS packets may indicate that the organization is participating in an attack. Organizations might also want to include DNS reflection DoS attacks in planning exercises and determine whether they are a high enough risk to justify an incident-response plan or new security controls.
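One way to check resolver query logs for the signs described above (many queries for one name from one source address, with responses much larger than the queries), as an added example that is not part of the original answer. The log format, thresholds and function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed sample data. Assumed format per line:
    epoch_seconds client_ip qname qtype query_bytes response_bytes"""
    lines = [f"{1020 + i} 198.51.100.7 example.test ANY 64 3200" for i in range(40)]
    lines += [f"{1020 + 10 * i} 192.0.2.10 www.example.test A 60 120" for i in range(5)]
    lines += ["1030 192.0.2.11 mail.example.test MX 62 180", "truncated line"]
    return lines

def find_reflection_suspects(lines, window=60, min_queries=30, min_amplification=10.0):
    """Return (suspects, skipped). A suspect is one (window, source IP, qname)
    bucket with many queries and responses much larger than the queries."""
    buckets = defaultdict(lambda: [0, 0, 0])  # query count, query bytes, response bytes
    skipped = 0
    for line in lines:
        parts = line.split()
        try:
            ts, src, qname = int(parts[0]), parts[1], parts[2].lower().rstrip(".")
            qbytes, rbytes = int(parts[4]), int(parts[5])
        except (IndexError, ValueError):
            skipped += 1  # unparseable log line: count it, do not guess its fields
            continue
        bucket = buckets[(ts // window, src, qname)]
        bucket[0] += 1
        bucket[1] += qbytes
        bucket[2] += rbytes
    suspects = []
    for (win, src, qname), (count, qbytes, rbytes) in sorted(buckets.items()):
        amplification = rbytes / qbytes if qbytes else 0.0
        if count >= min_queries and amplification >= min_amplification:
            suspects.append({
                # In a reflection attack the logged source is the spoofed victim address.
                "window_start": win * window, "claimed_source": src, "qname": qname,
                "queries": count, "amplification": round(amplification, 1),
                "response_bits_per_sec": rbytes * 8 // window,
            })
    return suspects, skipped

if __name__ == "__main__":
    suspects, skipped = find_reflection_suspects(build_sample_log())
    for suspect in suspects:
        print(suspect)
    print("skipped lines:", skipped)
```

The thresholds are placeholders to be tuned against a baseline of the server's normal query volume.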

This was last published in July 2013
