Prevent DDoS DNS amplification attacks by securing DNS resolvers

Expert Nick Lewis details how misconfigured DNS resolvers can be used for DDoS DNS attacks and how organizations can secure them.

HostExploit has indicated that open and misconfigured DNS resolvers can be used in amplified distributed denial-of-service (DDoS) attacks. How can an organization tell if its DNS resolvers are being used for such attacks, and how can DNS resolvers be secured?

The domain name system (DNS) is one of the most critical services keeping the Internet working, but it has also been one of the most popular targets for attackers. DNS resolvers are the servers that client systems use to resolve domain names, and there are around 10 million of them. As HostExploit notes in its World Hosts Report, many of these resolvers are misconfigured and can be used in a DDoS DNS amplification attack, in which the misconfigured servers are tricked into sending large DNS responses that overwhelm a target's network connection.

To detect whether its DNS resolvers are being abused, an organization can use an intrusion detection system (IDS) to flag malformed DNS packets, or review the DNS server's logs. The network or the logs can be monitored for hosts making a large number of queries in a short period, or for the same IP repeatedly requesting a name that produces a large DNS response. Such attacks can also be detected by monitoring bandwidth for a significant volume of traffic sent to a specific IP or network.
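As an added illustration of the log-review approach just described (example code, not from the original column), the following Python checker runs the two heuristics, query rate per source and repeated requests for one name with a large-response query type, over constructed BIND-style query-log lines. The log format, the thresholds and the list of large-response query types are assumptions to be adapted to your own resolver.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed lines in the style of a BIND query log (not real traffic). 203.0.113.7 fires
# repeated ANY queries for one name within two seconds, the pattern described above.
SAMPLE_LOG = """\
12-Apr-2013 10:15:01.001 client 198.51.100.2#40001: query: www.example.com IN A +E (192.0.2.10)
12-Apr-2013 10:15:01.020 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.10)
12-Apr-2013 10:15:01.410 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.10)
12-Apr-2013 10:15:01.802 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.10)
12-Apr-2013 10:15:02.190 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.10)
12-Apr-2013 10:15:02.577 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.10)
12-Apr-2013 10:15:03.100 client 198.51.100.2#40002: query: mail.example.com IN MX +E (192.0.2.10)
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: "
                     r"(?P<name>\S+) IN (?P<qtype>\S+)")
# Query types whose answers are usually far larger than the query (assumed list; tune per zone).
LARGE_RESPONSE_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

def parse_queries(log_text):
    """Yield (timestamp, source_ip, name, qtype) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["name"], m["qtype"]

def find_suspect_sources(log_text, window_s=10, rate_limit=4, repeat_limit=3):
    """Return {source_ip: [reasons]} for sources tripping either heuristic (thresholds illustrative)."""
    by_ip = defaultdict(list)
    for ts, ip, name, qtype in parse_queries(log_text):
        by_ip[ip].append((ts, name, qtype))
    suspects = defaultdict(list)
    for ip, events in by_ip.items():
        events.sort()
        # Heuristic 1: more than rate_limit queries inside any window_s-second sliding window.
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > rate_limit:
                suspects[ip].append(f"{end - start + 1} queries within {window_s}s")
                break
        # Heuristic 2: the same name requested repeatedly with a large-response query type.
        repeats = Counter((n, q) for _, n, q in events if q in LARGE_RESPONSE_TYPES)
        for (name, qtype), count in repeats.items():
            if count >= repeat_limit:
                suspects[ip].append(f"{count}x {qtype} {name}")
    return dict(suspects)
```

On the sample above only 203.0.113.7 is reported, with both reasons; the two benign lookups from 198.51.100.2 pass.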

Google provides details on the security of its public DNS resolvers and outlines steps that can be taken to secure DNS. Cisco also has a DNS best practice guide that outlines its security recommendations. Both offer recommendations for securing DNS resolvers, but one of the key steps in preventing DNS resolvers from being used to amplify a DDoS attack with forged source IPs is for ISPs to prevent IP spoofing. Organizations should check with their ISPs to ensure the necessary anti-spoofing protections are in place and to confirm that they follow the Internet Engineering Task Force's BCP38. IP spoofing can be severely limited by ISPs restricting their customers to sending packets only from their approved IP network addresses. Once spoofing is stopped, every DNS response goes back to the host that actually sent the query, so the DNS servers can no longer be made to flood a third party and participate in a DDoS attack.

This was last published in April 2013