A security report reveals that the number of DNS amplification attacks carried out in the first quarter (Q1) of 2018 has doubled. By definition they are a type of DDoS (distributed denial of service) attack, which is among the most common hacking tactics. The end goal is to sabotage the targets by rendering their servers inaccessible.
DNS Amplification Attacks Rampage! Number of Reported Incidents Doubled
Security reports indicate that the number of DNS amplification attacks has doubled in the first three months of 2018 (Q1). This shows that the hackers have shifted tactics, preferring this method over others. The published information reveals that the attacks have spiked nearly 700% year-over-year. They are carried out by abusing open DNS servers to flood the target systems with response traffic, following these preset steps:
- Target Selection: The hackers pinpoint their targets and identify the DNS servers they will use against them.
- Packet Creation: After the criminals have selected their targets, they begin to send lookup requests with spoofed source addresses. As a result the servers send their responses to the spoofed address, that is, to another server. The attackers aim to have as much information as possible included in each response.
- DNS Amplification: The attack unfolds as soon as the servers start to generate the associated responses to the end victims. The analysis team reports that in the majority of cases the requests to the DNS servers use the "ANY" query type, which returns all known information about the DNS zone in a single request. The large amount of generated data fed to the victim targets can easily take them down.
DNS amplification attacks are easily orchestrated over hacker infrastructure such as botnets. In such cases it is very difficult to defend against the incoming waves. There is no easy way to filter the incoming data for spoofed packets, as practically all of the content is legitimate DNS data, and it arrives from valid servers.
The criminals combine multiple strategies, sending request packets over the network time protocol (NTP), the user datagram protocol (UDP) and other protocols, and leveraging them through botnets or other advanced infrastructure. The top sources of DDoS attacks in Q1 2018 were China, the USA and Vietnam, in first, second and third place respectively.
DNS Amplification Attack Mitigation Methods
Network administrators can use specialized web-based scanning tools that analyse networks for vulnerable DNS resolvers. This produces a list of potential hosts that may be abused by hackers for DNS amplification attacks. Security researchers state that some of the attacks can be filtered out by checking whether each received response packet has a matching request.
Internet service providers (ISPs) can also help prevent the attacks by rejecting packets whose source addresses are not reachable via the packet's path. Such changes need to be implemented by the ISPs, and not all of them have adopted this security recommendation. DNS service owners can also disable recursive resolution for external clients. According to security best practices, recursive resolution of other domains is not required and should be disabled.
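The "matching request" check described above, as an added example that is not part of the original article: unsolicited DNS responses entering a protected network are flagged, and the bytes they carry per reflecting resolver are summarised. The packet records and addresses are constructed for the example, and the 64-byte query size is an assumption.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsPacket:
    src: str           # source IP of the UDP datagram
    dst: str           # destination IP
    txid: int          # DNS transaction ID
    qname: str         # queried name
    qtype: str         # record type, e.g. "A" or "ANY"
    is_response: bool  # QR bit set
    size: int          # UDP payload length in bytes

def unsolicited_responses(packets, protected_net):
    """Responses entering protected_net with no earlier query from the same
    host to the same resolver carrying the same txid and qname."""
    net = ipaddress.ip_network(protected_net)
    outstanding, flagged = set(), []
    for p in packets:
        if not p.is_response:
            if ipaddress.ip_address(p.src) in net:
                outstanding.add((p.src, p.dst, p.txid, p.qname))
        elif ipaddress.ip_address(p.dst) in net:
            key = (p.dst, p.src, p.txid, p.qname)
            if key in outstanding:
                outstanding.discard(key)  # genuine reply consumes its query
            else:
                flagged.append(p)         # reply nobody asked for: reflected
    return flagged

def amplification_by_resolver(flagged, query_bytes=64):
    """Per reflecting resolver: (count, total bytes, amplification factor),
    assuming a query_bytes-sized spoofed query per response (64 is assumed)."""
    counts, total = defaultdict(int), defaultdict(int)
    for p in flagged:
        counts[p.src] += 1
        total[p.src] += p.size
    return {r: (counts[r], total[r], total[r] / (counts[r] * query_bytes))
            for r in counts}

# Constructed sample traffic (not a real capture): 10.0.0.0/24 is protected,
# 192.0.2.53 is a resolver 10.0.0.5 really queried, the rest reflect ANY answers.
SAMPLE = [
    DnsPacket("10.0.0.5", "192.0.2.53", 0x1A2B, "example.com", "A", False, 45),
    DnsPacket("192.0.2.53", "10.0.0.5", 0x1A2B, "example.com", "A", True, 61),
    DnsPacket("198.51.100.7", "10.0.0.9", 0x4242, "example.net", "ANY", True, 3120),
    DnsPacket("198.51.100.7", "10.0.0.9", 0x4243, "example.net", "ANY", True, 3120),
    DnsPacket("203.0.113.2", "10.0.0.9", 0x0007, "example.net", "ANY", True, 2890),
]
```

Running `unsolicited_responses(SAMPLE, "10.0.0.0/24")` leaves the genuine reply to 10.0.0.5 alone and flags the three ANY answers aimed at 10.0.0.9, each several dozen times larger than the query that would have triggered it.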
What is most striking about this hacker tactic is that it relies on the poor configuration of services that are, by design, public and open to all client types. The fact that DNS amplification attacks doubled in Q1 2018 shows that there is much to be done by system administrators, ISPs and all other responsible parties.