Bobcares

DNS Amplification Attack – How to Mitigate

by | Feb 19, 2021

Wondering how to mitigate DNS amplification attack? We can help you.

We know that DDoS tries to deny the important services that run on the server by sending enormous traffic to the destination server so that the server can’t handle them.

DNS amplification is a Distributed Denial of Service (DDoS) attack in which the attacker exploits vulnerabilities in domain name system (DNS) servers to turn initially small queries into much larger payloads, which are used to bring down the victim’s servers. So it is important to protect servers from DDoS to avoid server downtime.

Here at Bobcares we often handle DDoS attacks as a part of our Server Management Services.

Today let’s see how our Support Engineers mitigate DNS Amplification Attack for our customers.

How does a DNS amplification attack work?

Before going into the steps to mitigate we see how this DNS amplification attack works.

A DNS amplification can be broken down into four steps:

1. Firstly, the attacker uses a compromised endpoint to send UDP packets with spoofed IP addresses to a DNS recursor. This spoofed address on the packets points to the real IP address of the victim.
2. Each one of the UDP packets makes a request to a DNS resolver, often passing an argument such as “ANY” in order to receive the largest response possible.
3. After receiving the requests, the DNS resolver, which is trying to be helpful by responding, sends a large response to the spoofed IP address.
4. The IP address of the target receives the response and the surrounding network infrastructure faces high traffic, resulting in a denial-of-service.

How to mitigate DNS amplification attack?

Now let’s see the steps which our Support Techs follow to mitigate DNS amplification attack.

Most of the time the Internet Service Provider (ISP) may blackhole all traffic to the targeted victim’s IP address, protecting itself and taking the target’s site offline.

1. Reduce the total number of open DNS resolvers

An essential component of DNS amplification attacks is access to open DNS resolvers.

However, DNS resolvers should only provide their services to devices that originate within a trusted domain.

In reflection-based attacks, the open DNS resolvers will respond to queries from anywhere on the Internet, allowing the potential for exploitation.

So we can restrict a DNS resolver to only respond to queries from trustworthy sources.

2. Source IP verification – stop spoofed packets leaving the network

As the UDP requests being sent by the attacker’s botnet will have a source IP address spoofed to the victim’s IP address.

This is the key component that helps in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses.

If a packet is being sent from inside the network with a source address of this kind is dropped.

3. Disabling Recursion on Authoritative Name Servers

Systems do not need to support recursive resolution of other domains on behalf of a client and should be configured after disabling recursion.

Bind9

Add the following to the global options:

options {
allow-query-cache { none; };
recursion no;
};

Microsoft DNS Server

In the Microsoft DNS console tool:

a. First, right-click the DNS server and click Properties.
b. After that click the Advanced tab.
c. Finally, in Server options, select the “Disable recursion” check box and then click OK.

4. Use a DNS-aware firewall.

We can use a DNS-aware firewall to only allow DNS responses into the network that match requests sent from local DNS servers.

5. Use DNS Anycast

A DNS Anycast will help to distribute traffic and avoid overloading any single DNS server.

6. Using third-party DDoS protection.

We can use any third-party DDoS protection like a scrubbing service.

7. Limiting Recursion to Authorized Clients

For DNS servers that are deployed within an organization or Internet Service Provider, the resolver should be configured to perform recursive queries on behalf of authorized clients only.

BIND9

In the global options, include the following:

acl corpnets { 192.x.x.x/24; 192.x.x.x/24; };
options {
allow-query { any; };
allow-recursion { corpnets; };
};

Microsoft DNS Server

It is not currently possible to restrict recursive DNS requests to a particular client address range in Microsoft DNS Server.

8. Response Rate Limiting (RRL)

There is currently an experimental feature available as a set of patches for BIND9 that allows an administrator to limit the maximum number of responses per second from being sent to one client from the name server.

BIND9

On BIND9 implementation running the RRL patches, include the following lines to the options block of the authoritative views:

rate-limit {
responses-per-second 5;
window 5;
};

Microsoft DNS Server

In Windows Server 2016, the Set-DnsServerResponseRateLimiting cmdlet enables RRL with default settings.

[Need assistance? We are happy to help you!]

Conclusion

In short, DDoS attacks can really freeze websites or even cause server downtime. Though there is no perfect solution for DDoS, we can use the steps which our Support Techs follow to mitigate this to a great extent.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF