Can DNS Attacks Threaten the Internet on a Large Scale?

Tuesday, March 27, 2012

Alan Woodward


There has been much talk about the ability of a group such as Anonymous to render the Internet unusable by an attack. 

The attack most often talked about in 2012 has been disabling the Domain Name System (DNS), possibly by means of what is known as a Denial of Service (DoS) attack.

An attack against the Domain Name System (DNS) is possible and would mean that the names you type into the address bar of your browser (URLs), which DNS servers convert into the numeric addresses the Internet actually uses (IP addresses), would fail to resolve.

And unless you happened to know the IP address, the Internet would, for all intents and purposes, stop.

Opinions range from the panic-stricken to complete incredulity that such a thing is possible. As ever, the truth lies somewhere in between. So I wanted to make a few points that will hopefully clarify the debate.


For those unfamiliar with DoS attacks, the concept isn't complex. You simply flood a web server with so many requests that it can no longer respond to the legitimate ones.

One of the ways the hackers generate this volume of requests is by co-opting other machines to collaborate, all of them sending many requests simultaneously.

Malware turns such a machine into a "bot" (short for "robot") that does the hackers' bidding, and its owner often has no idea that their machine is participating in the attack.

Such an attack was used to prevent visitors reaching the Interpol site on 28th February 2012, a retaliatory act for recent arrests. It was carried out with a tool developed by the group Anonymous, which they called their "High Orbit Ion Cannon" (HOIC).

A rather grand name for something that essentially fires up to 256 concurrent HTTP POST and GET requests, ramps up to about 2MB/s, and is written in BASIC. But get enough of these or similar tools firing at the same target and you will stop others using it.

The obvious question is why one can't simply block the traffic from an address that is firing too many requests at your site. I won't try to answer that fully here (I covered it in an article on the BBC site). Suffice to say that the source of an attack can be obscured, not least because, if it is a bot-based attack, the machines actually sending the traffic belong to innocent parties.

So, what has this got to do with making the whole Internet unavailable?  It's inconvenient for the individual sites attacked but no one could generate enough traffic to stop the whole Internet.  Could they?  As ever, the answer is "that depends".

The classic attack against the DNS until recently has been to hijack the DNS and reroute requests for a site to an IP address under the hackers' control. A large part of East Africa suffered this recently, with sites from Google to Microsoft being diverted to a site that talked about rights in a northern African country.

You know it has happened, and you can fix it quite quickly if you can get control of the DNS back. However, if the DNS servers themselves were unavailable en masse, typing a URL into your browser would produce nothing: the translation to an IP address would never happen and the request would simply time out. But DNS servers are spread all around the world, so how could anyone hit all of them simultaneously?


The reason this attack is theoretically possible is that the DNS is a hierarchy. At the top sit the root servers, reached through 13 named addresses (A to M), each of which is in practice served by many physical machines spread around the world.

Disrupt the root and, in principle, you disrupt the entire DNS, although every resolver caches the delegations it has already learned (the TLD records in the root zone carry a two-day TTL), so the damage would build up over days rather than arrive all at once. Not surprisingly the operators know this, and they put a lot of effort into ensuring that the root can cope with a DoS attack.

And if it were only the standard DoS we were concerned with, we might be able to sit back and feel comfortable, or at least as comfortable as anyone can these days on the Internet.

However, there is a particular form of DoS that is aimed not so much at the DNS as through it: it subverts DNS servers into carrying out the attack. It can generate many times the volume that "traditional" DDoS attacks might suggest is possible.

It relies upon what is known as "DNS amplification". The attack was detailed in a paper as far back as 2006 and had been discussed in the security community since 2002. In essence it exploits servers that will perform "DNS recursion" for anyone who asks. What's that? A DNS query can be handled in one of two ways, iteratively or recursively.

In iterative mode, the resolver first asks a root nameserver for the top-level domain's nameservers, then asks one of those for the second-level domain's nameservers, and so on. It contacts the different nameservers directly, one by one, following each referral until it has either found the answer it needs or established that the name doesn't exist.

In recursive mode the client's job is much simpler: it asks a single DNS server (a recursive resolver) for the whole name and leaves it to that server to perform all the necessary lookups, recursive or iterative, on its behalf. The server then hands back the complete answer, which is why it is the recursive resolver, rather than the client, that ends up sending a large response.

So what's the problem? Well, the response to a DNS query can be considerably larger than the query itself, and, because DNS normally runs over UDP with no handshake, the source IP address of a request can be spoofed so that the response is delivered to whatever machine the attacker names. An attacker finds servers that will answer recursive queries from anyone, sends them a stream of requests chosen to produce the largest possible answers, and spoofs the source address so that every response is sent to the victim.

A relatively small amount of data sent by the attacker then results in a large amount of data being fired at the victim. Because the responses are so much larger than the requests that trigger them, this has become known as an "amplification attack".
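The recursion flag just described and the size mismatch that amplification exploits can both be seen in the DNS wire format. The Python below is an added example, not code from the original post or from any tool it mentions: it builds a query with the RD (recursion desired) flag set, as a stub sends to a recursive resolver, and one with it clear, as an iterative resolver sends to root, TLD and authoritative servers; it then builds a constructed response of the kind an open resolver might return for an ANY query and computes the byte ratio. The zone example.com, the documentation-range addresses and the TXT padding are assumptions for illustration, and the factor is only indicative, since real answers vary with the zone queried.

```python
"""DNS wire format: recursive vs iterative queries and the amplification ratio.

Added example, not from the original post. Names, addresses (RFC 5737/3849
documentation ranges) and TXT padding are constructed for illustration.
"""
import struct
from typing import List, Optional

TYPE_A, TYPE_NS, TYPE_MX, TYPE_TXT, TYPE_AAAA, TYPE_OPT, TYPE_ANY = 1, 2, 15, 16, 28, 41, 255
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Domain name as length-prefixed labels, ending in the zero-length root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def opt_rr(udp_payload_size: int) -> bytes:
    """EDNS0 OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS field = UDP payload size.
    Advertising a large size is what lets one UDP response run to thousands of bytes."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def build_query(name: str, qtype: int, recursion_desired: bool,
                edns_size: Optional[int] = None, txid: int = 0x1234) -> bytes:
    """A stub resolver sets RD (bit 8 of the flags word); an iterative resolver
    talking to root, TLD and authoritative servers leaves it clear."""
    flags = 0x0100 if recursion_desired else 0x0000
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return msg + (opt_rr(edns_size) if edns_size else b"")


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """One resource record (no name compression, to keep the arithmetic visible)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(name: str, qtype: int, answers: List[bytes],
                   edns_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Response with QR, RD and RA set, echoing the question and the OPT RR."""
    flags = 0x8180
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return msg + b"".join(answers) + opt_rr(edns_size)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: transaction id, flag bits and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def sample_any_answers(zone: str = "example.com") -> List[bytes]:
    """Constructed record set an ANY query might return; the TXT records are filler."""
    def txt(s: bytes) -> bytes:          # TXT rdata is one or more <character-string>s
        return bytes([len(s)]) + s
    return [
        rr(zone, TYPE_A, bytes([192, 0, 2, 1])),
        rr(zone, TYPE_AAAA, bytes.fromhex("20010db8" + "00" * 10 + "0001")),  # 2001:db8::1
        rr(zone, TYPE_NS, encode_name("ns1." + zone)),
        rr(zone, TYPE_NS, encode_name("ns2." + zone)),
        rr(zone, TYPE_MX, struct.pack("!H", 10) + encode_name("mail." + zone)),
    ] + [rr(zone, TYPE_TXT, txt(b"constructed-filler-" + bytes([48 + i]) + b"x" * 235))
         for i in range(3)]


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the spoofed source per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", TYPE_ANY, recursion_desired=True, edns_size=4096)
    r = build_response("example.com", TYPE_ANY, sample_any_answers())
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"amplification x{amplification_factor(q, r):.1f}")
```

Run it and it reports a 40-byte query against a response of just over a kilobyte, a factor in the mid twenties, with no DNSSEC records at all; signed zones push responses, and the factor, higher still. The arithmetic also shows why EDNS0 matters to the attacker: without it, a UDP response larger than 512 bytes is truncated and the client must retry over TCP, whose handshake cannot be completed from a spoofed address.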

Do this with enough DNS machines and you can have the DNS network flooding the very network it is supposed to be serving.

Best practice says that a server should answer recursive queries only for its own clients (in BIND this is the allow-recursion ACL), but a great many resolvers remain open to the whole Internet. So find yourself a large number of open resolvers, fire off enough of these requests, and you could certainly flood entire segments of the Internet with so much traffic that they become unusable.

Such an attack has already happened. One ISP suffered an attack that made use of 140,000 DNS servers and generated over 10GB/s of traffic to flood its network.
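Whether you run the resolvers being abused or the network on the receiving end, the traffic pattern is visible in ordinary flow records. The Python below is an added example, not from the original post or from the incident it describes: it parses a handful of constructed NetFlow-style records (RFC 5737 addresses, invented byte counts) and flags any host that receives far more UDP/53 response bytes, from several distinct resolvers, than it ever sent out as queries, which is the signature of responses to requests spoofed in its name. The thresholds are assumptions to be tuned for your own network.

```python
"""Spotting DNS amplification traffic in flow records.

Added example, not from the original post. The flow records are constructed
(RFC 5737 documentation addresses, invented byte counts). The detector flags
hosts that receive far more UDP/53 response bytes, from several different
resolvers, than they ever sent out as queries.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed NetFlow-style records: timestamp, src ip:port, dst ip:port, proto, bytes.
# 198.51.100.7 and .8 are ordinary clients; 198.51.100.99 receives responses to
# spoofed queries from four resolvers; 198.51.100.20 sees two stray responses
# from one server (asymmetric routing, not an attack).
FLOWS = """\
1332864000.001 198.51.100.7:53124  203.0.113.10:53    udp 72
1332864000.003 203.0.113.10:53     198.51.100.7:53124 udp 118
1332864000.004 198.51.100.7:53125  203.0.113.10:53    udp 68
1332864000.006 203.0.113.10:53     198.51.100.7:53125 udp 140
1332864000.010 198.51.100.8:40001  203.0.113.11:53    udp 64
1332864000.012 203.0.113.11:53     198.51.100.8:40001 udp 512
1332864000.020 198.51.100.99:1024  203.0.113.10:53    udp 40
1332864000.021 203.0.113.10:53     198.51.100.99:1024 udp 3012
1332864000.022 203.0.113.11:53     198.51.100.99:1024 udp 2988
1332864000.023 203.0.113.12:53     198.51.100.99:1024 udp 3050
1332864000.024 203.0.113.13:53     198.51.100.99:1024 udp 2970
1332864000.025 203.0.113.10:53     198.51.100.99:1024 udp 3100
1332864000.026 203.0.113.12:53     198.51.100.99:1024 udp 3020
1332864000.030 203.0.113.14:53     198.51.100.20:5353 udp 500
1332864000.031 203.0.113.14:53     198.51.100.20:5353 udp 500
"""

Flow = Tuple[float, str, int, str, int, str, int]


@dataclass
class HostStats:
    query_bytes: int = 0                          # bytes this host sent to *:53
    response_bytes: int = 0                       # bytes this host received from *:53
    resolvers: set = field(default_factory=set)   # servers that sent it responses


@dataclass
class Finding:
    host: str
    query_bytes: int
    response_bytes: int
    resolvers: List[str]
    ratio: float


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((float(ts), sip, int(sport), dip, int(dport), proto, int(nbytes)))
    return flows


def aggregate(flows: List[Flow]) -> Dict[str, HostStats]:
    """Per client host: bytes of queries out, bytes of responses in, distinct servers."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for _ts, sip, sport, dip, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 53:                 # query: client -> server
            stats[sip].query_bytes += nbytes
        elif sport == 53:               # response: server -> client
            stats[dip].response_bytes += nbytes
            stats[dip].resolvers.add(sip)
    return stats


def detect(flows: List[Flow], min_ratio: float = 10.0, min_resolvers: int = 3) -> List[Finding]:
    """Flag hosts whose inbound DNS response volume dwarfs their outbound queries.

    Responses with no matching query at all count as an infinite ratio. Requiring
    several distinct resolvers avoids flagging one large legitimate answer or a
    single server's responses seen over an asymmetric path."""
    findings = []
    for host, s in aggregate(flows).items():
        if s.response_bytes == 0 or len(s.resolvers) < min_resolvers:
            continue
        ratio = s.response_bytes / s.query_bytes if s.query_bytes else float("inf")
        if ratio >= min_ratio:
            findings.append(Finding(host, s.query_bytes, s.response_bytes,
                                    sorted(s.resolvers), ratio))
    return sorted(findings, key=lambda f: f.response_bytes, reverse=True)


if __name__ == "__main__":
    for f in detect(parse_flows(FLOWS)):
        print(f"{f.host}: {f.response_bytes} B in from {len(f.resolvers)} resolvers "
              f"vs {f.query_bytes} B out (x{f.ratio:.0f}); via {', '.join(f.resolvers)}")
```

The distinct-resolver threshold is what keeps a single large legitimate answer, or responses seen over an asymmetric route, out of the findings; lower it to one and the stray-response host is flagged as well. A hit on a host you operate tells you its address is being spoofed and lists the resolvers delivering the flood, which is the starting point for filtering them or contacting their operators; a hit where the resolvers are your own servers tells you they are answering recursive queries they should not.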

So, whilst a group of hackers might not be able to disable the Internet using DNS servers in the way originally talked about, there are other possibilities. And consider for a moment what would happen if the DNS network were used to attack itself with such an amplification technique.

To those who say our DNS infrastructure can never be used to disable the Internet, I say: never say never.

Cross-posted from Alan Woodward

Robin Jackson: OK, this is total FUD. First and foremost, there are FAR MORE than 13 TLD servers, they are scattered around the Internet and designed to be highly redundant. Then there is the question of WTH does HOIC have to do with ANYTHING. DNS is a UDP protocol message on port 53. You really should get down here in the weeds.
Alan Woodward: Yes, we all know that it is not just 13 physical servers, but there isn't room in 1000 words to describe that. For anyone wanting to see the actual configuration of the 13 TLDs they can always visit:
Also, I do not say that HOIC is used to attack DNS. I use it simply as one example of a type of DDOS attack.
As to being FUD, you may care to simply Google DNS Amplification attack and read the many papers and articles that discuss the issue. There are many far more expert than me in DNS and I'm sure they all have reasons why this cannot happen but the main point I am trying to make is that DNS is not invulnerable and attacks may come from where you might not expect.
Robin Jackson: If you were discussing the threat of a DNS amplification attack, there is no need to reference the TLDs. A single network is susceptible to such an attack, but it has nothing to do with the TLDs not being available. It's simply volumes of traffic that are meant to bog a system. At best you're mixing paradigms, but you make SEVERAL references to the unavailability of the TLDs, which seems to be the point that you were suggesting. IMHO