Using RRL to Prevent DNS Amplification Attacks

Thursday, December 19, 2013

Allan Liska


One commonly used method of Distributed Denial of Service (DDoS) attack is the DNS Amplification attack.  DNS Amplification takes advantage of the stateless nature of DNS requests: the attacker sends forged DNS requests to open recursive DNS servers so that the responses are directed at the target of the DDoS attack.

If the last sentence seemed like complete gibberish, it might help to give an example.  A hacktivist decides she has a grudge against your fast food company because you only offer your Halloween Pumpkin Milkshake 2 months a year.  This hacker controls a botnet with 5,000 nodes, which can launch a 100 Megabit attack against your website.  This is not enough to take down your website, so you don't worry about it.  But our determined hacktivist has done her homework and identified thousands of open resolvers.  An open resolver is a caching DNS server that allows anyone to make queries (if you have one, you really should disable it).

After identifying the open resolvers, the attacker instructs her botnet to send forged DNS queries to the open resolvers with the IP address of your webserver as the forged originating IP.  So now, instead of a 100 Megabit attack, you may be hit with a 10 Gigabit sustained attack.  How does that work?  By creating large DNS responses.  While the attacker's DNS queries are less than 512k, the responses can be significantly larger.  For example, if you send an ANY query to Microsoft you get an 832k response:

-sh-3.2$ dig microsoft.com ANY
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1 <<>> microsoft.com ANY
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42610
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 10

;; QUESTION SECTION:
;microsoft.com.                 IN      ANY

;; ANSWER SECTION:
microsoft.com.          3600    IN      TXT     "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:131.107.115.215 ip4:131.107.115.214 ip4:205.248.106.64 ip4:205.248.106.30 ip4:205.248.106.32 ~all"
microsoft.com.          3600    IN      TXT     "FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="
microsoft.com.          3600    IN      MX      10 mail.messaging.microsoft.com.
microsoft.com.          3600    IN      SOA     ns1.msft.net. msnhst.microsoft.com. 2013081506 300 600 2419200 3600
microsoft.com.          3600    IN      A       65.55.58.201
microsoft.com.          3600    IN      A       64.4.11.37
microsoft.com.          172799  IN      NS      ns1.msft.net.
microsoft.com.          172799  IN      NS      ns4.msft.net.
microsoft.com.          172799  IN      NS      ns2.msft.net.
microsoft.com.          172799  IN      NS      ns3.msft.net.
microsoft.com.          172799  IN      NS      ns5.msft.net.

;; AUTHORITY SECTION:
microsoft.com.          172799  IN      NS      ns5.msft.net.
microsoft.com.          172799  IN      NS      ns4.msft.net.
microsoft.com.          172799  IN      NS      ns1.msft.net.
microsoft.com.          172799  IN      NS      ns2.msft.net.
microsoft.com.          172799  IN      NS      ns3.msft.net.

;; ADDITIONAL SECTION:
ns1.msft.net.           3599    IN      A       65.55.37.62
ns1.msft.net.           3599    IN      AAAA    2a01:111:2005::1:1
ns2.msft.net.           3599    IN      A       64.4.59.173
ns2.msft.net.           3599    IN      AAAA    2a01:111:2006:6::1:1
ns3.msft.net.           3599    IN      A       213.199.180.53
ns3.msft.net.           3599    IN      AAAA    2a01:111:2020::1:1
ns4.msft.net.           3599    IN      A       207.46.75.254
ns4.msft.net.           3599    IN      AAAA    2404:f800:2003::1:1
ns5.msft.net.           3599    IN      A       65.55.226.140
ns5.msft.net.           3599    IN      AAAA    2a01:111:200f:1::1:1

;; Query time: 1 msec
;; SERVER: 199.58.210.9#53(199.58.210.9)
;; WHEN: Fri Aug 16 17:12:53 2013
;; MSG SIZE  rcvd: 893

Running an ANY query against DHS.GOV returns a 4453K response, most of it DNSSEC signature and key data.


As you can see, by forging a proper query an attacker can cause significant damage to a host, even with a relatively modest botnet.  The other advantage of a DNS Amplification attack is that it is practically untraceable.  The attacks appear to come from DNS servers all over the Internet, which are most likely not logging the requests, so there is not even a trail back to the botnet members, much less our milkshake-loving hacker.

First proposed by Paul Vixie and Vernon Schryver in April 2012, DNS Response Rate Limiting (RRL) is a method for preventing a caching server from being used in a DNS Amplification attack by maintaining information about the types of queries that have been made.  It does not change the nature of DNS; instead, the server itself keeps track of the types and numbers of queries made and limits the number of responses it will return.  I recommend reading the full technical note for all the details, but it boils down to this: in BIND an administrator can now create limits based on fields such as responses per second, errors per second, the netblocks to which responses are sent, and more.  The RRL capability is implemented in BIND 9.9.4; hopefully other DNS implementations will follow.
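To make the mechanism concrete, here is an added example (not code from the post, from ISC or from BIND) that simulates a simplified response-rate limiter in Python, keyed the way the post describes: per client netblock and per response identity, with a responses-per-second budget, a forgiveness window and a "slip" of truncated replies. The parameter names mirror BIND's rate-limit options (responses-per-second, errors-per-second, window, slip, ipv4-prefix-length), but the credit arithmetic is a simplification of BIND's, and all traffic is constructed, including the spoofed ANY flood for microsoft.com from the earlier dig example.

```python
from collections import defaultdict
from ipaddress import ip_network

class ResponseRateLimiter:
    """Simplified token-bucket limiter modelled on BIND's rate-limit options.

    Each (client netblock, response identity) pair has a credit balance: -1 per
    response, +limit per second (capped at one second's worth), floored at
    -limit*window so a flood is forgiven within `window` seconds of stopping.
    A negative balance drops the response, except that every `slip`-th dropped
    response becomes a small truncated (TC=1) reply so real clients retry over TCP.
    """

    def __init__(self, responses_per_second=5, errors_per_second=5,
                 window=5, slip=2, ipv4_prefix_length=24):
        self.rps, self.eps = responses_per_second, errors_per_second
        self.window, self.slip, self.prefix = window, slip, ipv4_prefix_length
        self.buckets = {}                  # key -> (credits, last_second)
        self.dropped = defaultdict(int)    # key -> number of dropped responses

    def _key(self, client_ip, qname, qtype, rcode):
        # Spoofed sources are aggregated per netblock (ipv4-prefix-length);
        # errors share one bucket per netblock, answers are keyed on the answer.
        net = ip_network(f"{client_ip}/{self.prefix}", strict=False)
        ident = ("ERROR",) if rcode != "NOERROR" else (qname.lower(), qtype)
        return (str(net),) + ident

    def check(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'slip' (send a TC=1 reply) or 'drop' for one response."""
        key = self._key(client_ip, qname, qtype, rcode)
        limit = self.eps if rcode != "NOERROR" else self.rps
        credits, last = self.buckets.get(key, (limit, int(now)))
        if int(now) > last:                # refill one second's allowance per second
            credits = min(credits + (int(now) - last) * limit, limit)
        credits = max(credits - 1, -limit * self.window)
        self.buckets[key] = (credits, int(now))
        if credits >= 0:
            return "send"
        self.dropped[key] += 1
        return "slip" if self.slip and self.dropped[key] % self.slip == 0 else "drop"

def simulate():
    """Constructed traffic: 20 spoofed ANY queries for microsoft.com within one
    second, all 'from' the victim 203.0.113.10, plus 3 ordinary A lookups."""
    rrl = ResponseRateLimiter(responses_per_second=5, window=5, slip=2)
    flood = [(1.0 + i / 20, "203.0.113.10", "microsoft.com", "ANY") for i in range(20)]
    legit = [(1.0 + i / 3, "198.51.100.7", "example.com", "A") for i in range(3)]
    outcome = defaultdict(lambda: defaultdict(int))
    for now, ip, qname, qtype in sorted(flood + legit):
        outcome[ip][rrl.check(now, ip, qname, qtype)] += 1
    return {ip: dict(counts) for ip, counts in outcome.items()}
```

Running simulate() shows the spoofed victim receiving only the first 5 full answers, with the remaining 15 responses dropped or slipped to truncated replies, while the unrelated client's lookups are all answered.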

ISC, the organization that maintains the BIND source code, is offering a free webinar on how to implement DNS RRL on Wednesday, August 21st if you want to learn more about this capability.

Cross Posted from the Symantec Cyber Readiness and Response Blog
