Author Topic: DNS Amplification Attacks  (Read 1662 times)

W1nTry
DNS Amplification Attacks
« on: August 07, 2006, 09:52:35 AM »
This would be particularly useful to site admins, Baego?
Quote
DNS amplification attacks explained

Defcon 2006: The new way to flood

By Charlie Demerjian in Las Vegas: Sunday 06 August 2006, 21:50
 
YOU MAY HAVE heard about a class of attacks called DNS amplification attacks recently; they are a real nasty and subtle class of DDOS attack. Like ping flooding and smurfing, they depend on sending large amounts of data across a pipe and drowning out any legit data.

You may notice the amplification part in the name, and that is the key here. What it does is turn a few bytes of data into a stream many times as large. In the case of the one discussed at Defcon, it took a 20 byte packet and turned it into 8.5K. With this ratio, you can take a cable modem and turn it into gigs a second of traffic. Toss a botnet into this, and you can crush the life out of any target you want.

The mechanism it works on is pretty simple. There is a DNS query of a type called 'any', and in the real world, it is pretty useless. If you send that query to an authoritative DNS server, it will return anything it has, which is everything. If you send it to a non-authoritative source, it simply returns what it has, usually little or nothing.

One other thing to note is that DNS as was originally specified has a 512 byte maximum message size. This was later extended so that if you needed more, it could do that. If your server didn't like the extended size, it would stop using UDP and set up a TCP connection, hugely expensive in computational terms, to send the data.

What the amp attacks do is hack an authoritative server and put in a large text field on a record, not large in the MS Word sense, but a few K of text. One person in the audience said he scans DNS servers, and on one he found large chunks of the book of revelations in a record. This probably is not RFC compliant, but the text with the four horsemen used as a DDOS is more than mildly ironic.

The next stage is a little more complex: you take a list of open DNS servers and query them for the record you hacked. They dutifully go out and look it up, download a few K of text, answer the query, and cache the answer. It isn't hard to find a few thousand of these, so you effectively have a botnet.

From that point, you take a real botnet, or at least a few machines, and spoof a few packets. Those spoofs are a simple DNS query for the record that you cached earlier, and the spoofed return address is the victim. Repeat on a massive scale, and the victim is flooded with huge DNS traffic.

With the overhead of TCP sucking up CPU time, and an amplification factor of tens to hundreds, you can take a few meg of traffic and turn it into gigs. The victim is flooded into the ground, and there is squat all they can do other than sit it out and wait. DNS amplification attacks are quite effective and fairly easy to pull off, just what we all need for a safe and happy internet. µ
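
Seen from the operator of one of the open DNS servers the article describes, the reflection shows up as a single "client" address repeatedly asking for the same oversized ANY or TXT record. The Python sketch below is an added example, not part of the original post or the quoted article; the log record layout, the sample records and the thresholds are constructed assumptions.

```python
from collections import defaultdict

CLASSIC_UDP_LIMIT = 512  # original DNS maximum message size mentioned in the article

# Constructed resolver log records (assumed layout, not a real server's format):
# (client_ip, qname, qtype, query_bytes, response_bytes)
SAMPLE_LOG = (
    [("192.0.2.10", "www.example.org", "A", 33, 49),
     ("192.0.2.11", "mail.example.org", "MX", 34, 92)]
    # The same source "asks" 40 times for one large record: the reflection pattern.
    + [("198.51.100.7", "big.example.net", "ANY", 33, 4100)] * 40
    # A single large lookup and a small TXT lookup: neither should be flagged.
    + [("192.0.2.12", "big.example.net", "ANY", 33, 4100),
       ("203.0.113.5", "txt.example.net", "TXT", 33, 300)]
)

def summarize(log):
    """Group records by (client, qname, qtype) -> [count, bytes_in, bytes_out]."""
    stats = defaultdict(lambda: [0, 0, 0])
    for client, qname, qtype, q_len, r_len in log:
        entry = stats[(client, qname, qtype)]
        entry[0] += 1
        entry[1] += q_len
        entry[2] += r_len
    return stats

def suspected_reflection(log, min_queries=20, min_factor=10.0):
    """Return likely reflection victims, largest outbound volume first.

    min_queries and min_factor are illustrative thresholds (assumptions);
    tune them against normal traffic for the resolver being monitored.
    """
    findings = []
    for (client, qname, qtype), (n, q_bytes, r_bytes) in summarize(log).items():
        factor = r_bytes / q_bytes                  # amplification ratio
        oversized = r_bytes / n > CLASSIC_UDP_LIMIT  # mean answer exceeds 512 bytes
        if qtype in ("ANY", "TXT") and oversized and n >= min_queries \
                and factor >= min_factor:
            findings.append({"victim": client, "qname": qname, "qtype": qtype,
                             "queries": n, "factor": round(factor, 1),
                             "bytes_sent": r_bytes})
    return sorted(findings, key=lambda f: f["bytes_sent"], reverse=True)

if __name__ == "__main__":
    for finding in suspected_reflection(SAMPLE_LOG):
        print(finding)
```

The address flagged as `victim` is the spoofed source of the queries, so it identifies who is receiving the flood rather than who is sending it.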
