A Distributed Denial-of-Service (DDoS) attack is a way to take down a remote service by sending it attack traffic from many points of the network at once. Because the traffic comes from numerous sources rather than a single one, the target has far more difficulty blocking them: with firewalls, IP routing rules, IPS, WAF or even a reverse proxy, a single-source DoS is much simpler to stop than a DDoS. For obvious technical reasons, some protocols are connectionless and are used mainly for testing or for basic network service operation, which makes them good vectors for DDoS attacks. The most common are: 1- Smurf Attack (using ICMP), 2- Fraggle Attack (using UDP ECHO & CHARGEN services), 3- DNS amplification (using DNS/UDP).
DNS is a protocol that mainly uses UDP (and, originally, only UDP) for the sake of a compact message format, low network consumption and good performance. It is also well known as a protocol for performing powerful DDoS attacks. These attacks can target either a DNS server itself or an IP address chosen as a victim.
- In the first case the main objective is to prevent the DNS server from answering queries; this impacts all its clients, which may be a huge number if the targets are Internet DNS authoritative servers.
- In the second case, DNS servers are used to direct answers towards a specific target; the objective is to consume all the Internet bandwidth of the target IP address and push it off the network.
DNS is interesting to attackers because it works mainly over UDP. The source IP address of a UDP datagram can be forged to be that of the target (IP spoofing), and a request that is legitimate from a protocol standpoint will be answered by the server towards this forged address. The target then receives the answer and consumes resources handling it: on the network (inbound bandwidth), at the firewall, which tries to match the answer with a previous query that does not exist, or in the operating system. On top of this reflection path, DNS servers can answer a single small query with a large amount of data; this is the DNS amplification attack, and it is attractive because the resources consumed on the attacker side are low while the impact on the target is high.
For example, the answer to a TXT DNS request for the record office.com is 516 bytes long, while the query is only around 60 bytes. It is technically possible to generate 1 Gbps of traffic using only 50 compromised clients, each sending 10 requests per second towards 500 open recursive DNS servers (there are currently around 175K such servers in Japan and 259K in France). One Gbps may seem low, but with 10 or 50 times that, most of the enterprise services hosted on a company's infrastructure are taken down.
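To make the two previous paragraphs concrete, here is an added example (written for this page, not code from the original article) that builds a DNS TXT query and answer in wire format, measures the amplification ratio, checks the 1 Gbps estimate with the page's own figures, and shows the defender-side signal mentioned above: an answer arriving at the victim that matches no outgoing query. The packet contents, addresses and the 223-byte TXT strings are constructed so that the datagram sizes land on the page's 56-byte query and 516-byte answer (IPv4 and UDP headers included); nothing is sent on the network.

```python
"""Added example: DNS wire-format builder plus a stateful answer matcher.
All sample packets are constructed in this file; no traffic is generated."""
import struct

QTYPE_TXT = 16
IP_UDP_OVERHEAD = 28  # IPv4 header (20 bytes) + UDP header (8 bytes) per datagram


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035, section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype):
    """Standard query: header with RD set, one question, no records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_txt_response(txid, name, strings):
    """Answer carrying one TXT record; the owner name is a pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_TXT, 1)
    rdata = b"".join(bytes([len(s)]) + s for s in strings)  # each string <= 255 bytes
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + rr


def parse_header(msg):
    """Return the transaction id and the QR flag (bit 15 of the flags word)."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & 0x8000)


def wire_len(payload):
    """Size of the datagram as seen on the link, headers included."""
    return len(payload) + IP_UDP_OVERHEAD


def estimate_reflected_bps(clients, queries_per_sec, resolvers, response_bytes):
    """Bandwidth hitting the victim if every resolver reflects every spoofed query."""
    return clients * queries_per_sec * resolvers * response_bytes * 8


class ResponseMatcher:
    """Stateful check at the victim's edge: an answer is only expected if a query
    with the same (txid, resolver, client) tuple left the network earlier."""

    def __init__(self):
        self.pending = {}          # (txid, resolver, client) -> query wire size
        self.unsolicited_bytes = 0
        self.events = []

    def observe(self, direction, src, dst, payload):
        txid, is_response = parse_header(payload)
        if direction == "out" and not is_response:
            self.pending[(txid, dst, src)] = wire_len(payload)
            return "query"
        if direction == "in" and is_response:
            qlen = self.pending.pop((txid, src, dst), None)
            if qlen is None:  # nobody here asked: reflected traffic
                self.unsolicited_bytes += wire_len(payload)
                self.events.append(("unsolicited", src, wire_len(payload)))
                return "unsolicited"
            self.events.append(("matched", src, round(wire_len(payload) / qlen, 1)))
            return "matched"
        return "ignored"


def run_sample():
    """Constructed traffic: one solicited answer, then one reflected answer."""
    query = build_query(0x1234, "office.com", QTYPE_TXT)
    big_txt = [b"v=spf1 " + b"a" * 216, b"include:" + b"b" * 215]  # 2 x 223 bytes
    answer = build_txt_response(0x1234, "office.com", big_txt)
    reflected = build_txt_response(0xBEEF, "office.com", big_txt)  # victim never asked
    m = ResponseMatcher()
    results = [
        m.observe("out", "10.0.0.5", "198.51.100.53", query),
        m.observe("in", "198.51.100.53", "10.0.0.5", answer),
        m.observe("in", "203.0.113.7", "10.0.0.5", reflected),
    ]
    return {
        "query_wire_bytes": wire_len(query),
        "answer_wire_bytes": wire_len(answer),
        "results": results,
        "events": m.events,
        "unsolicited_bytes": m.unsolicited_bytes,
        "estimated_bps": estimate_reflected_bps(50, 10, 500, wire_len(answer)),
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

With these sizes the on-wire ratio is about 9.2 (516/56); counted on the UDP payload alone it is about 17 (488/28), which is why published amplification figures differ depending on whether headers are included. The bandwidth estimate, 50 clients x 10 queries/s x 500 resolvers x 516 bytes x 8, comes to 1.032 Gbps, matching the page's 1 Gbps figure. Note where the matcher has to sit: the open resolvers see perfectly valid queries and cannot tell they are spoofed, so the "unsolicited answer" signal only exists at the victim's own edge, which is exactly the firewall-state mismatch described above.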
Fortunately some protections exist on Internet networks that complicate the attackers' work (e.g. Unicast Reverse Path Forwarding, uRPF), but as long as they use legitimate-looking traffic they will find a way to carry out their attacks. The low price of a DDoS attack on the black market, around $1000 for a week, shows how easy it is (search for DDoS-for-Hire Service on your favorite search engine).
Some DNS attacks can also target internal recursive DNS servers, which are less exposed to distributed attacks because DDoS traffic more often comes from the Internet through compromised devices and servers. Even if malware can spread inside an enterprise, move east-west and launch a distributed attack towards the internal recursive server, this is less common because it is less valuable on the black market: a set of internal targets is harder to sell on the dark web, since buyers prefer to use the compromised hosts for attacks toward a specific target located on the Internet. For an ISP, however, the recursive server is reachable by its clients, and since they may be numerous, such attacks can be envisioned; this is why ISPs look at performance, burst capacity and client behaviour analysis to protect themselves from their own clients.
Famous DDoS attacks:
- The BBC website and Internet radio system were attacked on December 31st, 2015 by an aggressive DDoS which reached around 600 Gbps of traffic (see ‘Anti-IS group’ claims BBC website attack). This attack was perpetrated by a US group called New World Hacking, which tested its techniques on the BBC in preparation for other real attacks. At that time, most DDoS attacks were performed using the well-known XOR DDoS botnet, which in most cases uses DNS and TCP SYN attacks.
- Dyn cyberattack on Friday October 21st, 2016. Two massive DDoS attacks were conducted, mainly using the famous Mirai botnet with probably around 100,000 malicious endpoints. This attack, directly targeting the authoritative DNS service, had a huge impact on most of the sites and services using Dyn as their provider. Operations on sites such as Twitter, Spotify and Amazon were directly impacted for around 2 hours.
- DDoS attack on October 20th, 2019 towards Amazon AWS Route 53 and services relying on DNS resolution such as the S3 object store, Database Service (RDS), Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB) and Simple Queue Service (SQS). The attack lasted around 8 hours before AWS anti-DDoS systems could stop it, meaning the impact on AWS users was quite high.