One of the interesting things about owning a server on the Internet is trying to keep the constant barrage of attackers at bay. A few weeks back, I had been watching the raw traffic with tcpdump, trying to diagnose a problem and saw a huge number of DNS requests. A closer look revealed the queries were coming in batches of about 3000 to 5000 from the same IP address over the course of a minute or so. All of the queries were the same: an ANY request for one of the domains I host.
Coincidentally, the very next morning, I was listening to the SANS Internet Storm Center’s Stormcast Podcast at the gym when I heard Johannes mention a diary about DNS ANY attacks being observed.
The attack is a pretty simplistic DNS amplification DDoS. The attacker, from one or more PCs, sends out a large number of DNS ANY requests using spoofed source IP addresses, where the spoofed source address is that of the intended target. The attacker gets two advantages from doing this:
- Amplification – the attacker sends relatively small DNS request packets to many DNS servers, each of which responds with a significantly larger message, and that response goes to the victim.
- Anonymity – neither the victim of the DDoS attack nor the unwitting operators of the DNS servers being used can tell where the traffic is actually coming from.
I implemented a set of IPTables firewall rules to temporarily block repeated ANY requests from the same IP in a short time frame. I decided to take a look at the logs and, over the course of the previous 7 weeks, my rule has been tripped 38,663 times by 1,704 distinct hosts. Had it not been for the firewall rule, each one of those 38,663 would have equated to 3000 to 5000 responses. Even with the firewall rule, 10 packets per event were sent – not as bad as it could be.
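The post does not reproduce the actual rule set, so below is an added example, written for this post rather than taken from it, of the kind of IPTables rules described above. It uses the `string` match to recognise the ANY question type in the DNS payload and the `recent` match to count such packets per source address; the 60-second window, the threshold of 10 packets (chosen to line up with the "10 packets per event" figure above), the `dnsany` list name and the log prefix are my assumptions, not values from the post. The `is_any_query` helper and the two hex-encoded sample queries are constructed here so the signature can be checked offline against an ANY query and an ordinary A query.

```shell
#!/bin/sh
# Example rule set for rate-limiting DNS ANY queries per source address.
# Assumptions (not from the original post): 60-second window, 10-packet
# threshold, list name "dnsany", log prefix "DNS-ANY-FLOOD ".

# Hex signature of the end of a DNS question for QTYPE ANY, QCLASS IN:
#   00     terminating label of the QNAME
#   00 ff  QTYPE 255 (ANY)
#   00 01  QCLASS 1 (IN)
ANY_SIG='0000ff0001'
# 20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header = 40, so the
# string match starts at the question section and ignores the headers.
DNS_QUESTION_OFFSET=40
WINDOW_SECONDS=60
HITCOUNT=10        # must not exceed the xt_recent ip_pkt_list_tot parameter (default 20)
LIST=dnsany

# Emit or apply the rules. $1 is the command to run them through:
# "echo" prints them for review, "iptables" (as root) installs them.
dns_any_rules() {
    run="${1:-echo}"
    # Rule 1: record every UDP/53 packet carrying the ANY signature, keyed by source IP.
    "$run" -A INPUT -p udp --dport 53 \
        -m string --algo bm --from "$DNS_QUESTION_OFFSET" --hex-string "|$ANY_SIG|" \
        -m recent --set --name "$LIST"
    # Rule 2: once a source has sent HITCOUNT such packets inside the window, log it
    # (rate-limited so the log itself cannot be flooded) ...
    "$run" -A INPUT -p udp --dport 53 \
        -m string --algo bm --from "$DNS_QUESTION_OFFSET" --hex-string "|$ANY_SIG|" \
        -m recent --rcheck --seconds "$WINDOW_SECONDS" --hitcount "$HITCOUNT" --name "$LIST" \
        -m limit --limit 1/sec --limit-burst 5 \
        -j LOG --log-prefix "DNS-ANY-FLOOD "
    # Rule 3: ... and drop the remaining ANY queries from that source.
    "$run" -A INPUT -p udp --dport 53 \
        -m string --algo bm --from "$DNS_QUESTION_OFFSET" --hex-string "|$ANY_SIG|" \
        -m recent --rcheck --seconds "$WINDOW_SECONDS" --hitcount "$HITCOUNT" --name "$LIST" \
        -j DROP
}

# Offline check of the signature: $1 is the hex of a DNS message (header plus
# question, no IP/UDP headers). Returns 0 if the ANY/IN signature appears
# byte-aligned anywhere after the 12-byte DNS header, mirroring the string match.
is_any_query() {
    q=$(printf '%s' "$1" | cut -c 25-)   # skip 12 header bytes = 24 hex digits
    while [ ${#q} -ge 10 ]; do
        case "$q" in
            "$ANY_SIG"*) return 0 ;;
        esac
        q=${q#??}                          # advance one byte
    done
    return 1
}

# Constructed sample queries (ID 0x1234, RD set, one question for example.com):
ANY_QUERY_HEX='123401000001000000000000076578616d706c6503636f6d0000ff0001'
A_QUERY_HEX='123401000001000000000000076578616d706c6503636f6d0000010001'

# Dry run when executed directly: print the rules and exercise the two samples.
if [ "${1:-}" = "--dry-run" ]; then
    dns_any_rules echo
    is_any_query "$ANY_QUERY_HEX" && echo "sample ANY query: matches signature"
    is_any_query "$A_QUERY_HEX" || echo "sample A query: no match"
fi
```

`dns_any_rules echo` prints the three rules for review and `dns_any_rules iptables` installs them. Two caveats a practitioner should keep in mind: the `--from 40` offset assumes IPv4 without options and the rules cover UDP only, so ANY queries over TCP are untouched; and because the source address in this attack is the victim's, what rule 3 actually drops is the stream of ANY queries that appear to come from the victim, which is also whose address ends up in `/proc/net/xt_recent/dnsany`.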
What was most interesting to me is the distribution of attacks:
- 80% of the attacks were against hosts in China.
- 15% were against hosts in the US.
- 5% were split across roughly 20 other countries.
Since no good blog post is missing a graph, here is mine:
This is an unfortunately effective attack method. There are very few defenses against it, since it’s effectively a bandwidth exhaustion attack. Clearly the traffic reflected off my server isn’t enough to take down a site, but if an attacker is able to coordinate reflections off thousands of DNS servers, it will inevitably fill the largest connections. I am aware of attacks that have exceeded 3Gbps against a single host.
There are a few defenses, however. First, using a service such as Akamai to host Internet-facing services goes a long way, as they are more capable of riding out such attacks. Second, coordinating with Internet Service Providers to implement ACLs in their cloud lets them detect and mitigate attacks as they happen.
A better but much harder way to control these attacks would be for ISPs to perform egress filtering to prevent source address spoofing, and for operators of DNS servers to implement ACLs to detect and block attack traffic.