DNS Reflection attack


The part I got so far was “swamping an ip address with requests that are far too big” but I feel like I’m missing out on the detailed info.

How does a DNS Reflection attack actually take place, and why does it work like it does?


There are 3 parties in this attack: the attacker and the victim, plus a (relatively) innocent DNS server.

The attacker sends a request to the DNS server requesting information, but forges the source IP address of the request to that of the victim, as though the victim requested the information. This request packet might be around 50-60 bytes large. It is important to note that this same request is sent over and over again non-stop at the attacker’s maximum transmit speed.

The DNS server responds with the answer to the query, but the information contained within is much larger. One simple example is the query for type “ANY” on isc.org which returns about 446 bytes of a response packet, but it goes to the victim rather than the attacker since the original request source was forged.

So for each 60 bytes consumed by the attacker’s internet connection, 446 bytes actually hit the victim, which is a 7.4x multiplication factor. So if an attacker has 100 megabits of internet available, they can use a DNS reflection attack to hit someone with 740 megabits of data. And I’m sure with some effort you could find a query that makes a much larger response. That 740 megabits comes from the DNS server’s internet connection, but big companies who have DNS servers usually have fast internet. And that’s what’s happening: the attacker is taking advantage of someone else’s internet to both hit someone with a lot of data and remain hidden themselves.

In a real attack there would be multiple DNS servers (ab)used in case one maxes out or gets pulled down.

Most ISPs do not check the source address of the packets they route, only the destination. And DNS mainly uses UDP, which does not require any handshaking to take place. So a normal DNS lookup consists of a single packet from the client to the server, and then the server sends a packet with the response back to the address listed in the source field of the received packet. A DNS reflection attack takes advantage of this by faking the source address of the first request to be that of the victim. The DNS server will then send a response to the victim, thinking it was the source of the original request. And because DNS responses are usually bigger than requests, the victim will receive a lot more traffic from DNS servers than the attacker sends to the DNS servers.
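As an added example (not part of either answer above), the following Python code works through the amplification arithmetic both answers describe and shows the defender's side of it: on a resolver, the spoofed "source" address in the logs is the party being hit, so repeated large-response queries attributed to one address are the signal to watch. The log lines and IP addresses are constructed for the example; the 60-byte request and 446-byte isc.org ANY response are the figures quoted above.

```python
from collections import Counter

def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker actually sends."""
    return response_bytes / request_bytes

def victim_traffic_mbit(attacker_mbit: float, factor: float) -> float:
    """Traffic the victim receives, paid for by the reflector's uplink."""
    return attacker_mbit * factor

# Constructed resolver log lines (not real data):
# "<src_ip> <qname> <qtype> <request_bytes> <response_bytes>"
# 203.0.113.5 is the address being spoofed, i.e. the victim.
SAMPLE_LOG = """\
203.0.113.5 isc.org ANY 60 446
203.0.113.5 isc.org ANY 60 446
203.0.113.5 isc.org ANY 60 446
198.51.100.7 example.com A 45 61
203.0.113.5 isc.org ANY 60 446
"""

def parse_log(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        src, qname, qtype, req, resp = line.split()
        records.append({"src": src, "qname": qname, "qtype": qtype,
                        "req": int(req), "resp": int(resp)})
    return records

def flag_reflection_sources(records: list[dict], min_factor: float = 5.0,
                            min_count: int = 3) -> dict[str, int]:
    """Return source addresses that repeatedly receive answers at least
    min_factor times larger than their queries. On a resolver, these are
    the addresses most likely being spoofed and flooded."""
    counts: Counter = Counter()
    for r in records:
        if amplification_factor(r["req"], r["resp"]) >= min_factor:
            counts[r["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    factor = amplification_factor(60, 446)
    print(f"amplification: {factor:.1f}x")
    print(f"100 Mbit/s in -> {victim_traffic_mbit(100, factor):.0f} Mbit/s out")
    print("suspect sources:", flag_reflection_sources(parse_log(SAMPLE_LOG)))
```

Thresholds are illustrative; real deployments would rate-limit per client (e.g. response-rate limiting on the resolver) and, upstream, drop packets whose source address could not have originated on that network.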