The specification does not allow for unsolicited responses. The DNS server performs the necessary queries on behalf of the client and returns a response packet with the requested information or an error. In a typical recursive DNS query, a client sends a query request to a local DNS server requesting the resolution of a name or the reverse resolution of an IP address. This site is similar to The Measurement Factory’s ability to assess an individual resolver for vulnerability, but offers the ability to test an entire DNS Zone for several other possible configuration and security issues. Īnother freely available, web-based tool for testing DNS resolvers is DNSInspect. Finally, the site offers statistics showing the number of public resolvers detected on the different Autonomous System (AS) networks, sorted by the highest number found. This will allow an administrator to determine if configuration changes are required and verify that configuration changes have been successful.
AMPLIFICATION DDOS ATTACK TOOL FREE
In addition, the Measurement Factory offers a free tool to test a single DNS resolver to determine if it allows open recursion.
Like the Open DNS Resolver Project, the Measurement Factory maintains a list of Internet accessible DNS servers and allows administrators to search for open recursive resolvers. The query interface allows network administrators to enter IP ranges in CIDR format. The Open DNS Resolver Project has compiled a list of DNS servers that are known to serve as globally accessible open resolvers. These tools will scan entire network ranges and list the address of any identified open resolvers. Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers. While it is not easy to identify authoritative name servers used in DNS reflection attacks as vulnerability is not caused by a misconfiguration, there are several freely available options for detecting open recursive resolvers. In the case of authoritative servers, mitigation should focus on using Response Rate Limiting to restrict the amount of traffic. The attack method is similar to open recursive resolvers, but is more difficult to mitigate since even a server configured with best practices can still be used in an attack. While the most common form of this attack that US-CERT has observed involves DNS servers configured to allow unrestricted recursive resolution for any client on the Internet, attacks can also involve authoritative name servers that do not provide recursive resolution. While the attacks are difficult to stop, network operators can apply several possible mitigation strategies. Additionally, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent these types of attacks. By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort.
Because the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic directed at the victim. In most attacks of this type observed by US-CERT, the spoofed queries sent by the attacker are of the type, “ANY,” which returns all known information about a DNS zone in a single request.
Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. When the DNS server sends the DNS record response, it is sent instead to the target. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address. A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use publically accessible open DNS servers to flood a target system with DNS response traffic.
0 kommentar(er)
