DNS amplification attack

DNS amplification is a DDoS attack that leverages DNS resolvers to flood a target with traffic.

Learning objectives

After reading this article you will be able to:

  • Define a DNS amplification attack
  • Explain how a DNS amplification attack works
  • Understand several mitigation strategies for DNS amplification attacks


What is a DNS amplification attack?

A DNS amplification attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

How does a DNS amplification attack work?

All amplification attacks exploit a disparity in bandwidth consumption between an attacker and the targeted web resource. When the disparity in cost is magnified across many requests, the resulting volume of traffic can disrupt network infrastructure. By sending small queries that result in large responses, the malicious user is able to get more from less. By multiplying this magnification by having each bot in a botnet make similar requests, the attacker is both obfuscated from detection and reaping the benefits of greatly increased attack traffic.

To understand the role of a bot in a DNS amplification attack, think of a malicious teenager who calls a restaurant, orders everything on the menu, and asks the restaurant to call back and repeat the entire order. When the restaurant asks for a callback number, the teenager gives the victim's phone number, and the victim then receives a call from the restaurant with a lot of information they never requested.

As a result of each bot making requests to open DNS resolvers with a spoofed IP address, which has been changed to the real source IP address of the targeted victim, the target then receives a response from the DNS resolvers. In order to create a large amount of traffic, the attacker structures the request in a way that generates as large a response from the DNS resolvers as possible. As a result, the target receives an amplification of the attacker’s initial traffic, and their network becomes clogged with the spurious traffic, causing a denial-of-service.

Diagram: DNS amplification DDoS attack

A DNS amplification attack can be broken down into four steps:

  1. The attacker uses a compromised endpoint to send UDP packets with spoofed IP addresses to a DNS recursor. The spoofed address on the packets points to the real IP address of the victim.
  2. Each UDP packet makes a request to a DNS resolver, often passing an argument such as "ANY" in order to receive the largest response possible.
  3. After receiving the requests, the DNS resolver, which is trying to be helpful by responding, sends a large response to the spoofed IP address.
  4. The targeted server's IP address receives the response, and the surrounding network infrastructure is overwhelmed by the deluge of traffic, resulting in a denial of service.

While a few requests are not enough to take down network infrastructure, when this sequence is multiplied across many requests and many DNS resolvers, the amplification of the data the target receives can be substantial. Learn more about the technical details of reflection attacks.

How is a DNS amplification attack mitigated?

For an individual or company running a website or service, mitigation options are limited. This comes from the fact that the individual’s server, while it might be the target, is not where the main effect of a volumetric attack is felt. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. The Internet Service Provider (ISP) or other upstream infrastructure providers may not be able to handle the incoming traffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the targeted victim’s IP address, protecting itself and taking the target’s site off-line. Mitigation strategies, aside from offsite protective services like Cloudflare DDoS protection, are mostly preventative Internet infrastructure solutions.

Reduce the total number of open DNS resolvers

An essential component of DNS amplification attacks is access to open DNS resolvers. By having poorly configured DNS resolvers exposed to the Internet, all an attacker needs to do to utilize a DNS resolver is to discover it. Ideally, DNS resolvers should only provide their services to devices that originate within a trusted domain. In the case of reflection based attacks, the open DNS resolvers will respond to queries from anywhere on the Internet, allowing the potential for exploitation. Restricting a DNS resolver so that it will only respond to queries from trusted sources makes the server a poor vehicle for any type of amplification attack.
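The resolver-side decisions that follow from the four steps above and from this section (refuse recursion to untrusted sources, refuse or minimise "ANY", and rate-limit per source), as an added Python example that is not Cloudflare's code or any real resolver's implementation; the trusted ranges and the query bytes are constructed, and the simple per-source counter stands in for a real response-rate-limiting window.

```python
import struct
import ipaddress
from collections import Counter
# Constructed trusted client ranges; a real resolver takes these from its config.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
QTYPE_ANY = 255

def encode_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS query (RFC 1035 wire format) to use as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    name = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_question(packet: bytes):
    """Return (qname, qtype) from the question section of a raw DNS query."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("truncated header or not exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer never belongs in a query name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), struct.unpack("!H", packet[pos:pos + 2])[0]

class ResolverPolicy:
    def __init__(self, trusted_nets=TRUSTED_NETS, per_source_limit=3):
        self.trusted_nets = trusted_nets
        self.per_source_limit = per_source_limit
        self.counts = Counter()  # stand-in for a real response-rate-limiting window

    def decide(self, src_ip: str, packet: bytes) -> str:
        _qname, qtype = parse_question(packet)
        ip = ipaddress.ip_address(src_ip)
        # Closing the open resolver: only trusted clients get recursion. A spoofed victim
        # address is normally outside these ranges, so the reflection stops right here.
        if not any(ip in net for net in self.trusted_nets):
            return "REFUSED"
        # ANY is the qtype amplifiers ask for; refuse it or answer minimally (RFC 8482).
        if qtype == QTYPE_ANY:
            return "REFUSED-ANY"
        # Per-source rate limit so even a trusted (or spoofed-trusted) address cannot flood.
        self.counts[src_ip] += 1
        if self.counts[src_ip] > self.per_source_limit:
            return "DROP"
        return "ALLOW"
```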

Source IP verification: stop spoofed packets leaving the network

Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress filtering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks and help them realize their vulnerability.
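The ingress-filtering check described here (BCP 38 style source-address validation on each customer-facing interface), as an added Python example that is not part of the original article; the interface-to-prefix assignments and the packet sample are constructed, and the case of a source spoofed as another customer's address goes slightly beyond the text.

```python
import ipaddress
from collections import Counter

# Constructed: the prefixes the ISP has assigned to each customer-facing interface.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/25")],
    "cust-b": [ipaddress.ip_network("203.0.113.128/25")],
}

class IngressFilter:
    """Source-address validation at the customer edge (BCP 38 / strict uRPF style)."""
    def __init__(self, interface_prefixes):
        self.prefixes = interface_prefixes
        self.spoofed = Counter()  # spoofed packets seen per interface

    def check(self, iface: str, src_ip: str) -> str:
        """FORWARD if src_ip belongs to the prefixes behind iface, otherwise DROP."""
        ip = ipaddress.ip_address(src_ip)
        if any(ip in prefix for prefix in self.prefixes.get(iface, [])):
            return "FORWARD"
        # The address was not assigned to this port, so it cannot legitimately originate
        # here: this is exactly the spoofed-victim packet of step 1 above.
        self.spoofed[iface] += 1
        return "DROP"

    def noisy_interfaces(self, threshold: int):
        """Interfaces emitting spoofed packets, i.e. customers likely hosting bots."""
        return sorted(i for i, n in self.spoofed.items() if n >= threshold)

# Constructed sample: (interface, source IP, destination IP, destination port).
# 198.51.100.7 plays the victim; cust-a hosts a bot aiming UDP/53 queries at a resolver.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.10", "192.0.2.53", 53),   # legitimate query from cust-a
    ("cust-a", "198.51.100.7", "192.0.2.53", 53),   # spoofed to the victim's address
    ("cust-a", "198.51.100.7", "192.0.2.53", 53),
    ("cust-a", "203.0.113.200", "192.0.2.53", 53),  # spoofed as a cust-b address
    ("cust-b", "203.0.113.200", "192.0.2.53", 53),  # genuine cust-b traffic
]

def apply_filter(packets=SAMPLE_PACKETS):
    """Run the filter over a packet list; returns (per-action counts, noisy interfaces)."""
    flt = IngressFilter(INTERFACE_PREFIXES)
    actions = Counter(flt.check(iface, src) for iface, src, _dst, _port in packets)
    return dict(actions), flt.noisy_interfaces(threshold=2)
```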

How does Cloudflare mitigate DNS amplification attacks?

With a properly configured firewall and sufficient network capacity (which isn't always easy to come by unless you are the size of Cloudflare), it's trivial to block reflection attacks such as DNS amplification attacks. Although the attack will target a single IP address, our Anycast network will scatter all attack traffic to the point where it is no longer disruptive. Cloudflare is able to use our advantage of scale to distribute the weight of the attack across many Data Centers, balancing the load so that service is never interrupted and the attack never overwhelms the targeted server’s infrastructure. During a recent six month window our DDoS mitigation system "Gatebot" detected 6,329 simple reflection attacks (that's one every 40 minutes), and the network successfully mitigated all of them. Learn more about Cloudflare's advanced DDoS Protection.
