DNS amplification attack

DNS amplification is a DDoS attack that abuses DNS resolvers to overwhelm a victim with traffic.

Learning objectives

After reading this article you will be able to:

  • Define a DNS amplification attack
  • Explain how a DNS amplification attack works
  • Understand several mitigation strategies for DNS amplification attacks


What is a DNS amplification attack?

A DNS amplification attack is a reflection-based DDoS attack in which an attacker leverages the functionality of open DNS resolvers to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

How does a DNS amplification attack work?

All amplification attacks exploit a disparity in bandwidth consumption between an attacker and the targeted web resource. When the disparity in cost is magnified across many requests, the resulting volume of traffic can disrupt network infrastructure. By sending small queries that result in large responses, the malicious user is able to get more from less. By multiplying this magnification by having each bot in a botnet make similar requests, the attacker is both obfuscated from detection and reaping the benefits of greatly increased attack traffic.

A bot in a DNS amplification attack can be thought of as a malicious teenager calling a restaurant and saying, "I'll have one of everything on the menu; please call me back and repeat my whole order." When the restaurant asks for a callback number, the number given is the target victim's phone number. The target then receives a call from the restaurant with a flood of information it never requested.

As a result of each bot making requests to open DNS resolvers with a spoofed IP address, which has been changed to the real source IP address of the targeted victim, the target then receives a response from the DNS resolvers. In order to create a large amount of traffic, the attacker structures the request in a way that generates as large a response from the DNS resolvers as possible. As a result, the target receives an amplification of the attacker’s initial traffic, and their network becomes clogged with the spurious traffic, causing a denial-of-service.

[Diagram: DNS amplification DDoS attack]

A DNS amplification attack can be broken down into four steps:

  1. The attacker uses a compromised endpoint to send UDP packets with spoofed IP addresses to a DNS recursor. The spoofed address on the packets points to the real IP address of the victim.
  2. Each UDP packet makes a request to a DNS resolver, often passing an argument such as "ANY" in order to receive the largest response possible.
  3. After receiving the requests, the DNS resolver, which is trying to be helpful by responding, sends a large response to the spoofed IP address.
  4. The IP address of the target receives the response, and the surrounding network infrastructure becomes overwhelmed with the deluge of traffic, resulting in a denial of service.

While a few requests are not enough to take down network infrastructure, when this process is multiplied across many requests and many DNS resolvers, the amount of data the target receives is amplified enormously. Learn more about the technical details of reflection attacks.
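The four steps above are visible from the resolver operator's side as a burst of "ANY" queries, all apparently from one client, whose responses are many times larger than the queries. The following is an added example, not code from the original article; it assumes a constructed, simplified per-query log format (time, client address, name, type, query bytes, response bytes) and illustrative thresholds. Because the attacker spoofs the victim's address, the "client" that appears in the log is the victim, and that is what makes the pattern detectable.

```python
"""Spot DNS amplification traffic in a resolver's query log.

Added example; not code from the original article. Log format (constructed):
    <unix_time> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log using RFC 5737 documentation addresses. 198.51.100.7
# never sent these queries: it is the victim whose address was spoofed.
SAMPLE_LOG = """\
1700000000.001 203.0.113.10 www.example.com A 49 65
1700000000.020 198.51.100.7 example.com ANY 60 3100
1700000000.021 198.51.100.7 example.com ANY 60 3100
1700000000.022 198.51.100.7 example.com ANY 60 3100
1700000000.023 198.51.100.7 example.com ANY 60 3100
1700000000.024 198.51.100.7 example.com ANY 60 3100
1700000000.025 198.51.100.7 example.com ANY 60 3100
1700000000.026 198.51.100.7 example.com ANY 60 3100
1700000000.027 198.51.100.7 example.com ANY 60 3100
1700000000.100 203.0.113.22 mail.example.org MX 52 140
1700000000.150 203.0.113.10 example.org TXT 45 210
"""


@dataclass
class ClientStats:
    """Per-source-address totals over the log window."""
    queries: int = 0
    any_queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received: the attacker's gain factor."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


def parse_line(line: str):
    ts, client, qname, qtype, qbytes, rbytes = line.split()
    return float(ts), client, qname, qtype, int(qbytes), int(rbytes)


def aggregate(log_text: str) -> dict:
    """Sum query and response bytes per client address."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, _, qtype, qbytes, rbytes = parse_line(line)
        s = stats[client]
        s.queries += 1
        s.query_bytes += qbytes
        s.response_bytes += rbytes
        if qtype == "ANY":
            s.any_queries += 1
    return dict(stats)


def suspicious_clients(stats: dict, min_queries: int = 5,
                       min_amplification: float = 20.0,
                       any_fraction: float = 0.8) -> list:
    """Addresses that look like amplification victims: a burst of queries,
    dominated by ANY, answered with many times more bytes than they sent.
    Thresholds are illustrative assumptions, not tuned values."""
    flagged = []
    for client, s in stats.items():
        if s.queries < min_queries:
            continue
        if (s.amplification >= min_amplification
                and s.any_queries / s.queries >= any_fraction):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    for client in suspicious_clients(stats):
        s = stats[client]
        print(f"{client}: {s.queries} queries, {s.any_queries} ANY, "
              f"amplification x{s.amplification:.1f}")
```

On the sample log the spoofed victim address is flagged with an amplification factor of roughly 52x, while the two ordinary clients, each with a handful of small A, MX and TXT lookups, are left alone. In production the same aggregation is what response rate limiting keys on, and the flagged addresses are the ones whose responses should be throttled rather than blocked, since the victim may also be a legitimate client.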

How is a DNS amplification attack mitigated?

For an individual or company running a website or service, mitigation options are limited. This comes from the fact that the individual’s server, while it might be the target, is not where the main effect of a volumetric attack is felt. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. The Internet Service Provider (ISP) or other upstream infrastructure providers may not be able to handle the incoming traffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the targeted victim’s IP address, protecting itself and taking the target’s site off-line. Mitigation strategies, aside from offsite protective services like Cloudflare DDoS protection, are mostly preventative Internet infrastructure solutions.

Reduce the total number of open DNS resolvers

An essential component of DNS amplification attacks is access to open DNS resolvers. By having poorly configured DNS resolvers exposed to the Internet, all an attacker needs to do to utilize a DNS resolver is to discover it. Ideally, DNS resolvers should only provide their services to devices that originate within a trusted domain. In the case of reflection based attacks, the open DNS resolvers will respond to queries from anywhere on the Internet, allowing the potential for exploitation. Restricting a DNS resolver so that it will only respond to queries from trusted sources makes the server a poor vehicle for any type of amplification attack.

Source IP verification - stop spoofed packets leaving the network

Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress filtering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks and help them realize their vulnerability.
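The two mitigations above, a resolver that only serves trusted sources and an edge that refuses to forward packets with foreign source addresses, are both source-address policies. The following added example (not Cloudflare's code or any vendor's) models both decisions; the prefixes, zone and packets are constructed from documentation address ranges, and the function names are assumptions for illustration. The resolver policy is what BIND's allow-recursion or Unbound's access-control express in configuration; the egress rule is the BCP 38 ingress-filtering check applied at the network boundary.

```python
"""Source-address policies against DNS amplification (added example).

1. resolver_action(): a closed resolver that answers recursive queries only
   for trusted client networks, while still answering for zones it is
   authoritative for, since that data is public anyway.
2. egress_filter(): BCP 38-style filtering at the network edge. A packet
   leaving the network with a source address that is not one of the
   network's own prefixes cannot be legitimate and is dropped.
"""
import ipaddress

# Networks allowed to use this resolver recursively (constructed).
TRUSTED_CLIENTS = [ipaddress.ip_network(p)
                   for p in ("192.0.2.0/24", "2001:db8::/32")]
# Zones this server is authoritative for (constructed).
AUTHORITATIVE_ZONES = ("example.com",)
# Prefixes assigned to the site: the only valid source addresses on egress.
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "2001:db8::/32")]


def in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets if n.version == a.version)


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a name below it."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def resolver_action(client_ip: str, qname: str) -> str:
    """Return "ANSWER" or "REFUSED" the way a closed resolver would."""
    # Authoritative data is served to anyone; no recursion is involved.
    if any(in_zone(qname, z) for z in AUTHORITATIVE_ZONES):
        return "ANSWER"
    # Anything else requires recursion, which is reserved for trusted clients.
    if in_any(client_ip, TRUSTED_CLIENTS):
        return "ANSWER"
    return "REFUSED"


def egress_filter(src_ip: str) -> str:
    """BCP 38: forward only packets whose source address belongs to the site."""
    return "FORWARD" if in_any(src_ip, SITE_PREFIXES) else "DROP"


def apply_egress_filter(packets):
    """Apply egress_filter to (src_ip, dst_ip) pairs; returns a verdict per packet."""
    return [(src, dst, egress_filter(src)) for src, dst in packets]


if __name__ == "__main__":
    # Constructed packets: the second carries a spoofed, off-site source.
    sample = [("192.0.2.10", "203.0.113.53"), ("198.51.100.7", "203.0.113.53")]
    for src, dst, verdict in apply_egress_filter(sample):
        print(f"{src} -> {dst}: {verdict}")
    print(resolver_action("203.0.113.9", "www.example.net"))
```

The egress check is deliberately simple because the real difficulty is not the rule but deploying it: it must run on the provider's edge, not the victim's, which is why the text frames it as something ISPs have to do. The resolver check shows why an authoritative-only server is not an amplifier in the same way an open recursor is: it answers for a bounded set of names, so the operator controls the maximum response size it can be made to emit.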

How does Cloudflare mitigate DNS amplification attacks?

With a properly configured firewall and sufficient network capacity (which isn't always easy to come by unless you are the size of Cloudflare), it's trivial to block reflection attacks such as DNS amplification attacks. Although the attack will target a single IP address, our Anycast network will scatter all attack traffic to the point where it is no longer disruptive. Cloudflare is able to use our advantage of scale to distribute the weight of the attack across many Data Centers, balancing the load so that service is never interrupted and the attack never overwhelms the targeted server’s infrastructure. During a recent six month window our DDoS mitigation system "Gatebot" detected 6,329 simple reflection attacks (that's one every 40 minutes), and the network successfully mitigated all of them. Learn more about Cloudflare's advanced DDoS Protection.