DNS amplification attack

DNS 放大是 DDoS 攻击的一种,它利用 DNS 解析器产生大量流量,使受害者不堪重负。

学习目标

阅读本文后,您将能够:

  • 定义 DNS 放大攻击
  • 说明 DNS 放大攻击的工作原理
  • 了解 DNS 放大攻击的几种缓解策略

复制文章链接

什么是 DNS 放大攻击?

这种 DDoS 攻击是基于反射的大规模分布式拒绝服务 (DDoS) 攻击,其中,攻击者利用开放 DNS 解析器的功能产生大量流量,使目标服务器或网络不堪重负,导致服务器及其周围基础设施无法访问。

DNS 放大攻击的工作原理是什么?

All amplification attacks exploit a disparity in bandwidth consumption between an attacker and the targeted web resource. When the disparity in cost is magnified across many requests, the resulting volume of traffic can disrupt network infrastructure. By sending small queries that result in large responses, the malicious user is able to get more from less. By multiplying this magnification by having each bot in a botnet make similar requests, the attacker is both obfuscated from detection and reaping the benefits of greatly increased attack traffic.

在 DNS 放大攻击中,其中一个机器人好比是一个心怀恶意的青少年打电话给一家餐厅,说“我要每样东西点一份,请给我回电话,告诉我整个订单”。当餐厅询问回电号码时,提供的是目标受害者的电话号码。然后目标会接到来自餐厅的电话,提供其并未请求的大量信息。

As a result of each bot making requests to open DNS resolvers with a spoofed IP address, which has been changed to the real source IP address of the targeted victim, the target then receives a response from the DNS resolvers. In order to create a large amount of traffic, the attacker structures the request in a way that generates as large a response from the DNS resolvers as possible. As a result, the target receives an amplification of the attacker’s initial traffic, and their network becomes clogged with the spurious traffic, causing a denial-of-service.

DNS 放大 DDoS 攻击示意图

DNS 放大可分为四个步骤:

  1. 攻击者使用受损的端点将有欺骗性 IP 地址的 UDP 数据包发送到 DNS 递归服务器。数据包上的欺骗性地址指向受害者的真实 IP 地址。
  2. 每个 UDP 数据包都向 DNS 解析器发出请求,通常传递一个参数(例如“ANY”)以接收尽可能最大的响应。
  3. DNS 解析器收到请求后,会向欺骗性 IP 地址发送较大的响应。
  4. 目标的 IP 地址接收响应,其周边的网络基础设施被大量流量淹没,从而导致拒绝服务。

尽管少量请求不足以导致网络基础设施下线,但在这一过程通过多个请求和 DNS 解析器翻倍后,目标最终接收的数据量变得非常大。进一步了解有关反射攻击的技术细节

如何防护 DNS 放大攻击?

For an individual or company running a website or service, mitigation options are limited. This comes from the fact that the individual’s server, while it might be the target, is not where the main effect of a volumetric attack is felt. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. The Internet Service Provider (ISP) or other upstream infrastructure providers may not be able to handle the incoming traffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the targeted victim’s IP address, protecting itself and taking the target’s site off-line. Mitigation strategies, aside from offsite protective services like Cloudflare DDoS protection, are mostly preventative Internet infrastructure solutions.

减少开放 DNS 解析器的总数

An essential component of DNS amplification attacks is access to open DNS resolvers. By having poorly configured DNS resolvers exposed to the Internet, all an attacker needs to do to utilize a DNS resolver is to discover it. Ideally, DNS resolvers should only provide their services to devices that originate within a trusted domain. In the case of reflection based attacks, the open DNS resolvers will respond to queries from anywhere on the Internet, allowing the potential for exploitation. Restricting a DNS resolver so that it will only respond to queries from trusted sources makes the server a poor vehicle for any type of amplification attack.

源 IP 验证 —— 阻止欺骗性数据包离开网络

Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress filtering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks and help them realize their vulnerability.

Cloudflare 如何缓解 DNS 放大攻击?

With a properly configured firewall and sufficient network capacity (which isn't always easy to come by unless you are the size of Cloudflare), it's trivial to block reflection attacks such as DNS amplification attacks. Although the attack will target a single IP address, our Anycast network will scatter all attack traffic to the point where it is no longer disruptive. Cloudflare is able to use our advantage of scale to distribute the weight of the attack across many Data Centers, balancing the load so that service is never interrupted and the attack never overwhelms the targeted server’s infrastructure. During a recent six month window our DDoS mitigation system "Gatebot" detected 6,329 simple reflection attacks (that's one every 40 minutes), and the network successfully mitigated all of them. Learn more about Cloudflare's advanced DDoS Protection.