DNS amplification attack

DNS amplification is a DDoS attack that exploits DNS resolvers to generate a large volume of traffic that overwhelms the victim.

  • Define a DNS amplification attack
  • Explain how a DNS amplification attack works
  • Understand some mitigation strategies against DNS amplification attacks


What is a DNS amplification attack?

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

How does a DNS amplification attack work?

All amplification attacks exploit a disparity in bandwidth consumption between an attacker and the targeted web resource. When the disparity in cost is magnified across many requests, the resulting volume of traffic can disrupt network infrastructure. By sending small queries that result in large responses, the malicious user is able to get more from less. By multiplying this magnification by having each bot in a botnet make similar requests, the attacker is both obfuscated from detection and reaping the benefits of greatly increased attack traffic.

A single bot in a DNS amplification attack can be compared to a malicious teenager calling a restaurant and saying, "I'll have one of everything, please call me back and repeat my whole order." When the restaurant asks for a callback number, the number given is the targeted victim's phone number. The target then receives a call from the restaurant with a lot of information it never requested.

As a result of each bot making requests to open DNS resolvers with a spoofed IP address, which has been changed to the real source IP address of the targeted victim, the target then receives a response from the DNS resolvers. In order to create a large amount of traffic, the attacker structures the request in a way that generates as large a response from the DNS resolvers as possible. As a result, the target receives an amplification of the attacker’s initial traffic, and their network becomes clogged with the spurious traffic, causing a denial-of-service.

Diagram of a DNS amplification DDoS attack

A DNS amplification attack can be broken down into four steps:

  1. The attacker uses a compromised endpoint to send UDP packets with spoofed IP addresses to a DNS recursor. The spoofed address on the packets points to the real IP address of the victim.
  2. Each of the UDP packets makes a request to a DNS resolver, often passing an argument such as "ANY" in order to receive the largest response possible.
  3. After receiving the requests, the DNS resolver sends a large response to the spoofed IP address.
  4. The IP address of the target receives the response, and the surrounding network infrastructure becomes overwhelmed with the deluge of traffic, resulting in a denial-of-service.

While a few requests are not enough to take down network infrastructure, when this sequence is multiplied across many requests and DNS resolvers, the amplified volume of data the target receives can be substantial. Learn more about the technical details of reflection attacks.

How is a DNS amplification attack mitigated?

For an individual or company running a website or service, mitigation options are limited. This comes from the fact that the individual’s server, while it might be the target, is not where the main effect of a volumetric attack is felt. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. The Internet Service Provider (ISP) or other upstream infrastructure providers may not be able to handle the incoming traffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the targeted victim’s IP address, protecting itself and taking the target’s site off-line. Mitigation strategies, aside from offsite protective services like Cloudflare DDoS protection, are mostly preventative Internet infrastructure solutions.

Reduce the total number of open DNS resolvers

An essential component of DNS amplification attacks is access to open DNS resolvers. By having poorly configured DNS resolvers exposed to the Internet, all an attacker needs to do to utilize a DNS resolver is to discover it. Ideally, DNS resolvers should only provide their services to devices that originate within a trusted domain. In the case of reflection based attacks, the open DNS resolvers will respond to queries from anywhere on the Internet, allowing the potential for exploitation. Restricting a DNS resolver so that it will only respond to queries from trusted sources makes the server a poor vehicle for any type of amplification attack.

Source IP verification: stop spoofed packets leaving the network

Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress filtering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks and help them realize their vulnerability.
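The two preventative measures above, a resolver that only answers clients from trusted ranges and an ISP egress filter that drops packets whose source address does not belong to the network, can be expressed as small checks over a resolver query log. The example below is added here and is not Cloudflare's code; the log lines and the trusted address ranges are constructed for illustration, and the amplification ratio is computed per source address because, under spoofing, that address is the victim that would receive the responses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver query log (not real data), one query per line:
# client_ip query_name qtype query_bytes response_bytes
SAMPLE_LOG = """\
192.0.2.7 example.com ANY 64 3200
192.0.2.7 example.com ANY 64 3200
198.51.100.9 example.com ANY 64 3200
10.0.0.5 example.com A 64 80
10.0.0.6 mail.example.com MX 72 140
192.0.2.7 example.com ANY 64 3200
"""
# Assumed ranges this resolver serves; also treated as "our" prefixes for egress filtering.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

def parse_log(text):
    """Parse the log format above into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ip, name, qtype, qbytes, rbytes = line.split()
            records.append({"client": ipaddress.ip_address(ip), "name": name, "qtype": qtype,
                            "query_bytes": int(qbytes), "response_bytes": int(rbytes)})
    return records

def is_trusted(addr, nets=TRUSTED_NETS):
    """Resolver ACL check: only clients inside the trusted ranges should be answered."""
    return any(ipaddress.ip_address(addr) in net for net in nets)

def egress_allowed(src, internal_nets=TRUSTED_NETS):
    """BCP38-style egress filter: a packet leaving the network with a foreign source is spoofed."""
    return is_trusted(src, internal_nets)

def amplification_report(records, nets=TRUSTED_NETS, min_ratio=10.0):
    """Per source address: response bytes / query bytes, flagged when the source is untrusted
    and the ratio is large (the combination an open resolver would reflect at a victim)."""
    totals = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "response_bytes": 0})
    for r in records:
        t = totals[r["client"]]
        t["queries"] += 1
        t["query_bytes"] += r["query_bytes"]
        t["response_bytes"] += r["response_bytes"]
    report = {}
    for client, t in totals.items():
        ratio = t["response_bytes"] / t["query_bytes"]
        trusted = is_trusted(client, nets)
        report[str(client)] = {"queries": t["queries"], "ratio": ratio,
                               "trusted": trusted, "flag": (not trusted) and ratio >= min_ratio}
    return report
```

Running `amplification_report(parse_log(SAMPLE_LOG))` flags the two untrusted sources, whose "ANY" queries come back fifty times larger than they went in, while the trusted internal clients with ordinary A and MX lookups are not flagged.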

How does Cloudflare mitigate DNS amplification attacks?

With a properly configured firewall and sufficient network capacity (which isn't always easy to come by unless you are the size of Cloudflare), it's trivial to block reflection attacks such as DNS amplification attacks. Although the attack will target a single IP address, our Anycast network will scatter all attack traffic to the point where it is no longer disruptive. Cloudflare is able to use our advantage of scale to distribute the weight of the attack across many data centers, balancing the load so that service is never interrupted and the attack never overwhelms the targeted server's infrastructure. During a recent six-month window our DDoS mitigation system "Gatebot" detected 6,329 simple reflection attacks (that's one every 40 minutes), and the network successfully mitigated all of them. Learn more about Cloudflare's advanced DDoS Protection.