DNS Reflective Attacks
by Lior Rozen
A DNS reflective attack is used in many distributed denial-of-service (DDoS) attacks to knock down an internet pipe. The attack is a two-step attack; the attacker sends a large amount of requests to one or more legitimate DNS servers while using spoofed source IP of the target victim. The DNS server receiving the semi-legitimate requests replies to the spoofed IP, thereby unknowingly launching an attack on the target victim with responses to requests that the victim never sent.
The internet is full of DNS servers offered as open-resolvers which will serve any request sent to them, some reports name millions as the amount. This huge number makes it very hard to pre-identify the attack using IP reputation. Furthermore, the servers are actually legitimate servers that usually send legitimate traffic, making any IP reputation service confused about whether or not their nature is malicious.
Most DNS queries are sent using UDP, a protocol that does not enable source IP validation. This is why the intermediary DNS server assumes the requests are arriving from the victim and sends the replies back to him. The IP spoofing makes it extremely difficult for the victim server to detect the attacker, as it appears as if it is being attacked by a legitimate DNS server, and the attacker IP is completely hidden. IP spoofing also invalidates IP reputation services, which, if not written properly, may assign a bad reputation to a legitimate DNS server. It also removes any tractability for security expects trying to identify the attack source.
Read more: http://ow.ly/ILo1306TYL6