
I am reading a survey on DDoS attacks and they describe how these attacks can be classified as either Network/Transport level attacks or Application level attacks. In their examples, they classify DNS flooding as network/transport and DNS amplification as application level. I am not entirely understanding the difference and in my view, am questioning why DNS amplification is not a network/transport layer attack as well.

From my understanding, in DNS flooding, you have distributed bots flooding UDP queries essentially, overwhelming the bandwidth such that legitimate users cannot send their own requests. In DNS amplification, you are spoofing the victim's IP in a DNS request such that when the response comes in, it's multiple times the size going back to the victim. From what I understand this is not exactly targeting any application (such as HTTP floods) and rather both examples are compromising the network resources rather than a victim's system resources. How exactly is DNS amplification considered an application level attack?

Link to survey: http://d-scholarship.pitt.edu/19225/1/FinalVersion.pdf

Please provide a link to the survey and/or cite the full context instead of replicating what you've read in your own words. There are definitely different opinions which treat DNS amplification as network layer since while they use the application layer for the attack they target the network layer only. – Steffen Ullrich Apr 07 '18 at 09:19

1 Answer


Yes, you've understood it correctly (except for a few details, see below) and the authors of the survey you've linked to are wrong. Or at least, if they have even really had some bright idea behind that paragraph, they have failed to present it right.

E.g. there definitely exists an approach to classify DDoS attacks based on the vulnerable protocol layer. In that way, UDP flood is a transport layer attack and DNS amplification is application layer, though from the victim's point of view in both cases it's the network layer which gets congested. The real world applicability of such an approach is questionable at best, but the authors of the survey don't even refer to that, they are more practical (which makes me say they have made a mistake).

One possible reason for that is that the paragraph which discusses DNS amplification refers to some articles dating back to 2004. Since that time, quite a lot of DDoS-related events have happened, so it's probably best to find something more up-to-date to read.

My two cents though:

  • It's more proper to call that "layers", not "levels";

  • An attacker doesn't actually need bots to do UDP-based DNS flooding. A couple of servers connected to a network with a good bandwidth and no RPF will do the same trick by spoofing the IP source of the packets;

  • However, a botnet would be useful if the victim is able to do some DNS-based challenges or to simply quickly truncate the response, forcing the client to retry the DNS request via TCP (yes, DNS can operate via TCP).

ximaera
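The answer's last bullet mentions a defence that truncates responses so a real resolver retries over TCP, which is what DNS Response Rate Limiting does. The following is an added example, not code from the answer or the survey: it builds a constructed DNS query (example.com, type TXT), a per-source rate limiter with a hypothetical threshold, and a padded TXT answer, then shows the amplification factor of a full response versus a TC-bit response, which a spoofed source cannot turn into TCP traffic against the victim.

```python
import struct
from collections import defaultdict

QR_FLAG = 0x8000   # "this is a response" bit in the DNS header flags word
TC_FLAG = 0x0200   # truncation bit: tells the client to retry over TCP


def build_query(qname, qtype, txid=0x1234):
    """Constructed sample UDP query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_txt_answer(text_len):
    """Constructed TXT RR (one character-string); name is a pointer to offset 12."""
    rdata = bytes([text_len]) + b"x" * text_len
    return b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata


def question_section(query):
    """Return the raw question (name + type + class) following the 12-byte header."""
    i = 12
    while query[i] != 0:          # walk labels until the root label
        i += 1 + query[i]
    return query[12:i + 1 + 4]


class TruncatingResponder:
    """Hypothetical rate limiter: above `threshold` queries from one source IP,
    answer with an empty TC=1 response instead of the full (amplified) answer."""

    def __init__(self, threshold, full_answer):
        self.threshold = threshold
        self.full_answer = full_answer
        self.seen = defaultdict(int)

    def respond(self, src_ip, query):
        self.seen[src_ip] += 1
        txid = struct.unpack("!H", query[:2])[0]
        qsec = question_section(query)
        if self.seen[src_ip] > self.threshold:
            # Same size as the query: amplification factor drops to 1.0
            return struct.pack("!HHHHHH", txid, QR_FLAG | TC_FLAG, 1, 0, 0, 0) + qsec
        return struct.pack("!HHHHHH", txid, QR_FLAG, 1, 1, 0, 0) + qsec + self.full_answer


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)


def amplification_factor(query, response):
    return len(response) / len(query)
```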