I'm studying networking at the moment, and it just occurred to me that one can easily forge DNS requests with fake IP addresses (since they use UDP). Since DNS relies on UDP for communication, couldn't a malicious user send millions of forged requests to a DNS server (perhaps even root servers?) and easily bring it down? I can't think of a good way to prevent this either (other than switching to another protocol).
2 Answers
Yes, it is possible. It's not easy to block, either, since an attacker can forge the source IP to be one of almost four billion IPs. However, a lot of attacks such as this can be filtered by examining the DNS data inside the datagram. A lot of flood attacks either use invalid data or use the same data over and over again. This can be used to differentiate the valid traffic from invalid traffic if you have network equipment capable of deep packet inspection. The attack will still use quite a bit of your bandwidth, but you can at least keep it from overloading your nameserver.
Normally, though, the nameserver itself is not the target for these sorts of attacks. Instead of using a random source IP, the source IP is set to that of the real target: a DNS reflection attack. Very short questions resulting in long answers are sent to the nameserver, and the nameserver sends the answer to the target IP address, flooding it with traffic. This is easier to filter on the nameserver side, because the attack is so targeted that it appears to come from a single source.
DNS amplification was used in the last couple of years to attack a number of sites. Quick action on the part of system administrators to disable recursive queries from the Internet made this kind of attack more difficult. I now run a split DNS configuration in Bind. – BillThor Mar 02 '11 at 15:52
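Added example, not code from the answer above: a small Python checker for the filtering idea this answer describes. It parses the DNS header and question section of each UDP payload and flags sources whose datagrams are mostly malformed or repeat one question, which is what a spoofed reflection flood aimed at a single target looks like from the nameserver's side. The sample traffic, the documentation-range addresses and the thresholds are constructed for the example.

```python
import struct
from collections import Counter, defaultdict

def parse_query(payload):
    """Header + first question of a DNS query; None if malformed or a response."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount == 0 or flags & 0x8000:  # QR bit set means a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0 or pos + 1 + n > len(payload):  # compression pointer or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    pos += 1  # skip the terminating zero-length label
    if pos + 4 > len(payload):  # QTYPE and QCLASS must follow the name
        return None
    return txid, ".".join(labels).lower() or ".", struct.unpack("!H", payload[pos:pos + 2])[0]

def build_query(txid, name, qtype):
    """Build a standard query; used only to construct the sample traffic below."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def flag_sources(datagrams, min_queries=20, max_distinct_ratio=0.2):
    """Map src_ip -> reason for sources that send mostly junk or one repeated question."""
    questions, malformed = defaultdict(list), Counter()
    for src, payload in datagrams:
        parsed = parse_query(payload)
        if parsed is None:
            malformed[src] += 1
        else:
            questions[src].append(parsed[1:])  # (qname, qtype); the txid does not matter
    suspects = {}
    for src, qs in questions.items():
        if len(qs) >= min_queries and len(set(qs)) / len(qs) <= max_distinct_ratio:
            suspects[src] = "repeated question %s x%d" % Counter(qs).most_common(1)[0]
    for src, n in malformed.items():
        if n >= min_queries:
            suspects[src] = "%d malformed datagrams" % n
    return suspects

# Constructed sample: a spoofed ANY flood "from" one address (the reflection target),
# five ordinary lookups and 25 truncated datagrams; addresses are documentation ranges.
SAMPLE = ([("198.51.100.7", build_query(i, "example.com", 255)) for i in range(50)]
          + [("203.0.113.%d" % i, build_query(i, "host%d.example.org" % i, 1)) for i in range(5)]
          + [("192.0.2.9", b"\x00" * 5)] * 25)
print(flag_sources(SAMPLE))
```

In the sample, the address that appears as the source of the repeated ANY queries is the reflection target, so the flagged source is the host being attacked, not the attacker.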
Like any other DoS attack, there is no prevention or protection method; the only tool you have is to add null routes for the source IP addresses. Even if your router is blocking the traffic, you are still wasting the incoming bandwidth and hence denying other users access to the service.
Ultimately you need to contact the Internet organisations closer to the source to similarly cut the source off the Internet.
So to answer the question, all you can really do is provision the service sufficiently that one host cannot DoS you, but ask yourself what happens when a botnet starts a DoS? The scale of hosts makes it impossible to have a protection scheme that doesn't also affect regular users.