A leveraged attack against DNS Cache servers

Source: Internet
Author: User

Today I found a domestic machine with abnormal traffic, and it turned out that the DNS cache service running on it was being used as an amplification lever for attacks. Let's take a look at it. When the traffic anomaly was detected, I first checked the TCP sessions on the server and found something abnormal. After that service was disabled the traffic decreased, but it still did not return to the normal level. So I captured packets, and found a flood of these:

    07:39:53.271744 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.271772 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.271784 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.271792 IP 158.XX.XX.238.53019 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.274225 IP 92.XX.XX.148.20.50 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
    07:39:53.274252 IP 92.XX.XX.148.20.50 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
    07:39:53.274262 IP 92.XX.XX.148.20.50 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
    07:39:53.274270 IP 92.XX.XX.148.20.50 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
    07:39:53.291822 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.291850 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.291860 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.291869 IP 158.XX.XX.238.13616 > XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.291877 IP 92.XX.XX.148.56278 > XX.XX.53: 23600+ [1au] ANY? isc.org. (36)

Obviously, it is abnormal for the same IP address to repeatedly query the same domain name within a short time. Why isc.org? It is unclear for the moment, but such behavior is obviously using this machine as a lever to amplify the attack.
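A capture like the one above can be triaged mechanically. The following Python script is an added example, not code from the original post: it parses tcpdump's one-line DNS query summaries, groups them by source address and question name, and flags sources that repeat the same question within a short window or reuse one DNS transaction id across different source ports (a real resolver picks a fresh random id for every query; a spoofing tool replaying one template does not). The sample lines are constructed to mirror the pattern in the post, using RFC 5737 documentation addresses rather than the masked addresses above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcpdump's default one-line summary of a DNS query, for example:
#   07:39:53.271744 IP 198.51.100.238.53019 > 203.0.113.10.53: 56854+ [1au] ANY? isc.org. (36)
# fields: time, src.port > dst.port, transaction id, flags ('+' = recursion desired),
# optional "[1au]" (an EDNS0 OPT record is present), qtype, qname, UDP payload size.
TCPDUMP_DNS_QUERY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+%]*) (?:\[1au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$"
)

# Constructed sample capture mirroring the pattern seen in the post (documentation-range IPs).
SAMPLE_CAPTURE = [
    "07:39:53.271744 IP 198.51.100.238.53019 > 203.0.113.10.53: 56854+ [1au] ANY? isc.org. (36)",
    "07:39:53.271772 IP 198.51.100.238.53019 > 203.0.113.10.53: 56854+ [1au] ANY? isc.org. (36)",
    "07:39:53.271784 IP 198.51.100.238.53019 > 203.0.113.10.53: 56854+ [1au] ANY? isc.org. (36)",
    "07:39:53.271792 IP 198.51.100.238.53019 > 203.0.113.10.53: 56854+ [1au] ANY? isc.org. (36)",
    "07:39:53.274225 IP 192.0.2.148.2050 > 203.0.113.10.53: 23600+ [1au] ANY? isc.org. (36)",
    "07:39:53.274252 IP 192.0.2.148.2050 > 203.0.113.10.53: 23600+ [1au] ANY? isc.org. (36)",
    "07:39:53.274262 IP 192.0.2.148.2050 > 203.0.113.10.53: 23600+ [1au] ANY? isc.org. (36)",
    "07:39:53.274270 IP 192.0.2.148.2050 > 203.0.113.10.53: 23600+ [1au] ANY? isc.org. (36)",
    "07:39:53.291822 IP 198.51.100.238.13616 > 203.0.113.10.53: 56854+ [1au] ANY? isc.org. (36)",
    "07:39:53.291850 IP 198.51.100.238.13616 > 203.0.113.10.53: 56854+ [1au] ANY? isc.org. (36)",
    "07:39:53.291860 IP 198.51.100.238.13616 > 203.0.113.10.53: 56854+ [1au] ANY? isc.org. (36)",
    "07:39:53.291869 IP 198.51.100.238.13616 > 203.0.113.10.53: 56854+ [1au] ANY? isc.org. (36)",
    "07:39:53.291877 IP 192.0.2.148.56278 > 203.0.113.10.53: 23600+ [1au] ANY? isc.org. (36)",
    # An ordinary single lookup and an unrelated TCP packet: neither should be flagged.
    "07:39:53.300000 IP 203.0.113.77.41000 > 203.0.113.10.53: 12345+ A? example.com. (29)",
    "07:39:53.300500 IP 203.0.113.10.22 > 203.0.113.77.50000: Flags [P.], seq 1:37, ack 1, win 501, length 36",
]


def parse_query(line):
    """Parse one tcpdump line into a dict, or return None if it is not a DNS query summary."""
    m = TCPDUMP_DNS_QUERY.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "txid": int(d["txid"]), "rd": "+" in d["flags"],
        "qtype": d["qtype"], "qname": d["qname"].lower(), "size": int(d["size"]),
    }


def max_burst(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_reflection_sources(lines, window=timedelta(seconds=1), threshold=4, noisy_qtypes=("ANY",)):
    """Group queries by (source IP, qname) and flag groups that look like spoofed reflection
    traffic: the same question repeated >= threshold times inside `window`, or one transaction
    id reused across different source ports. Returns {(src, qname): summary dict}."""
    groups = defaultdict(list)
    for line in lines:
        q = parse_query(line)
        if q is not None:
            groups[(q["src"], q["qname"])].append(q)

    alerts = {}
    for key, qs in groups.items():
        burst = max_burst([q["ts"] for q in qs], window)
        ports_by_txid = defaultdict(set)
        for q in qs:
            ports_by_txid[q["txid"]].add(q["sport"])
        reused_ids = sorted(t for t, ports in ports_by_txid.items() if len(ports) > 1)
        if burst < threshold and not reused_ids:
            continue  # nothing volumetric or spoof-like about this client
        reasons = []
        if burst >= threshold:
            reasons.append(f"{burst} identical queries within {window.total_seconds():g}s")
        if reused_ids:
            reasons.append(f"transaction id reused across source ports: {reused_ids}")
        qtypes = sorted({q["qtype"] for q in qs})
        if set(qtypes) & set(noisy_qtypes):
            reasons.append("query type with oversized answers: " + ",".join(qtypes))
        alerts[key] = {"count": len(qs), "burst": burst, "qtypes": qtypes, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for (src, qname), info in find_reflection_sources(SAMPLE_CAPTURE).items():
        print(f"{src} -> {qname}: {info['count']} queries; " + "; ".join(info["reasons"]))
```

Run against a live capture with something like `tcpdump -nn -l -i eth0 udp dst port 53 | python3 triage.py` after swapping the constructed list for lines read from stdin; the burst threshold and window should be tuned to the resolver's normal client behaviour before alerting on it.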
The attacker sends DNS query packets whose source IP address is forged to be that of the final victim to the victim DNS cache servers; each query is far smaller than the response it provokes. Because these cache servers already hold the requested domain's records locally (the domain names exist), they respond to the final victim immediately. In this way an attacker with a small amount of bandwidth can saturate the final victim's downstream bandwidth and carry out a DDoS attack, and because the responses arrive from many legitimate-looking resolvers, the defender cannot easily block them. However, in a traditional network design the DNS cache server sits in the DMZ and internal hosts send their queries only to it, so any external DNS response addressed to another internal host is unsolicited; filtering all external DNS response packets at the border router (while exempting the cache server's own resolution traffic) mitigates the impact of such attacks. An administrator who runs a DNS cache server should in turn restrict access to it: listen for DNS queries only on the intranet interface, and use the Internet-facing interface only to send the server's own queries and receive the responses to them, so that the server cannot be exploited by the bad guys as a DDoS lever.
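As an added example, not from the original post, here is how the two restrictions described above look in a BIND 9 named.conf, assuming the cache server is BIND: first the open configuration that makes a cache server usable as a reflector, then the restricted one. The interface addresses and ACL ranges are assumptions for illustration; substitute your own.

```conf
// BEFORE (open resolver): answers recursive queries from anyone, on every interface.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// AFTER: queries accepted only from the intranet, on the intranet interface;
// the Internet-facing address is used only for the server's own outbound lookups.
acl "intranet" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };   // assumed internal ranges

options {
    directory "/var/named";
    listen-on port 53 { 10.0.0.53; 127.0.0.1; };   // assumed intranet interface address
    listen-on-v6      { none; };
    query-source address 203.0.113.53;              // assumed Internet-facing address; BIND opens its
                                                    // own socket here for outbound queries and their replies
    recursion yes;
    allow-query       { intranet; };
    allow-query-cache { intranet; };
    allow-recursion   { intranet; };
    rate-limit { responses-per-second 10; window 5; };   // BIND 9.10+: response rate limiting damps
                                                         // whatever reflection still reaches the server
    minimal-responses yes;                               // smaller answers, smaller amplification factor
};
```

After reloading, confirm from an external address that queries to the Internet-facing IP are refused or dropped, and from an internal host that recursion still works; the `rate-limit` block is a backstop for hosts that must remain reachable, not a substitute for the listen and ACL restrictions.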
