Analysis of DNS amplification attack principles

Like smurf

Currently, many DNS servers support EDNS. EDNS is an extended DNS mechanism, which is introduced in RFC 2671. Some options allow the DNS to reply to more than 512 bytes and still use UDP, if the requestor points that it can handle such a large DNS query. Attackers have used this method to produce a large amount of communication. By sending a query of 60 bytes to obtain a record of about 4000 bytes, attackers can increase the communication volume by 66 times. Some of these attacks have produced a lot of traffic per second, and even more than 10 GB of traffic per second.

To implement such an attack, the attacker first needs to find several third-party DNS servers (most DNS servers have such settings) that represent someone on the Internet performing cyclic queries ). Because circular query is supported, attackers can send a query to a DNS server, which then sends the query (in a circular manner) to a DNS server selected by the attacker. Next, attackers send a DNS record query to these servers, which is controlled by attackers on their own DNS servers. Because these servers are set to loop queries, these third-party servers send these requests back to attackers. The attacker stored a 4000-byte text on the DNS server for this DNS amplification attack.

Because the attacker has added a large number of records to the cache of a third-party DNS server, the attacker then sends DNS query information to these servers (with the EDNS option to enable a large number of replies ), in addition, the DNS server uses spoofing methods to make the DNS server think that the query information is sent from the IP address that the attacker wants to attack. These third-party DNS servers use the 4000-byte text record to reply, and flood victims with a large number of UDP packets. Attackers send millions of small and fraudulent queries to third-party DNS servers, which will use a large number of DNS response packets to overwhelm the victim.