Almost every IT specialist knows that an open recursive DNS server can be very dangerous, but I had never seen an example of what actually happens and how fast such a server gets misused. These questions interested me, so I made a small study and opened my DNS server to everybody on the Internet. The results were amazing. In this article you can read about my study.
Short overview of the DNS protocol and DNS based attacks.
DNS transforms human-readable domain names (e.g. ipvm.biz) into machine-usable IP addresses (e.g. 220.127.116.11), which are what hosts use to communicate on the Internet. Other protocols such as TCP and UDP run on top of IP; TCP/IP is a stateful protocol and UDP/IP is a stateless one.
Attackers exploit the following properties of DNS in DNS-based attacks:
- Standard DNS resolution uses UDP/IP. The client does not establish a reliable (stateful) connection with the remote DNS server; it simply waits some time for a response. An attacker can therefore spoof the source IP address in the IP packet;
- The response packet from a DNS server is usually much bigger than the request. With EDNS0, DNS packets of up to 4 KB are supported.
At the moment about 6 million open resolvers are available and accessible every day all around the world. The table and the picture below were taken from the https://dnsscan.shadowserver.org/ site, which checks networks for open resolvers daily.
| Country            | Open resolvers |
|--------------------|----------------|
| Korea, Republic of | 530,331        |
So you can see that DNS can easily be used for attacks. The following DNS attacks and kinds of DNS misuse have been identified:
- Cache Poisoning, Man-in-the-Middle;
- DNS Amplification;
- DNS Reflection;
- Distributed reflection DoS (DrDoS);
- DNS-based exploits;
- Protocol anomalies;
- DNS tunneling;
- DNS hijacking;
- Phantom domain.
Description of my testing environment
My DNS server is located in Germany, has a stable 1 Gb/s Ethernet connection and for the last 4 years has served as an authoritative DNS server. One month before the study I migrated the server to a new platform, so its IP addresses changed. In authoritative mode it received no more than 2 queries per second (QPS) and on average less than 0.5.
I used an Infoblox Trinzic v820 as the DNS server, an Infoblox Trinzic Reporting v800-1G for standard reports and my own reporting system for the deep data analysis. Domains that were used for attacks were blocked on a DNS Firewall. The maximum QPS rate was limited after 5 months.
I defined several questions to be answered during the study:
- How fast will my DNS server receive its first recursive query?
- How fast will it receive inappropriate requests?
- What are the average and maximum QPS under attack?
- Who are the victims?
- Which networks are infected?
- Which domains and requests are used for attacks?
- What types of attacks can be identified?
- How long will my server keep being used after I turn off the open resolver?
In just the first week my server received 416k requests for 63 domains from 1169 IPs. During the 5 months (3 of which it was open) it received about 46 million requests. Below you can see the graph for the first week.
How fast will my DNS server receive first recursive query
My DNS server received its first recursive request, from China, after 1 hour 20 minutes (domain: www.google.it). I checked the log files and found that my server had periodically received such recursive requests before. So attackers periodically scan the network looking for new vulnerable devices.
How fast will it receive inappropriate requests
The first DNS amplification attack was observed after 1 day (domain: webpanel.sk, 300 requests).
Measure medium and maximum QPS under attack
The maximum QPS is limited only by server capacity. The maximum QPS observed was 3080. All of these requests were amplification requests, so at that moment my server was sending about 96 Mb/s (3080 × 4 KB ≈ 96 Mb/s). The graph below, produced in my analytical system, shows the maximum QPS.
Find victims and infected networks
I am sure that 99% of the requests were spoofed and used for DrDoS attacks. Some domains (doleta.gov, energystar.gov, ebay.de) were used for attacks and may themselves have been under attack at the same time. Below you can see information about the attacked countries and cities. Country and city information can easily be extracted from the MaxMind IP geolocation database.
In the table below you can find information about the attacked companies. This information was extracted from the whois service and the RIPE database. The most interesting rows in the table are “Time Warner Cable Internet LLC”, “Akamai Technologies, Inc.” and “AT&T Internet Services”: the number of requests is relatively small but the number of IP addresses is very high. This may mean that the networks of these organizations were infected with malware or are part of a botnet. The most interesting thing would be to find the control center of such a botnet, but it is hard to detect. To do so one would have to analyze all requests and look for IPs that requested only a small number of domains; the thresholds are unknown.
| Country            | Company                                                | Requests | IPs  |
|--------------------|--------------------------------------------------------|----------|------|
| United States      | SoftLayer Technologies Inc.                            | 3965202  | 36   |
| United States      | SingleHop, Inc.                                        | 2617987  | 27   |
| United States      | PSINet, Inc.                                           | 1994461  | 22   |
| United Kingdom     | Hosting Services Inc                                   | 938367   | 4    |
| Germany            | 1&1 Internet AG                                        | 761020   | 12   |
| United States      | PrivateSystems Networks                                | 748641   | 4    |
| Russian Federation | OJSC Rostelecom Ticket 09-39331, RISS 15440, UrF       | 687028   | 1    |
| United States      | Time Warner Cable Internet LLC                         | 671211   | 1568 |
| Canada             | OVH Hosting, Inc.                                      | 592920   | 213  |
| United States      | Akamai Technologies, Inc.                              | 176327   | 4410 |
| United States      | AT&T Internet Services                                 | 27502    | 854  |
Find out domains and requests which are used for attacks
Attackers used about 15 different domains for their attacks, so it is relatively simple to identify and block such domains. Information about the domains and requests is available in the table below.
Try to identify types of the attacks
During the study I identified DrDoS, protocol anomalies and possibly cache poisoning. The graph below clearly shows an amplification attack: the blue line is incoming traffic and the yellow line is outgoing traffic. The DrDoS attacks used “ANY” requests with EDNS0. Below you can see information about the request types and the flags used.
The DNS server statistics contained information about several requests with a wrong port and query ID, so it looks like somebody tried to poison the cache. These requests may relate to cache poisoning or NXDOMAIN attacks.
How long my server will be used when I turn off my open resolver
After I turned off the open resolver, it kept receiving inappropriate requests for another 1.5 months.
- Any DNS server is a great tool for analyzing user and malware behaviour;
- Analysis of DNS logs can improve the quality of the DNS service;
- A large number of «ANY +E» requests shows that your server is under attack or is participating in one;
- A small number of domains is used for attacks. You can block them with blacklists or a DNS Firewall and decrease the load on the DNS servers and the network utilization;
- Long DNS names are used for attacks. Check the client where possible.
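As an added illustration of the last three points (this is example code written for this page, not the author's reporting system), the script below scans query-log lines in an assumed BIND-style layout for the «ANY +E» pattern, counts those queries per domain and per second, lists domains to feed into a blacklist or DNS Firewall, and estimates the outbound bandwidth of the peak second using the 4 KB EDNS0 response size. The log lines and the 64-byte request size are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample lines in a BIND-style query-log layout (an assumption; the
# Infoblox appliance used in the study may format its query log differently).
SAMPLE_LOG = """\
2014-03-01 10:00:00.001 client 198.51.100.7#53 (doleta.gov): query: doleta.gov IN ANY +E
2014-03-01 10:00:00.002 client 198.51.100.7#53 (doleta.gov): query: doleta.gov IN ANY +E
2014-03-01 10:00:00.003 client 198.51.100.9#53 (energystar.gov): query: energystar.gov IN ANY +E
2014-03-01 10:00:00.250 client 192.0.2.10#4123 (www.google.it): query: www.google.it IN A +
2014-03-01 10:00:01.010 client 198.51.100.7#53 (doleta.gov): query: doleta.gov IN ANY +E
2014-03-01 10:00:01.500 client 192.0.2.11#5523 (ipvm.biz): query: ipvm.biz IN MX +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[^#]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse(log):
    """Yield one dict (timestamp, client IP, qname, qtype, flags) per well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def amplification_summary(log, block_threshold=2, resp_bytes=4096, req_bytes=64):
    """Count ANY+EDNS queries per domain and per second, propose blocklist
    candidates, and estimate the outbound bandwidth the peak second produced."""
    by_domain, by_second = Counter(), Counter()
    for q in parse(log):
        # "+E" in the flags field marks an EDNS query; ANY is the amplification qtype
        if q["qtype"] == "ANY" and "E" in q["flags"]:
            by_domain[q["qname"].rstrip(".").lower()] += 1
            by_second[q["ts"].split(".")[0]] += 1   # bucket by whole second
    peak_qps = max(by_second.values(), default=0)
    return {
        "any_edns_by_domain": dict(by_domain),
        "blocklist_candidates": sorted(d for d, n in by_domain.items() if n >= block_threshold),
        "peak_any_edns_qps": peak_qps,
        # each ANY+E answer is assumed to fill the 4 KB EDNS0 buffer
        "est_outbound_mbps": round(peak_qps * resp_bytes * 8 / 1e6, 3),
        "amplification_factor": round(resp_bytes / req_bytes, 1),
    }

if __name__ == "__main__":
    for key, value in amplification_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Fed the real query log and the real QPS figures, the same per-second bucketing reproduces the outbound-bandwidth estimate used above for the 3080 QPS peak.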
And in the end I want to share my short video about DNS attacks. Have fun!
(c) Vadim Pavlov