DDOS vulnerability leading to DNS Amplification attack in open DNS resolver
Original Issue Date:- October 12, 2023
Severity:- High
- Misconfigured Domain Name System (DNS) servers
Abstract:
An open DNS resolver is a DNS server that accepts recursive queries from all IPs and publicly exposed to the Internet. Thus, the simple lack of authentication allows malicious 3rd parties to propagate their payloads using your unsecured equipment. DNS Open-resolvers can be abused for DDoS reflection attacks, known as a DNS Amplification Attacks against third parties.
Technical Description:
DNS Open-resolvers are DNS servers responding to recursive queries for arbitrary domain names from anywhere on the Internet. Thus, a Domain Name Server (DNS) Amplification attack is a form of Distributed Denial of Service (DDoS), in which attackers use publically accessible open DNS servers to flood a target system with DNS response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address. When the DNS server sends the DNS record response, it is instead sent to the target. Attackers can submit a request for as much zone information as possible to maximize the amplification effect.
Vulnerability Assessment:
To verify the vulnerability, it is advised to execute the command mentioned below from external network:
Command:
- nmap -sU -p 53 -sV -P0 –script dns-recursion <IP address>
Countermeasures and Best practices for prevention:
- Disable Recursion on the DNS Server: If a DNS server in your network is not intended to receive recursive queries, recursion should be disabled on that server.
- Restrict DNS resolvers to only accept queries from specific IP addresses to prevent these attacks.
- Use Best Current Practice (BCP) #38 network ingress filtering on your network perimeter.
Solution:
Apply the best security practices available at:
References: