DNS stands for the Domain Name System. This system translates memorized domain names to the numerical IP addresses required for locating the website with the underlying network protocols. The DNS service is highly redundant and has a multi-layered architecture. There are two types of DNS servers: authoritative and recursive. Authoritative DNS maps the domain name with the IP address while the recursive DNS cache the IP address from the authoritative DNS server. When we visit a particular website, our laptop/desktop talk to the recursive DNS for the resolution of the domain name. The recursive server will check to see if it has a cached DNS record from the authoritative nameserver, and still has a valid time-to-live (TTL). If the recursive server does not have the DNS record cached, it begins the recursive process of going through the authoritative DNS hierarchy for getting the IP address. If the authoritative DNS goes down, the recursive DNS cannot resolve the domain name and our desktops will not be able to connect to the website as they will not know which IP to connect to. The unavailability of DNS server will hamper the connectivity to the internet.
Methodology of Attack: The latest attack on the Dyn: a major DNS service provider is one of the example where unavailability of DNS service impacted the connection of primarily North America to the internet. Although it is difficult to DDoS DNS servers because of its redundant nature but it is possible if authoritative DNS servers is targeted. The easiest way is through “DNS Reflection based DDoS attack”. In the scenario of attack the attacker pretends to be recursive DNS servers and floods the authoritative DNS with fake requests in order to bring it down. In the case of Dyn, the attack targeted DNS servers in US east. Owing to the redundant nature of the DNS service where multiple authoritative DNS server store the IP address of the domain name across the world, left rest of the world unaffected. Although, an attacker can simultaneously attack all redundant servers but then nothing stops DNS providers to also spin off more redundant DNS server either (albeit at a cost). DDoS is launched by botnet that are multiple compromised device called bots. These bots run malware that perpetrate the attack. Recently, insecure IoT devices are being used to launch powerful DDoS attacks. Last month in September there was a DDoS of 1 Tbps on OVH that used compromised security cameras and DVR to launch the attack. There are many types of DDoS attacks such as volumetric attack, protocol based attacks and application based attacks. Reflection and amplification DDoS attacks comes in the category of the volumetric attacks. Now a days, attacker use multiple vectors to launch a power DDoS attack.
Tracing back to the attacker: One of the major challenge with DDoS is tracking the attacker as they never send attack traffic directly to the targeted servers. They make requests to genuine/fake DNS resolvers which in turn makes request to the targeted authoritative DNS servers. When the operator looks for the source of the attack, he gets the IP address of the DNS resolvers and not the attacker.
The Defense: There are few defense approaches used to combat DDoS attacks but neither of them is perfect. Actions of defence should happen at 2 to 3 levels. ISPs have a big role to play, apart from victims. One approach of defense is to have a slightly modified DNS firewall, the other is keeping track of good open DNS resolvers. Both if work in conjuncture can minimize collateral damage. Other technique require IT networking expertise such as re-routing the traffic between redundant authoritative DNS resolves, modifying the TTL values, etc. All these approaches require manual efforts depending on the preparedness of the victim and the complexity of the attack.
The recent attack highlights it is the need of the hour that manufacturers and consumers both care for the IoT security.
Anshul Saxena (CEO HaltDos https://www.haltdos.com/)
Madhvi Gupta (Consultant)