Many network service outages are caused by cyber-attacks, but an exception can have many causes, and the key to solving the problem is knowing how to analyze and locate the cause. A DNS amplification attack is a type of DoS attack. The attacker uses a large number of controlled hosts in a botnet to impersonate the victim host and, at a chosen moment, continuously sends a large number of DNS requests to multiple DNS servers that allow recursive queries, forcing those servers to respond. The responses, amplified by the DNS servers, are delivered to the victim host as attack traffic, degrading its service or taking it offline entirely.

Problem Description

XX.XX.29.4 is a DNS server belonging to a large industry client, and this server must provide DNS service externally. Recently the client's network became congested, and after deploying the Colasoft nChronos system the operation and maintenance department found that a large number of alarms were being triggered under Domain Alarm.

[Figure 1]

Analysis Procedure

The IP address “198.24.157.245” sent a large number of DNS requests to the XX.XX.29.4 server in a short period of time; the requested domain name was dnsamplicationattacks.cc.

[Figure 2]

The request packet sent by “198.24.157.245” is 101 bytes, while the response packet returned by the DNS server is 445 bytes, an amplification of about 4.4 times.

[Figure 3]

The attacker uses a large number of controlled hosts to send DNS requests to multiple DNS servers, but the source IP address in each request is forged as the address of the host under attack (here, “198.24.157.245”), so the DNS server returns the query result to “198.24.157.245”. The response packet is usually several times, or even tens of times, larger than the request packet (4.4 times in this example), producing a traffic amplification attack against “198.24.157.245”. In this case the client's DNS server is being used as an unwitting intermediary (a reflector) in the amplification attack. The attack process is shown in the following figure.

[Figure 4: DNS amplification attack process]
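The detection logic walked through above, as an added example that is not part of the original case or of Colasoft's products: per-client request counts and response/request byte ratios over a time window, run on constructed records that reuse the page's 101-byte request and 445-byte response. The record format and the thresholds are assumptions; the flagged address is the reflection target whose address was forged, not the attacker.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DnsExchange:
    """One request/response pair as a traffic analyzer would report it (assumed format)."""
    t: float          # seconds since the start of the capture window
    client: str       # source IP of the request; in a reflection attack this is the victim
    qname: str
    req_bytes: int
    resp_bytes: int


# Constructed sample: 300 requests in 3 seconds from the page's spoofed address, reusing
# its 101-byte request / 445-byte response, mixed with a little ordinary resolver traffic.
SAMPLE = (
    [DnsExchange(0.01 * i, "198.24.157.245", "dnsamplicationattacks.cc", 101, 445)
     for i in range(300)]
    + [DnsExchange(0.5 * i, "10.0.0.%d" % (10 + i % 5), "www.example.com", 60, 120)
       for i in range(20)]
)


def summarize(exchanges, window_s=10.0):
    """Aggregate requests, bytes and queried names per client within the first window_s seconds."""
    stats = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "resp_bytes": 0, "qnames": set()})
    for e in exchanges:
        if e.t > window_s:
            continue
        s = stats[e.client]
        s["requests"] += 1
        s["req_bytes"] += e.req_bytes
        s["resp_bytes"] += e.resp_bytes
        s["qnames"].add(e.qname)
    return stats


def flag_amplification(exchanges, window_s=10.0, min_requests=100, min_ratio=3.0):
    """Return (client, requests, amplification_ratio, qnames) for clients whose request count
    and response/request byte ratio both exceed the assumed thresholds. The flagged
    address is the reflection target, not the attacker: it was forged in the requests."""
    flagged = []
    for client, s in summarize(exchanges, window_s).items():
        ratio = s["resp_bytes"] / s["req_bytes"]
        if s["requests"] >= min_requests and ratio >= min_ratio:
            flagged.append((client, s["requests"], round(ratio, 1), sorted(s["qnames"])))
    return flagged


if __name__ == "__main__":
    for client, n, ratio, names in flag_amplification(SAMPLE):
        print(f"{client}: {n} requests, x{ratio} amplification, names={names}")
```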

Analysis Conclusion

The attacker uses a large number of controlled hosts to send a flood of DNS requests to the DNS server (XX.XX.29.4) in a short period of time. Each DNS response packet is 4.4 times larger than the request packet, so a large volume of traffic is sent to the forged source IP address (198.24.157.245), forming a DoS attack on that address.

We suggest our client:

  • Increase link bandwidth;
  • Disable recursive queries on the DNS server;
  • Once a large-scale DNS amplification attack occurs, immediately contact the ISP to filter the attack traffic on the upstream router (in the ISP network).

nChronos Value

Attackers often exploit the characteristics of DNS servers to use them as attack amplifiers. They rely on botnets to launch the attacks, generate huge volumes of attack traffic, and remain stealthy behind forged source addresses. In this case, however, network traffic analysis exposed the attack behavior easily and made it visible, and packet decoding let us identify the attacker's method clearly. Network traffic analysis, with in-depth analysis of layers 2 through 7, accurate decoding, and detailed statistics, protects the customer's information system and network security.
