Anatomy of a DNS DDoS Amplification Attack
Early in 2006, a series of Distributed Denial of Service (DDoS) attacks victimized DNS root and Top Level Domain (TLD) name server operators. These attacks merit careful analysis because they combine several attack tools and methods to increase their effectiveness. The attacks also call attention to an operational problem that was solved long ago, yet most IT administrators and service providers have not implemented the most effective and appropriate response.
In my article, Anatomy of a DNS DDoS Amplification Attack, I describe the tools attackers use in DNS DDoS amplification attacks, the attack itself, and countermeasures that are generally considered best practices.
Variants of the attack I describe here continue to harass enterprises and service providers. Shortly after my article was published by Watchguard Technologies, I received the following comment from a subscriber:
I was targeted by this particular attack, captured screen shots and the works, and my ISP was worthless in their response - because they didn't see an unusual amount of traffic on THEIR side, but I was completely shutdown at my firewall. Thanks for confirming my assumptions about the attack - very validating!
While it's nice to help folks validate assumptions about attacks, it would be so much more rewarding if service providers would voluntarily adopt countermeasures such as source IP address validation so we can reduce the frequency and amplitude of not only DNS but many forms of DDoS attacks.
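To make the countermeasure concrete, here is an added illustration (not code from the article or from Watchguard) of what source IP address validation does at a provider's customer edge and why it blunts reflection attacks. The prefixes, interface names, and packet sizes are constructed sample values; a spoofed query carrying the victim's address is dropped on ingress before an open resolver ever sees it, so the amplified answer is never reflected toward the victim.

```python
import ipaddress

# Constructed topology: the prefixes this provider assigned to each customer-facing interface.
# A packet entering on an interface must carry a source address from that interface's prefixes.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed sample of DNS queries arriving from customers, with the size of the query and
# the size of the answer the queried server would send back to the claimed source address.
SAMPLE_PACKETS = [
    {"iface": "cust-a", "src": "198.51.100.7",  "dst": "203.0.113.53", "query_len": 64, "resp_len": 512},   # genuine
    {"iface": "cust-a", "src": "192.0.2.10",    "dst": "203.0.113.53", "query_len": 64, "resp_len": 3072},  # spoofed: victim's address
    {"iface": "cust-b", "src": "203.0.113.200", "dst": "203.0.113.53", "query_len": 64, "resp_len": 3072},  # spoofed: outside cust-b's /25
    {"iface": "cust-b", "src": "203.0.113.9",   "dst": "203.0.113.53", "query_len": 64, "resp_len": 512},   # genuine
]


def source_is_valid(ingress_interface, src_ip):
    """Ingress filtering check: True only if src_ip belongs to a prefix assigned to the
    interface the packet arrived on. Unknown interfaces have no prefixes, so they fail closed."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(ingress_interface, []))


def filter_ingress(packets):
    """Split packets into those the provider forwards and those it drops as spoofed."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt["iface"], pkt["src"]) else dropped).append(pkt)
    return forwarded, dropped


def reflected_load(packets):
    """Bytes each claimed source address would receive once the queried server answers.
    Run on unfiltered traffic this shows the load a spoofed victim absorbs; run on the
    forwarded list it shows what survives source address validation."""
    totals = {}
    for pkt in packets:
        totals[pkt["src"]] = totals.get(pkt["src"], 0) + pkt["resp_len"]
    return totals


def amplification_factor(packets):
    """Ratio of response bytes to query bytes: how much larger the reflected traffic is
    than what the attacker had to send."""
    query_bytes = sum(p["query_len"] for p in packets)
    return sum(p["resp_len"] for p in packets) / query_bytes if query_bytes else 0.0


if __name__ == "__main__":
    fwd, drp = filter_ingress(SAMPLE_PACKETS)
    print("without validation, victim 192.0.2.10 receives", reflected_load(SAMPLE_PACKETS).get("192.0.2.10", 0), "bytes")
    print("with validation, victim 192.0.2.10 receives", reflected_load(fwd).get("192.0.2.10", 0), "bytes")
    print("dropped as spoofed:", [p["src"] for p in drp])
    print("amplification factor of the spoofed queries: %.1f" % amplification_factor(drp))
```

The point of the per-interface check is that the provider closest to the attacker is the only party that can tell a forged source apart from a real one; the victim's own firewall, as the subscriber found, sees only the reflected responses and cannot stop them.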
Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID571
by Dave Piscitello