When it comes to DNS, Cricket Liu literally wrote the book. He has co-authored all five editions of O'Reilly's "DNS and BIND" book, which is generally regarded as the definitive guide on all things relating to the Domain Name System. Cricket is currently chief infrastructure officer at Infoblox.
DNS is clearly a critical component of computer networking, but there are times when these tools can be used for malfeasance. In this week's New Tech Forum, Cricket takes a look at the growing problem of DNS-based DDoS attacks and how to deal with them. -- Paul Venezia
DNS-based DDoS attacks: How they work and how to stop them
The DNS-based DDoS (distributed denial-of-service) attack has become one of the most common destructive attacks on the Internet. But how do these attacks work? And what can we do to defend against them?
In this article, I'll describe how DDoS attacks both exploit and target DNS infrastructure. I'll also show you what you can do to protect yourself and others.
The big spoof
Generating a DDoS attack using DNS infrastructure is remarkably simple: The attackers send queries to name servers across the Internet, and those name servers return responses. Instead of sending the queries from their own IP addresses, though, the attackers spoof the address of their target -- which could be a Web server, a router, another name server, or just about any node on the Internet.
Spoofing DNS queries is particularly easy because they are usually carried over UDP (the connectionless User Datagram Protocol). Sending a DNS query from an arbitrary IP address is about as simple as -- and has roughly the same effect as -- writing someone else's return address on a postcard.
Spoofing queries isn't enough to incapacitate a target, though. If the responses to those queries were no larger than the queries themselves, an attacker would do just as well to flood the target with spoofed queries. No, to maximize the damage to the target, each query should return a very large response. It turns out that's very easy to instigate.
Since the advent of EDNS0, a set of extensions to DNS introduced back in 1999, UDP-based DNS messages have been able to carry lots of data. A response can be as large as 4,096 bytes. Most queries, on the other hand, are fewer than 100 bytes in length.
Once upon a time, it was relatively difficult to find a response that large in the Internet's namespace. But now that organizations have begun deploying DNSSEC, the DNS Security Extensions, it's much easier. DNSSEC stores cryptographic keys and digital signatures in records in the namespace. These are positively enormous.
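To put numbers on the asymmetry described above, here is an added example (not code from the article or from Infoblox) that builds and parses DNS wire-format messages, reads the EDNS0 buffer size advertised in the OPT pseudo-record, and computes the response-to-query amplification ratio that a resolver operator would want to watch. The messages, the 4,096-byte EDNS0 buffer and the filler DNSKEY records are constructed for the example; no packet is sent.

```python
import struct

TYPE_DNSKEY, TYPE_OPT = 48, 41   # DNSKEY carries DNSSEC keys; OPT is the EDNS0 pseudo-record

def encode_name(name):
    """Wire-format name: each label length-prefixed, terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def build_message(qname, qtype, is_response=False, answers=(), edns_udp_size=None):
    """Assemble a DNS message; answers is a sequence of (rtype, rdata) owned by qname."""
    flags = 0x8180 if is_response else 0x0100            # QR|RD|RA for a response, RD for a query
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 1 if edns_udp_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:                           # 0xC00C: compression pointer to qname
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    if edns_udp_size:                                      # OPT: root name, TYPE 41, CLASS = UDP size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a name, spelled out or as a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse(msg):
    """Return QR flag, first QTYPE and the EDNS0 advertised UDP size (None if no OPT)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, qtype, edns = 12, None, None
    for _ in range(qd):
        off = skip_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4                                           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            edns = rclass
        off += 10 + rdlen
    return {"is_response": bool(flags & 0x8000), "qtype": qtype, "edns_udp_size": edns}

def amplification(query, response):
    return len(response) / len(query)                      # bytes returned per byte sent

# Constructed sample: a DNSKEY query advertising a 4,096-byte EDNS0 buffer, and a response with two filler DNSKEY records (not real keys).
QUERY = build_message("example.com", TYPE_DNSKEY, edns_udp_size=4096)
RESPONSE = build_message("example.com", TYPE_DNSKEY, True,
                         [(TYPE_DNSKEY, b"\x01\x01\x03\x08" + b"\xaa" * 1500)] * 2, 4096)
```

The 40-byte query draws a 3,072-byte response here, an amplification factor of roughly 77, which is why a resolver that answers such queries for anyone on the Internet is so attractive as a reflector.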