Distributed Reflection DoS (DRDoS) attack
Combines reflection and amplification
Uses third-party open resolvers on the Internet as reflectors (unwitting accomplices)
Attacker sends queries to the open recursive servers with the source IP address spoofed to the victim's address, so every reply is delivered to the victim instead of the attacker
Queries are crafted to produce a very large response (e.g. ANY queries, or names carrying large DNSSEC record sets), so a small request from the attacker turns into a response many times its size at the victim
Impact:
- Causes DDoS on the victim's server (its link is saturated by responses it never asked for); mitigations are source-address validation at the edge (BCP 38), not running open recursive resolvers, and response rate limiting on the reflectors
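To make the amplification concrete, the following is an added example (not code from the original slides): it builds a wire-format ANY query, a constructed TXT-heavy response of the kind a reflector would return, computes the bandwidth amplification factor, and shows a simplified response rate limiting (RRL) policy on the reflector side. The domain names, record contents, addresses and the RRL threshold are assumptions made up for the example.

```python
import struct
from collections import Counter


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set) plus one question.
    qtype 255 (ANY) is the type classically abused because the answer is large."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, txt_chunks: list) -> bytes:
    """Constructed reply to `query` carrying one TXT record per chunk. It exists
    only to size a large response; it is not what a real resolver would emit."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_chunks), 0, 0)
    answers = b""
    for chunk in txt_chunks:
        rdata = bytes([len(chunk)]) + chunk              # one TXT <character-string>
        answers += (b"\xc0\x0c"                          # name pointer to QNAME at offset 12
                    + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata)
    return header + question + answers


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker had to send
    (UDP/IP headers ignored, which makes the figure slightly optimistic)."""
    return len(response) / len(query)


def example_factor() -> float:
    """29-byte ANY query against a constructed ~2.5 KB answer."""
    q = build_query("example.com", qtype=255)
    r = build_response(q, [b"x" * 200] * 12)
    return amplification_factor(q, r)


def rrl_decisions(queries: list, limit: int) -> list:
    """Reflector-side response rate limiting (assumed policy: at most `limit`
    identical (client, qname, qtype) answers per window, the rest dropped).
    In a reflection attack the 'client' is the spoofed victim address, so
    this caps what the victim is made to receive. Returns True = answer."""
    seen = Counter()
    decisions = []
    for client, qname, qtype in queries:
        key = (client, qname.lower(), qtype)
        seen[key] += 1
        decisions.append(seen[key] <= limit)
    return decisions


if __name__ == "__main__":
    print("amplification factor:", round(example_factor(), 1))
    # Constructed window: 198.51.100.9 is the spoofed (victim) source address.
    flood = [("198.51.100.9", "example.com", 255)] * 5
    print("RRL decisions with limit 2:", rrl_decisions(flood, 2))
```

The factor printed is bytes-on-the-wire only; the resolver's own rate limiting is what stops it from answering the same spoofed source repeatedly.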
Cache poisoning
Corruption of the DNS cache data
Attacker queries a recursive name server for the IP address of a name in a domain the attacker controls
The recursive server does not have the answer cached and queries the attacker's authoritative name server for that domain
The malicious server returns the requested (rogue) IP address and also includes extra records that map other, legitimate names (e.g. www.mybank.com) to the rogue IP address
A recursive server that does not check that extra records belong to the zone it asked about (a "bailiwick" check) caches the rogue IP address as the address of www.mybank.com
User queries the recursive server for the IP address of www.mybank.com
The recursive server replies to the user with the cached rogue IP address
Client connects to the site controlled by the attacker, believing it is www.mybank.com
Impact:
- Logins, passwords, credit card numbers of the user can be captured (modern resolvers reject out-of-bailiwick records, and DNSSEC validation lets them reject forged data outright)
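The bailiwick check is the difference between a resolver that falls for the sequence above and one that does not. The following is an added example (not code from the original slides) with a toy cache that can be run with or without the check; the zone evil.example, the address 203.0.113.5 and the record contents are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as a resolver would see it in a response section."""
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


class ToyCache:
    """Toy resolver cache. With check_bailiwick=False every record in a response
    is cached (the behaviour the poisoning above relies on); with True only
    records whose owner name sits at or below the zone that was queried are."""

    def __init__(self, check_bailiwick: bool):
        self.check_bailiwick = check_bailiwick
        self.entries = {}

    @staticmethod
    def in_bailiwick(owner: str, zone: str) -> bool:
        owner = owner.lower().rstrip(".")
        zone = zone.lower().rstrip(".")
        return owner == zone or owner.endswith("." + zone)

    def ingest(self, queried_zone: str, answer: list, additional: list):
        """Cache a response; returns (accepted, rejected) records."""
        accepted, rejected = [], []
        for rr in answer + additional:
            if self.check_bailiwick and not self.in_bailiwick(rr.name, queried_zone):
                rejected.append(rr)            # record about a zone we did not ask about
                continue
            self.entries[(rr.name.lower().rstrip("."), rr.rtype)] = rr.rdata
            accepted.append(rr)
        return accepted, rejected

    def lookup(self, name: str, rtype: str = "A"):
        return self.entries.get((name.lower().rstrip("."), rtype))


def poison_attempt(check_bailiwick: bool):
    """Replay the attack: the resolver asked evil.example's server for
    www.evil.example and got a constructed response with an extra record for
    www.mybank.com. Returns what the cache then says about www.mybank.com."""
    cache = ToyCache(check_bailiwick)
    answer = [RR("www.evil.example", "A", "203.0.113.5")]
    additional = [RR("www.mybank.com", "A", "203.0.113.5")]   # out of bailiwick
    cache.ingest("evil.example", answer, additional)
    return cache.lookup("www.mybank.com")


if __name__ == "__main__":
    print("naive cache answers for www.mybank.com:", poison_attempt(False))
    print("bailiwick-checked cache answers:", poison_attempt(True))
```

Real resolvers apply the same rule to NS and glue records, which is why the attacker's server cannot simply claim to be authoritative for mybank.com either.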
TCP SYN floods
Abuses the 3-way handshake that begins a TCP connection
Attacker sends a flood of SYN packets with spoofed source IP addresses that are unreachable or will never reply
The server allocates a half-open connection entry for each SYN and sends a SYN-ACK to the spoofed address
It never receives the final ACK from these addresses, so the connections are never completed
These half-open connections fill the server's connection backlog (and the memory behind it) until no entry is free
Impact
- Server stops responding to new connection requests coming from legitimate users until entries time out; SYN cookies (net.ipv4.tcp_syncookies on Linux) let the server answer SYNs without keeping state, so a flood costs it no memory
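The following is an added example (not code from the original slides) that models both sides of the point above: a fixed-size half-open table that a spoofed flood fills until a real client's SYN is dropped, beside a simplified SYN-cookie scheme that stores nothing until a valid ACK arrives. The cookie construction is an illustration of the idea (MAC over the 4-tuple and a time slot), not the exact Linux algorithm, and the addresses, ports and secret are made up.

```python
import hashlib
import hmac
import struct


class Backlog:
    """Stateful handling: every SYN reserves a half-open entry until the final
    ACK arrives or the entry times out. `capacity` models the listen backlog."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.half_open = {}

    def on_syn(self, client, seq) -> bool:
        if len(self.half_open) >= self.capacity:
            return False                       # backlog full: SYN silently dropped
        self.half_open[client] = seq           # SYN-ACK sent, waiting for the ACK
        return True

    def on_ack(self, client) -> bool:
        return self.half_open.pop(client, None) is not None


def legit_syn_after_flood(capacity: int, flood_size: int) -> bool:
    """Spoofed SYNs from 203.0.113.0/24 addresses that never answer, then one SYN
    from a real client; returns whether the real client got a backlog entry."""
    server = Backlog(capacity)
    for i in range(flood_size):
        server.on_syn((f"203.0.113.{i % 254 + 1}", 1024 + i), i)   # spoofed 4-tuples
    return server.on_syn(("192.0.2.10", 55555), 0)


class SynCookieServer:
    """Stateless alternative: the SYN-ACK's sequence number is a MAC over the
    4-tuple and a coarse time slot (top 8 bits carry the slot). Nothing is
    stored until an ACK carrying a valid cookie proves the client is real."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.established = set()

    def cookie(self, client, server, tslot: int) -> int:
        tslot &= 0xFF
        msg = f"{client[0]}:{client[1]}:{server[0]}:{server[1]}:{tslot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (tslot << 24) | (struct.unpack("!I", mac[:4])[0] & 0x00FFFFFF)

    def on_syn(self, client, server, tslot: int) -> int:
        return self.cookie(client, server, tslot)    # becomes the SYN-ACK's ISN; no state kept

    def on_ack(self, client, server, ack_num: int, now_slot: int, max_age: int = 1) -> bool:
        isn = (ack_num - 1) & 0xFFFFFFFF             # a real client ACKs ISN+1
        tslot = isn >> 24
        if (now_slot - tslot) & 0xFF > max_age:
            return False                             # cookie too old
        if isn != self.cookie(client, server, tslot):
            return False                             # forged, or from a different 4-tuple
        self.established.add(client)                 # first state allocated only here
        return True


if __name__ == "__main__":
    print("real client admitted after 1000 spoofed SYNs, backlog 128:",
          legit_syn_after_flood(128, 1000))
    srv = SynCookieServer(b"rotating-secret")
    client, listener = ("192.0.2.10", 55555), ("198.51.100.1", 443)
    isn = srv.on_syn(client, listener, tslot=5)
    print("valid ACK accepted:", srv.on_ack(client, listener, isn + 1, now_slot=5))
```

The cost of the cookie approach is that TCP options announced in the SYN are not remembered, which is why production implementations encode the MSS into the cookie and only switch to cookies when the backlog is under pressure.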
DNS tunneling
Uses DNS as a covert communication channel to bypass a firewall that allows DNS out but blocks other traffic
Attacker tunnels other protocols such as SSH, arbitrary TCP streams or HTTP inside DNS: outbound data is encoded in query names, inbound data in response records (e.g. TXT)
Enables attackers to pass stolen data or tunnel IP traffic with little chance of detection, because the organisation's own recursive resolver forwards the queries to the attacker's authoritative server on their behalf
A DNS tunnel can be used as a full remote control channel for a compromised internal host
Also used to bypass captive portals to avoid paying for Wi-Fi service
Impact:
- Data exfiltration can happen through the tunnel; telltale signs are unusually long, high-entropy query names, a high rate of never-repeated names under one domain, and heavy use of TXT or NULL records
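The following is an added example (not code from the original slides) showing both ends of the upstream half of a tunnel, packing data into query names within the 63-byte label and 253-byte name limits, and a resolver-side heuristic that flags the tunnel domain in a constructed query log. The tunnel domain t.attacker.example, the payload, the log entries and the detection thresholds are all assumptions made for the example.

```python
import base64
import math
from collections import defaultdict

MAX_LABEL = 63     # RFC 1035 label length limit
MAX_NAME = 253     # practical limit on a full name in presentation form


def encode_chunks(data: bytes, tunnel_domain: str) -> list:
    """Client side: pack data into names <seq>.<b32>[.<b32>...].<tunnel_domain>.
    Base32 survives the case folding resolvers may apply; the resolver forwards
    each name to the tunnel domain's authoritative server, which decodes it."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    suffix = "." + tunnel_domain.strip(".")
    names, pos, seq = [], 0, 0
    while pos < len(text):
        seq_label = str(seq)
        budget = MAX_NAME - len(suffix) - len(seq_label)   # room for ".label" parts
        if budget < MAX_LABEL + 1:
            raise ValueError("tunnel domain too long to carry data")
        labels = []
        while pos < len(text) and budget >= MAX_LABEL + 1:
            labels.append(text[pos:pos + MAX_LABEL])
            pos += len(labels[-1])
            budget -= MAX_LABEL + 1
        names.append(".".join([seq_label] + labels) + suffix)
        seq += 1
    return names


def decode_chunks(names: list, tunnel_domain: str) -> bytes:
    """Server side: strip the tunnel domain, order by sequence label, rejoin."""
    suffix = "." + tunnel_domain.strip(".")
    pieces = []
    for name in names:
        if name.endswith(suffix):
            seq, *labels = name[:-len(suffix)].split(".")
            pieces.append((int(seq), "".join(labels)))
    text = "".join(p for _, p in sorted(pieces)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_zones(queries, min_queries=5, min_len=40, min_entropy=3.0, min_unique=0.8):
    """Resolver-side heuristic over (client, qname, qtype) records. A zone is
    flagged when the part below it is long, high-entropy and almost never
    repeated. Thresholds are assumptions for this example, not published values."""
    by_zone = defaultdict(list)
    for _client, qname, _qtype in queries:
        labels = qname.lower().strip(".").split(".")
        if len(labels) < 3:
            continue
        by_zone[".".join(labels[-2:])].append(".".join(labels[:-2]))  # crude zone split
    flagged = {}
    for zone, subs in by_zone.items():
        if len(subs) < min_queries:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        unique = len(set(subs)) / len(subs)
        if mean_len >= min_len and mean_ent >= min_entropy and unique >= min_unique:
            flagged[zone] = (round(mean_len, 1), round(mean_ent, 2), round(unique, 2))
    return flagged


TUNNEL = "t.attacker.example"
SECRET = b"host=db01.internal user=alice password=hunter2\n" * 10 + bytes(range(256))


def build_sample_queries() -> list:
    """Constructed log: ordinary lookups plus the tunnel's own queries."""
    benign = [("10.0.0.5", "www.example.com", "A")] * 6 + \
             [("10.0.0.5", "mail.example.com", "MX")] * 2 + \
             [("10.0.0.6", "cdn.static.example.com", "A")] * 2
    tunnel = [("10.0.0.7", name, "TXT") for name in encode_chunks(SECRET, TUNNEL)]
    return benign + tunnel


if __name__ == "__main__":
    names = encode_chunks(SECRET, TUNNEL)
    print(len(names), "queries, longest name", max(len(n) for n in names), "chars")
    print("flagged zones:", suspicious_zones(build_sample_queries()))
```

Downstream traffic travels the other way in TXT (or NULL) answers, which is why a sudden rise in large TXT responses from one domain is the matching signal on the response side.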
DNS hijacking
Modifies the domain's DNS record settings (most often at the domain registrar, using stolen or weakly protected registrar credentials) so that the domain points at a rogue DNS server or rogue host
User tries to access a legitimate website www.mybank.com
User is redirected to a bogus site controlled by the attackers that looks very much like the real one
Impact
- Attackers acquire user names, passwords and credit card information; registrar account protection (MFA, registry lock) and monitoring of the domain's NS and A records against a known-good baseline are the usual defences
Basic NXDOMAIN attack
The attacker sends a flood of queries to a recursive DNS server for domain names that do not exist
For each new name the recursive server performs a full recursive lookup, walking the delegation chain, and ends with a "no such domain" (NXDOMAIN) answer
In the process its cache fills with negative (NXDOMAIN) results, crowding out useful entries
Impact:
- Slower DNS server response time for legitimate requests
- The DNS server also spends valuable resources on recursion that can never produce a useful answer, since every name in the flood is unique
Phantom domain attack
Phantom domains are set up by the attacker as part of the attack; the DNS resolver is made to resolve many names under these phantom domains
The phantom domains' name servers either never respond or respond very slowly
Impact
- Server consumes resources while waiting for responses, eventually leading to degraded performance or failure
- Too many outstanding queries: the resolver reaches its limit on simultaneous recursions and starts failing other clients' queries
Random subdomain attack
Infected clients generate queries by prepending random subdomain strings to the victim's domain, e.g. xyz4433.yahoo.com
Each client may send only a small volume of these queries to the recursive DNS server
Harder to detect, because no single client stands out
Many such infected clients send these requests at the same time
Impact
- Responses may never come back for these non-existent subdomains (the victim's authoritative server is overwhelmed by the load)
- The recursive server waits for responses until its outstanding query limit is exhausted
- Target domain's authoritative server experiences DDoS
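The basic NXDOMAIN attack and the random subdomain attack above look different per client but leave distinct traces in the resolver's query log: one client with an almost pure NXDOMAIN stream in the first case, and one zone accumulating a huge number of distinct NXDOMAIN names from many low-volume clients in the second. The following is an added example (not code from the original slides) that runs both checks over a constructed log; the log format, addresses, names and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, Counter

LINE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) .*rcode=(?P<rcode>\S+)")


def parse(line: str):
    """Pull client, query name and response code out of one constructed log line."""
    m = LINE.search(line)
    return (m["client"], m["qname"].lower().rstrip("."), m["rcode"]) if m else None


def zone_of(qname: str) -> str:
    return ".".join(qname.split(".")[-2:])     # crude registrable-domain assumption


def analyse(lines, client_min=20, client_nx_ratio=0.8, zone_min_unique=25):
    """Returns (clients flagged for an NXDOMAIN flood, zones flagged for a random
    subdomain attack, number of distinct clients behind each flagged zone)."""
    per_client = defaultdict(Counter)          # client -> total / nx counts
    nx_names = defaultdict(set)                # zone -> distinct NXDOMAIN names
    nx_clients = defaultdict(set)              # zone -> clients producing them
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, qname, rcode = rec
        per_client[client]["total"] += 1
        if rcode == "NXDOMAIN":
            per_client[client]["nx"] += 1
            nx_names[zone_of(qname)].add(qname)
            nx_clients[zone_of(qname)].add(client)
    flagged_clients = {c for c, n in per_client.items()
                       if n["total"] >= client_min and n["nx"] / n["total"] >= client_nx_ratio}
    flagged_zones = {z for z, names in nx_names.items() if len(names) >= zone_min_unique}
    return flagged_clients, flagged_zones, {z: len(nx_clients[z]) for z in flagged_zones}


def build_sample_log() -> list:
    """Constructed resolver log in an assumed key=value format."""
    lines = []
    for i in range(30):      # ordinary traffic from three clients
        lines.append(f"2024-05-01T10:00:{i:02d} client=10.0.0.{i % 3 + 1} "
                     f"qname=www.example.com qtype=A rcode=NOERROR")
    for i in range(40):      # basic NXDOMAIN flood: one client, names scattered everywhere
        lines.append(f"2024-05-01T10:01:00 client=10.0.0.99 "
                     f"qname=nosuch{i}.invalid qtype=A rcode=NXDOMAIN")
    for c in range(20):      # random subdomain attack: 20 infected clients, 3 queries each
        for j in range(3):
            lines.append(f"2024-05-01T10:02:00 client=10.0.1.{c + 1} "
                         f"qname=x{c}{j}q7.yahoo.com qtype=A rcode=NXDOMAIN")
    return lines


if __name__ == "__main__":
    clients, zones, breadth = analyse(build_sample_log())
    print("NXDOMAIN flood clients:", clients)
    print("random-subdomain zones:", zones, "clients involved:", breadth)
```

No client in the random subdomain part of the log exceeds the per-client threshold, which is exactly the point of that attack; the zone-level count is what exposes it, and it is also the input for the usual mitigation of rate-limiting recursion per target zone.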
Domain lock-up attack
Attackers set up domains whose name servers accept TCP connections from DNS resolvers
When a resolver connects and sends a query, these servers send "junk" or random packets to keep it engaged
They are also deliberately slow to respond, keeping the resolver's connections and query slots tied up. This effectively locks up the DNS server's resources.
Impact
- A DNS resolver that keeps establishing connections to these misbehaving domains exhausts its resources
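The phantom domain attack and the domain lock-up attack share one mechanism: upstream servers that never (or very slowly) answer keep the resolver's outstanding-query slots occupied until the resolver's own timeout fires, so legitimate lookups find no free slot. The following is an added example (not code from the original slides) with a toy resolver that has such a cap, a flood against five unresponsive phantom servers, and a hold-down rule that stops querying a server after repeated timeouts. The server names, rates, limits and the hold-down policy are assumptions made for the example, not a specific product's behaviour.

```python
from collections import Counter


class Upstream:
    """A name server as the resolver sees it; latency None means it never answers."""

    def __init__(self, name: str, latency):
        self.name, self.latency = name, latency


class Resolver:
    """Toy recursive resolver with a cap on simultaneous outstanding queries.
    With hold_down set, a server that has timed out max_failures times is not
    queried again for hold_down ticks, so it can no longer pin down slots."""

    def __init__(self, max_outstanding, timeout, max_failures=3, hold_down=None):
        self.max_outstanding, self.timeout = max_outstanding, timeout
        self.max_failures, self.hold_down = max_failures, hold_down
        self.outstanding = []              # (deadline, upstream, will_time_out)
        self.failures = Counter()
        self.bad_until = {}

    def tick(self, now: int):
        """Retire queries that were answered or timed out by `now`."""
        keep = []
        for deadline, up, will_time_out in self.outstanding:
            if deadline > now:
                keep.append((deadline, up, will_time_out))
                continue
            if will_time_out:
                self.failures[up.name] += 1
                if self.hold_down and self.failures[up.name] >= self.max_failures:
                    self.bad_until[up.name] = now + self.hold_down
                    self.failures[up.name] = 0
        self.outstanding = keep

    def send(self, now: int, up: Upstream) -> str:
        if self.hold_down and self.bad_until.get(up.name, -1) > now:
            return "refused"                      # held down: no slot spent on it
        if len(self.outstanding) >= self.max_outstanding:
            return "servfail"                     # no free slot: the query fails
        will_time_out = up.latency is None or up.latency > self.timeout
        deadline = now + (self.timeout if will_time_out else up.latency)
        self.outstanding.append((deadline, up, will_time_out))
        return "sent"


def simulate(hold_down, ticks=200, attack_rate=3, max_outstanding=50, timeout=30):
    """attack_rate queries per tick go to five phantom servers that never answer;
    a legitimate client asks a fast server every 10 ticks. Returns how many of
    the legitimate queries got SERVFAIL."""
    good = Upstream("ns.legit.example", latency=1)
    phantoms = [Upstream(f"ns{i}.phantom.example", latency=None) for i in range(5)]
    resolver = Resolver(max_outstanding, timeout, hold_down=hold_down)
    legit_failed = 0
    for t in range(ticks):
        resolver.tick(t)
        for _ in range(attack_rate):
            resolver.send(t, phantoms[t % len(phantoms)])
        if t % 10 == 0 and resolver.send(t, good) == "servfail":
            legit_failed += 1
    return legit_failed


if __name__ == "__main__":
    print("legitimate SERVFAILs without hold-down:", simulate(None))
    print("legitimate SERVFAILs with hold-down of 100 ticks:", simulate(100))
```

With 3 unanswered queries per tick and a 30-tick timeout, 90 slots would be needed to absorb the flood, so a 50-slot resolver is full from tick 16 onward and stays full until the hold-down removes the phantom servers from rotation; a per-server cap on outstanding queries works the same way and is the other common defence.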
Botnet-based attacks from CPE devices
Random subdomain attacks that use botnets of customer premises equipment (CPE) to direct all of their traffic at one site or domain
Attack involves compromised devices such as CPE switches and routers:
- Supplied by ISPs
- Supplied by the customer
These malware-infected CPE devices form a botnet that sends large volumes of queries for names such as xyz123.yahoo.com
Impact
- Victim domain experiences DDoS
- DNS resolver resources exhausted
When CPE devices are compromised, it can lead to other adverse effects:
- SSL proxying on the device, leading to theft of login credentials etc.
- Launch point for attacks against customer PCs and environments (expanding the compromise)