Was NATO Hit by a DNS Attack?

The latest developments in the Russia-Ukraine cyberwar battle have garnered huge media attention.  It was also recently revealed that the cyber attacks on the NATO websites and infrastructure have been linked to those same tensions.  The attacks, which targeted NATO and also Ukrainian media websites, were distributed denial-of-service attacks (DDoS) allegedly by the pro-Russia group Cyber Berkut (KiberBerkut). 

While there is not 100% certainty on the tools and attack vectors used, strong indicators suggest that the attackers used DNS Amplification and/or NTP Amplification for this attack. 

A Deeper Look into DNS Amplification Attacks

DNS Amplification attacks can have devastating impacts and Reflective DNS floods are a part of a wider set of these DNS-based attacks.  They are very dangerous and are also a favorite among attackers. Asymmetric in nature, a DNS flood generates a massive network flood using limited resources and IP spoofing.  This can make it very difficult to track.

What are the Mechanics of a Reflective DNS Attack?

Reflective Floods uses a two-step process to launch an attack:

1. First, a large number of requests are sent to one or more DNS servers. The requests use a spoofed source IP of the target victim.

2. Next, the DNS server receiving the requests replies to the spoofed IP, and unknowingly launches an attack on the target victim by responding to requests that the victim never sent. The target victim whose resources are exhausted, need not be a DNS server, but can be any server at all.

Another contributor to the destructiveness is message amplification.

Message amplification is when an attacker sends a small number of short requests that result in the replies sent by the DNS server to be greatly amplified, also exhausting the victim’s server resources.

This can be best illustrated by a simple equation:

Assume an attacker with a 5Mbps internet connection can send about 14k requests of the size 44 bytes per second. This small size of this request (14k RPS5Mbps) would not cause harm to any normal DNS server.

However, if the attacker has a crafted reply with the maximum size of 4096 bytes, the victim server will receive ~465 Mb of traffic beyond its normal traffic bandwidth.  

Only three such attackers are needed to reach a 1.4Gbps attack throughput. This will cause almost any service to immediately reach a denial of service state.

How Can You Protect Yourself from these Attacks?

The mechanics of Reflective DNS Attacks require that you defend yourself both from being an attack victim and an unknowingly assistant to attackers.

Here are some protection guidelines:

Awareness

Any organization with internet access can be a target for DDoS attacks.  The most fundamental element of a protection plan should be constant network monitoring.

Configure your DNS Server

To prevent a case of your DNS server being used for an attack, make sure you do not run an open DNS service.  Another precaution is to rate limit responses from any single authoritative name servers.  Determine the baseline of how many responses you usually get and set a limit that drops responses when the rate is above this baseline.

Protect your Pipeline

The above protection methods are all important, but they will not prevent the saturation of your network pipe in the case of a massive attack.  Make sure you have the option to divert traffic to an MSSP or another entity offering such services.  In the case of a pipe-saturation attack, your on-premises equipment will have no way of mitigating the attack by itself.

Source IP Validation

Finally, the real solution to IP spoofing is source IP validation.  Note:  This should be handled by backbone providers, rather than individual organizations.