Was NATO Hit by a DNS Attack?

5
727

The latest developments in the Russia-Ukraine cyberwar battle have garnered huge media attention.  It was also recently revealed that the cyber attacks on the NATO websites and infrastructure have been linked to those same tensions.  The attacks, which targeted NATO and also Ukrainian media websites, were distributed denial-of-service attacks (DDoS) allegedly by the pro-Russia group Cyber Berkut (KiberBerkut). 

While there is not 100% certainty on the tools and attack vectors used, strong indicators suggest that the attackers used DNS Amplification and/or NTP Amplification for this attack. 

A Deeper Look into DNS Amplification Attacks

DNS Amplification attacks can have devastating impacts and Reflective DNS floods are a part of a wider set of these DNS-based attacks.  They are very dangerous and are also a favorite among attackers. Asymmetric in nature, a DNS flood generates a massive network flood using limited resources and IP spoofing.  This can make it very difficult to track.

What are the Mechanics of a Reflective DNS Attack?

The attacker sends DNS requests to 3rd party servers, using a spoofed source IP of the target victim server. The replies sent by 3rd party servers generate an attack on the victim with responses that are x3-100 times amplified compared to the request.
The attacker sends DNS requests to 3rd party servers, using a spoofed source IP of the target victim server. The replies sent by 3rd party servers generate an attack on the victim with responses that are x3-100 times amplified compared to the request.

Reflective Floods uses a two-step process to launch an attack:

  1. First, a large number of requests are sent to one or more DNS servers. The requests use a spoofed source IP of the target victim.

  2. Next, the DNS server receiving the requests replies to the spoofed IP, and unknowingly launches an attack on the target victim by responding to requests that the victim never sent. The target victim whose resources are exhausted, need not be a DNS server, but can be any server at all.

Another contributor to the destructiveness is message amplification.

Message amplification is when an attacker sends a small number of short requests that result in the replies sent by the DNS server to be greatly amplified, also exhausting the victim’s server resources.

This can be best illustrated by a simple equation:

Assume an attacker with a 5Mbps internet connection can send about 14k requests of the size 44 bytes per second. This small size of this request (14k RPS5Mbps) would not cause harm to any normal DNS server.

However, if the attacker has a crafted reply with the maximum size of 4096 bytes, the victim server will receive ~465 Mb of traffic beyond its normal traffic bandwidth.  

Only three such attackers are needed to reach a 1.4Gbps attack throughput. This will cause almost any service to immediately reach a denial of service state.

How Can You Protect Yourself from these Attacks?

The mechanics of Reflective DNS Attacks require that you defend yourself both from being an attack victim and an unknowingly assistant to attackers.

Here are some protection guidelines:

Awareness

Any organization with internet access can be a target for DDoS attacks.  The most fundamental element of a protection plan should be constant network monitoring.

Configure your DNS Server

To prevent a case of your DNS server being used for an attack, make sure you do not run an open DNS service.  Another precaution is to rate limit responses from any single authoritative name servers.  Determine the baseline of how many responses you usually get and set a limit that drops responses when the rate is above this baseline.

Protect your Pipeline

The above protection methods are all important, but they will not prevent the saturation of your network pipe in the case of a massive attack.  Make sure you have the option to divert traffic to an MSSP or another entity offering such services.  In the case of a pipe-saturation attack, your on-premises equipment will have no way of mitigating the attack by itself.

Source IP Validation

Finally, the real solution to IP spoofing is source IP validation.  Note:  This should be handled by backbone providers, rather than individual organizations.

Like this article? Receive similar articles by subscribing to our blog today!

5 COMMENTS

    • Thanks for your comment. Even if the latest BIND version will support rate limiting, by the nature of the operation from such services we should never assume that systems will run the latest release of a software right away. In many cases it will take months or longer to update software in the production environment and this is in fact one of the main security risks. As part of the attack preparation, attackers do run pre-scans to find out what is the software release used for the specific service and will use a tailor made set of attack tools to succeed.

  1. It’s a shame you don’t have a donate button! I’d most certainly donate to
    this outstanding blog! I guess for now i’ll settle for bookmarking and adding your RSS feed to my Google
    account. I look forward to fresh updates and will share this site with my Facebook group.
    Talk soon!

LEAVE A REPLY

Please enter your comment!
Please enter your name here