A new form of Domain Name Service-based distributed denial of service (DDoS) attacks that emerged in October, attacks that can significantly boost the volume of data flung at a targeted server. The method builds upon the well-worn DNS reflection attack method used frequently in past DDoS attacks, exploiting part of the DNS record returned by domain queries to increase the amount of data sent to the target—by stuffing it full of information from President Barack Obama’s press office.
DNS reflection attacks (also known as DNS amplification attacks) use forged requests to a DNS server for the Internet Protocol address and other information about a specific host and domain name. For example, a response from Google’s DNS server typically returns something like this—a simple response with the canonical name (CNAME) of the DNS address sent in the request and an IPv4 or IPv6 address for that name:
DNS requests are usually sent using the User Datagram Protocol (UDP), which is “connectionless.” It doesn’t require that a connection be negotiated between the requester and the server before data is sent to make sure it’s going to the right place. By forging the return address on the DNS request sent to make it look like it came from the target, an attacker can get a significant boost in the size of a DDoS attack because the amount of data sent in response to the DNS request is significantly larger.
But this new attack pumps up the size of the attack further by exploiting the TXT record for a domain—a free-form text entry for a domain name. TXT records are used to provide “time to live” (TTL) information for caching of webpages, configuring anti-spam policies for e-mail service, and verifying ownership of domains being configured for Google Apps and other enterprise services. It can also be used to provide information about other services associated with a domain name.
A TXT record for a domain can be up to 255 characters—a significant boost over the relatively small size of the request sent for it. In October, Akamai’s security team noticed a trend in DNS reflection attacks using TXT record requests to the domain “guessinfosys.com” and other malicious domains. The contents for those were not exactly what you’d expect in such a record—they contained text pulled from news releases on WhiteHouse.gov:
These attacks lasted for over five hours during each episode, resulting in malicious traffic of up to four gigabits per second hitting their targets. The contents of the TXT records were apparently being updated automatically, possibly scraping data from the WhiteHouse.gov site.
DDoS attacks, like many “reflection” attacks, are preventable by DNS server operators by blocking external DNS requests. The attacks can sometimes be stopped at the edge of the network, but that usually requires having more bandwidth available than the size of the attack—something smaller sites without DDoS protection from a content delivery network such as Akamai or CloudFlare may have some difficulty doing.