🎙️Understanding DDoS Amplification Attacks | The DNS Amplification Threat🎧

Ronald Bartels
4 min read

Distributed Denial of Service (DDoS) amplification attacks are one of the most effective methods attackers use to overwhelm networks and servers. By bouncing spoofed requests off misconfigured services such as open DNS resolvers, attackers multiply their traffic many times over while hiding behind the reflector's address. Unfortunately, open DNS resolvers, particularly those on poorly secured devices such as Mikrotik routers, contribute significantly to the pool of usable reflectors. This article explores how DNS amplification attacks work, the role of unsecured resolvers, and how Source Address Verification (the ingress filtering described in BCP 38) removes the spoofing the attack depends on.


What Is a DDoS Amplification Attack?

In a standard DDoS attack, attackers flood a target with traffic, exhausting its resources and rendering it unavailable. An amplification attack takes this to another level by exploiting vulnerable services that can multiply the size of an attack. Here’s how it works:

  1. Reflection:
    Attackers send requests to an intermediary server (e.g., a DNS resolver) using a spoofed source IP address that belongs to the target.

  2. Amplification:
    The server responds to the request, often with a response many times larger than the original query. Since the request is spoofed, the response is sent to the target instead of the attacker.

  3. Overload:
    The target is flooded with amplified traffic, quickly overwhelming its bandwidth and resources.

This type of attack is particularly effective because a modest amount of spoofing capacity (a single host on a network that does not filter source addresses is enough) is turned into traffic volumes many times larger, and the victim sees the reflectors' addresses rather than the attacker's.


DNS Amplification Attacks: Exploiting Open Resolvers

DNS resolvers, particularly open resolvers, are commonly abused for amplification attacks. Open resolvers are recursive DNS servers that answer queries from any source address on the internet, not just from the networks they are meant to serve.

How Open Resolvers Are Abused

  1. The Request:
    Attackers send a small DNS query (a few dozen bytes) for a name and record type that produce a large answer, typically a QTYPE ANY query against a domain with many records or DNSSEC material, with EDNS0 advertising a large UDP buffer so the resolver does not truncate the reply.

  2. The Response:
    The open resolver responds with a large DNS reply, commonly 30 to 50 times the size of the query (the bandwidth amplification factor).

  3. Targeting:
    The spoofed source IP ensures the response is sent to the target victim, amplifying the attack.
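The three steps above, as an added example that is not part of the original article: it builds the attacker's query and a resolver's reply on the wire (RFC 1035 with an EDNS0 OPT record per RFC 6891) and measures the amplification factor. The zone name, record contents and sizes are constructed placeholders, and the response builder assumes the query's only additional record is OPT. It also shows the edge case the attacker avoids: without EDNS0 the reply exceeds 512 bytes, a conforming server sets TC and returns only the question, and the amplification collapses to about 1x.

```python
import struct

QTYPE_ANY = 255
TYPE_OPT = 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """RFC 1035 name encoding: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(pkt, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:
            return off + 2
        off += pkt[off] + 1
    return off + 1


def build_query(name, qtype, edns_udp_size=4096, txid=0x1234):
    """A UDP query. With EDNS0 the OPT pseudo-record advertises how large a UDP reply the
    client accepts; attackers set it high so the reflector sends the whole answer."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def advertised_udp_size(query):
    """UDP payload size from the query's OPT record; 512 bytes without EDNS0 (RFC 1035)."""
    arcount = struct.unpack("!H", query[10:12])[0]
    off = skip_name(query, 12) + 4                     # past the single question
    if arcount:
        off = skip_name(query, off)
        rtype, rclass = struct.unpack("!HH", query[off:off + 4])
        if rtype == TYPE_OPT:
            return rclass
    return 512


def rr(rtype, rdata, ttl=3600):
    """Resource record whose owner name is a compression pointer to the question name (offset 12)."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed record set for a hypothetical zone: a few A records, a long TXT record and
# DNSSEC-sized placeholders (the bytes are filler, not real keys or signatures).
SAMPLE_RECORD_SET = (
    [rr(1, bytes([192, 0, 2, n])) for n in range(1, 5)]                               # 4 x A
    + [rr(16, bytes([255]) + b"v=spf1 include:_spf.example ".ljust(255, b"x"))]       # TXT
    + [rr(48, b"\x01\x01\x03\x08" + b"\x55" * 257)]                                   # DNSKEY-sized
    + [rr(46, b"\x00\x30\x08\x02" + b"\x00" * 276)]                                   # RRSIG-sized
)


def build_response(query, records):
    """What a resolver sends back, to whatever source address the query carried (the victim,
    if spoofed). If the full answer exceeds the advertised UDP size, a conforming server sets
    TC and returns only the question. Assumes the query's only additional record is OPT."""
    txid = struct.unpack("!H", query[:2])[0]
    arcount = struct.unpack("!H", query[10:12])[0]
    qend = skip_name(query, 12) + 4
    question, opt = query[12:qend], query[qend:]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    full = (struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, arcount)
            + question + b"".join(records) + opt)
    if len(full) <= advertised_udp_size(query):
        return full
    return struct.pack("!HHHHHH", txid, flags | FLAG_TC, 1, 0, 0, arcount) + question + opt


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


def amplification_factor(query, response):
    """Bandwidth amplification factor: bytes delivered to the victim per byte the attacker sends."""
    return len(response) / len(query)


if __name__ == "__main__":
    for size in (None, 4096):
        q = build_query("example.com", QTYPE_ANY, edns_udp_size=size)
        r = build_response(q, SAMPLE_RECORD_SET)
        print(f"EDNS0 size {size}: query {len(q)} B -> response {len(r)} B, "
              f"{amplification_factor(q, r):.1f}x, truncated={is_truncated(r)}")
```

With the constructed record set, the 40-byte EDNS0 query draws a 937-byte answer (about 23x); the same query without EDNS0 gets a 29-byte truncated reply. Real ANY answers for zones with large DNSSEC key sets get larger still, which is where the 30 to 50x figures come from.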

Mikrotik Routers and Open DNS Resolvers

Mikrotik routers, widely deployed by ISPs and small businesses, are often left with their built-in DNS cache answering remote queries (the RouterOS `allow-remote-requests` setting) and reachable on the WAN interface because no firewall rule blocks UDP/53 from the internet. This misconfiguration creates a significant pool of open resolvers. Many Mikrotiks:

  • Run outdated RouterOS versions with known vulnerabilities.

  • Have the DNS cache accepting queries from any source address, including the internet.

  • Lack the firewall or segmentation rules that would restrict resolver access to the LAN.

In South Africa, this issue is widespread, with numerous unsecured Mikrotiks contributing to DNS amplification attacks.


The Situation in South Africa

South Africa has experienced numerous DNS amplification attacks originating from poorly secured networks. Providers such as Vodacom, Herotel, Afrihost, Vox, and Cool Ideas have been observed as sources of these attacks. Many of these networks host open resolvers, which are exploited by attackers to amplify DDoS traffic.


The Role of Source Address Verification

A fundamental solution to preventing DNS amplification attacks lies in Source Address Verification (SAV), the ingress filtering described in BCP 38 (RFC 2827) and, for multihomed networks, BCP 84 (RFC 3704).

What Is Source Address Verification?

SAV checks, at the edge where traffic enters a network, that a packet's source address is one the sending network is actually entitled to use: on a customer port, the prefixes assigned to that customer; on other links, a source whose reverse path (unicast RPF) points back out the interface the packet arrived on. When enabled:

  1. Packets with spoofed source IPs are identified and discarded at the first hop, before they ever reach a reflector.

  2. Traffic whose source address does not belong to the originating network is blocked, so a host cannot claim a victim's address.
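The check described above, as an added example that is not code from the article or from any router vendor: a strict unicast RPF lookup and a BCP 38 static customer ACL applied to constructed packets against a constructed three-entry FIB. Interface names (`cust1`, `cust2`, `upstream`) and the prefixes are assumptions; addresses come from the documentation ranges.

```python
import ipaddress

# Constructed FIB for a small ISP edge router: prefix -> interface the route points out of.
# 'cust1' and 'cust2' are hypothetical customer ports, 'upstream' the transit link.
FIB = {
    "198.51.100.0/24": "cust1",
    "203.0.113.0/24": "cust2",
    "0.0.0.0/0": "upstream",
}

# Constructed per-port allow-lists: the address space each customer was assigned.
CUSTOMER_PREFIXES = {
    "cust1": ["198.51.100.0/24"],
    "cust2": ["203.0.113.0/24"],
}


def longest_match(fib, ip):
    """Longest-prefix lookup; returns (network, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf(fib, src_ip, in_iface):
    """Strict unicast RPF: forward only if the best route back to the source leaves
    through the interface the packet came in on."""
    match = longest_match(fib, src_ip)
    return match is not None and match[1] == in_iface


def loose_urpf(fib, src_ip):
    """Loose uRPF: the source only needs some non-default route in the FIB. Weaker, but
    safe on asymmetric or multihomed links. With this toy FIB (a default plus two customer
    prefixes) it rejects everything outside those prefixes; a full-table router would not."""
    match = longest_match(fib, src_ip)
    return match is not None and match[0].prefixlen > 0


def customer_acl(allowed_prefixes, src_ip):
    """BCP 38 static ingress ACL on a customer port: only the customer's own prefixes may
    appear as the source address. The simplest form of SAV."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in allowed_prefixes)


# Constructed packets: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("cust1", "198.51.100.7", "8.8.8.8"),        # customer's own address: forward
    ("cust1", "192.0.2.50", "203.0.113.53"),     # victim's address as source, aimed at a resolver: drop
    ("cust2", "203.0.113.9", "198.51.100.1"),    # forward
    ("cust2", "198.51.100.9", "1.1.1.1"),        # cust2 borrowing cust1's space: drop
    ("upstream", "192.0.2.50", "198.51.100.7"),  # internet to customer, default route -> upstream: forward
    ("upstream", "203.0.113.9", "198.51.100.7"), # our own prefix arriving from transit: drop
]


def filter_packets(fib, packets):
    """Apply strict uRPF to every packet and return (iface, src, dst, verdict)."""
    return [(iface, src, dst, "forward" if strict_urpf(fib, src, iface) else "drop")
            for iface, src, dst in packets]


if __name__ == "__main__":
    for iface, src, dst, verdict in filter_packets(FIB, SAMPLE_PACKETS):
        print(f"{iface:9} {src:>14} -> {dst:<14} {verdict}")
```

The second packet is the amplification attack at its source: the spoofed victim address never leaves the customer port, so the open resolver at 203.0.113.53 never sees it. Strict mode is the right choice on single-homed customer ports; on transit and peering links, where paths are often asymmetric, loose mode or a static ACL of the provider's own prefixes avoids dropping legitimate traffic.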

Why ISPs Must Implement SAV

Despite its effectiveness, SAV is not universally implemented by ISPs. Part of the reason is incentive: filtering at the edge protects other people's networks from spoofed packets originating inside yours, not your own network. This negligence allows attackers to spoof source IPs, enabling DNS amplification attacks. If all ISPs enabled SAV:

  • Spoofed packets would be stopped at their origin.

  • Open resolvers would no longer be usable as tools for amplification.

  • The global threat landscape for DDoS attacks would shrink significantly.

ISPs like Vodacom, Herotel, and others need to prioritise SAV to mitigate the impact of DNS amplification attacks originating from their networks.


How to Secure DNS Resolvers

While SAV is essential, securing DNS resolvers themselves is another critical step. Here are some best practices:

  1. Disable Open Resolver Functionality:
    DNS servers should only respond to authorised queries from specific IP ranges.

  2. Update Firmware:
    Devices like Mikrotiks must run a current RouterOS release to patch known vulnerabilities.

  3. Implement Rate Limiting:
    Limit the number of queries a resolver answers per client per second so a single spoofed source cannot pull large volumes through it (authoritative servers can use Response Rate Limiting for the same purpose).

  4. Restrict Access:
    Configure DNS resolvers to only accept queries from internal networks or authorised IPs, and block UDP/53 on the WAN interface of routers that run a DNS cache.

  5. Monitor Traffic:
    Watch query logs for ANY queries, queries from outside the served ranges, and bursts from a single source; together these indicate the resolver is being used as a reflector.
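Practices 3 and 5 above, as an added example that is not part of the original article: a triage pass over constructed BIND-style query-log lines that flags clients outside the resolver's allowed ranges (the open-resolver symptom), counts amplifier-friendly query types, and applies a per-client per-second limit. The allowed ranges, the 20 qps ceiling, the log lines and the victim address 192.0.2.50 are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed policy: only these client ranges may use the resolver.
ALLOWED_CLIENTS = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]
RATE_LIMIT_QPS = 20                                      # per-client ceiling per second (assumption)
AMPLIFIER_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}     # types that tend to yield large answers

# BIND-style query log line (constructed format; the "@0x..." pointer newer BIND prints is tolerated).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@\S+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)


def constructed_log():
    """Constructed sample: a few internal lookups, then a one-second burst of ANY queries
    whose source is the spoofed victim address 192.0.2.50."""
    lines = [
        "14-Jan-2025 10:00:00.101 client 10.1.2.3#5353 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)",
        "14-Jan-2025 10:00:00.150 client 192.168.4.9#40111 (mail.example.com): query: mail.example.com IN MX + (10.0.0.53)",
        "14-Jan-2025 10:00:00.900 client 10.1.2.3#5354 (example.com): query: example.com IN TXT + (10.0.0.53)",
    ]
    for i in range(40):
        lines.append(f"14-Jan-2025 10:00:01.{i * 20:03d} client 192.0.2.50#{20000 + i} (example.com): "
                     "query: example.com IN ANY +E(0) (203.0.113.53)")
    return lines


def parse_line(line):
    """Return a dict with ts, client, qname, qtype, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec


def is_allowed_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


class PerSecondLimiter:
    """Fixed-window limiter: at most `limit` queries per client per wall-clock second."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, client, ts):
        key = (client, ts.replace(microsecond=0))
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def triage(lines, limit=RATE_LIMIT_QPS):
    """Run the checks over a log and summarise what an operator would act on."""
    limiter = PerSecondLimiter(limit)
    report = {"parsed": 0, "external_clients": set(), "amplifier_queries": 0,
              "dropped_by_limit": defaultdict(int)}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        report["parsed"] += 1
        if not is_allowed_client(rec["client"]):
            # Answering this at all means the resolver is open to the internet.
            report["external_clients"].add(rec["client"])
        if rec["qtype"] in AMPLIFIER_QTYPES:
            report["amplifier_queries"] += 1
        if not limiter.allow(rec["client"], rec["ts"]):
            report["dropped_by_limit"][rec["client"]] += 1
    return report


if __name__ == "__main__":
    rep = triage(constructed_log())
    print(f"parsed {rep['parsed']} lines; external clients: {sorted(rep['external_clients'])}; "
          f"amplifier-type queries: {rep['amplifier_queries']}; "
          f"dropped by rate limit: {dict(rep['dropped_by_limit'])}")
```

On the constructed log the only external client is the victim's spoofed address, 41 of 43 queries are amplifier-friendly types, and the limiter discards 20 of the 40-query burst. The external-client finding is the one to act on first: a resolver that should serve only internal ranges but is answering 192.0.2.50 at all is already a reflector, and access restriction removes the problem that rate limiting only dampens.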


Wrap

DNS amplification attacks are a severe threat that continues to plague networks worldwide. In South Africa, the prevalence of unsecured open resolvers, particularly on Mikrotik devices, exacerbates the problem. By implementing Source Address Verification and securing DNS resolvers, ISPs and network administrators can significantly reduce the impact of these attacks.

The message is clear: securing DNS infrastructure is not optional. It’s a necessary step in safeguarding the internet against amplification attacks and ensuring a safer digital landscape for everyone.



Written by

Ronald Bartels

Driving SD-WAN Adoption in South Africa