The idea for this article arose from a previous article on LinkedIn, “Jak “przeskanowałem” Polskę” (“How I scanned Poland”), or, to be more precise, from questions that appeared in my private inbox on LinkedIn.

People were interested in how to secure their servers and asked me to check whether their servers were safe. You can find that article at http://bit.ly/2lYJmWa.

I was also wondering how dangerous it is (for myself and others) to keep an open recursive DNS server, so I decided to conduct a little research, the results of which I am going to show you.

It goes without saying that if you put your server on the Internet, you need to take care of its security and limit access to it as much as possible.

The DNS protocol can be used both for attacks on the victim’s own infrastructure (DNS server, channel) and for attacks on other companies. Over the previous year, the number of such attacks increased at least 4 times.

At digitalattackmap.com, a website that visualizes DDoS attacks, we can see that DNS is highlighted in the list along with attacks on the Web (ports 80/443).

As you probably know, the DNS service works (mainly) over the UDP protocol, which is connectionless: there is no handshake to confirm the sender’s address, so the source address can be spoofed and the server can be used for attacks on other servers without any special preparation.

I conducted a small test across the world and got some statistics:

These hosts correctly returned “famoc.com.” (the company where I work) while acknowledging requests for recursion, and did not give any error codes in the DNS response (the Response Code was NOERROR).

This scan only reported DNS servers that responded on port 53/udp. DNS servers that responded on ports other than 53 are not included.

These servers can be either misconfigured authoritative or caching DNS servers, or simply CPE (customer-premises equipment) devices.

My quick test is confirmed by https://dnsscan.shadowserver.org/. The name of this site speaks for itself: “Open Resolver Scanning Project”.
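
The criteria used in the scan above (recursion acknowledged, an answer returned, response code NOERROR on 53/udp) can be applied to a server you operate. The following Python code is an added example, not code from the original article; the function names, the default query name and the two sample response headers are constructed for illustration.

```python
import secrets
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, qid, qtype=1):
    """Encode a query with RD=1 (recursion desired); qtype 1 is A."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(data, qid):
    """Apply the article's criteria to a raw DNS response."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & QR:       # wrong ID, or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"                   # recursion denied by policy
    if flags & RA and rcode == 0 and ancount > 0:
        return "open-resolver"             # recursion available, NOERROR, answer
    return "no-recursion"

def check_server(ip, name="example.com", timeout=3.0):
    """Query a server you operate on 53/udp from an outside network.

    Use a name the server is not authoritative for, otherwise an answer
    does not prove that recursion was performed.
    """
    qid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify_response(data, qid)

# Constructed sample response headers (not captured traffic).
OPEN = struct.pack("!HHHHHH", 0x5A17, 0x8180, 1, 1, 0, 0)    # QR RD RA, NOERROR
CLOSED = struct.pack("!HHHHHH", 0x5A17, 0x8105, 1, 0, 0, 0)  # QR RD, REFUSED
```

A result of "refused" or "no-answer" from outside your network, together with normal resolution from inside it, is the outcome a restricted resolver should give.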

Formulation of the problem

The following questions were formulated, to which I would like to receive answers:

  1. How quickly will a DNS server be detected?
  2. When will it be used for illegal purposes?
  3. How to determine the load on the server (the number of requests per second)?
  4. How to determine which organisations are targeted?
  5. Will compromised (blacklisted) domains and/or IP addresses be requested?

For testing, I used a server hosted in a European data center of one of the cloud providers. To check the domains, I used the RPZ (response policy zone) mechanism and the blacklist from https://dnschecker.org.

I am not going to overwhelm readers with multiple concepts about DNS attacks, but let me remind you of some basic principles.

The following principles are used to carry out attacks through the DNS server:

  1. DNS works over UDP, so an attacker can replace the source IP address of a query with the victim’s address;
  2. DNS traffic is asymmetric: response traffic can exceed incoming traffic several times over.

Based on these principles, we can distinguish the following types of attacks using DNS:

  1. Amplification attack. This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible. The amplification factor can reach 70x;
  2. Reflection attack. Third-party DNS servers (such as mine) are used to spread the attack by sending a large number of requests. In this type of attack, the address from which DNS queries are sent is replaced by the IP address of the victim, so the request carries the data of the victim’s server, not the attacker’s. As a result, when the nameserver receives requests, it sends all responses to the victim’s IP address. A large amount of such “reflected” traffic can disable the victim’s server / network;
  3. Distributed reflection DoS (DrDoS) – combines reflection and amplification attacks, which significantly increases the possibility of disruption to the victim’s server.

The list of possible attacks is not complete, but it is sufficient for this study.

Let’s move from resolutions to results:

During the week, a total of 589 thousand requests were received for 84 domains from 2567 clients, which indicates the success of the study and the importance of this topic.

Here you can see a graph with the number of queries to the DNS server per second.

Conclusions

So, here are the answers to our questions:

How quickly will a DNS server be detected?

The first request came from China (of course) after 1 hour 11 minutes, for the domain www.google.it.

When will it be used for illegal purposes?

After 1 day, the server began to be used periodically for attacks. In 30 minutes, 300 requests to the idf.il (Israel Military Forces) domain were received. Gradually, the number of requests and the duration of attacks increased.

How to determine the load on the server (the number of requests per second)?

At the time of the attack, the server experienced a maximum load of 2-4 requests per second. On the last day of testing, the number of requests increased sharply to 20 requests per second. The DNS Amplification attack was used. It is difficult to determine whether it was combined with DNS Reflection.

How to determine which organisations are targeted?

The number of domains requested was not large, so identifying potential victims and domains used exclusively for attacks was easy.

Additionally, in the top 10 we can find some Akamai servers, one German web-hosting company (which provides DDoS protection :)) and a Russian game-hosting service. I suppose that these servers were hacked and used in some botnet.
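
Both measurements discussed above, the load in requests per second and the list of requested domains and source addresses, can be derived from the resolver's query log. The following Python code is an added example, not the tooling used for this study; the log lines are constructed and modeled on BIND's query log format, which is an assumption because the article does not name the server software.

```python
import re
from collections import Counter

# Constructed sample lines in BIND-style query log format (assumed format).
SAMPLE_LOG = """\
17-Feb-2020 10:15:01.101 client 198.51.100.7#4123 (amp.example): query: amp.example IN TXT +E(0) (192.0.2.53)
17-Feb-2020 10:15:01.340 client 198.51.100.7#4123 (amp.example): query: amp.example IN TXT +E(0) (192.0.2.53)
17-Feb-2020 10:15:01.610 client 198.51.100.7#9911 (amp.example): query: amp.example IN TXT +E(0) (192.0.2.53)
17-Feb-2020 10:15:01.905 client 198.51.100.7#9911 (AMP.example): query: AMP.example IN TXT +E(0) (192.0.2.53)
17-Feb-2020 10:15:02.050 client 198.51.100.7#4123 (amp.example): query: amp.example IN TXT +E(0) (192.0.2.53)
17-Feb-2020 10:15:02.700 client 203.0.113.9#5353 (www.example.org): query: www.example.org IN A + (192.0.2.53)
17-Feb-2020 10:15:03.000 general: info: zone reloaded
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d)\.\d+ client (?:@\S+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<name>[^)]+)\): query:")

def analyse(log_text, top=3, burst=3):
    """Summarise load and targets from a query log.

    In a reflection attack the logged client address is the spoofed source,
    i.e. the likely victim, so the busiest "clients" are the ones to look at.
    """
    per_second, names, clients, triples = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # skip non-query log lines
        name = m["name"].lower().rstrip(".")
        per_second[m["ts"]] += 1
        names[name] += 1
        clients[m["ip"]] += 1
        triples[(m["ts"], m["ip"], name)] += 1
    # (address, name) pairs repeated at least `burst` times within one second
    bursts = sorted({(ip, n) for (_, ip, n), c in triples.items() if c >= burst})
    return {
        "total": sum(per_second.values()),
        "peak_qps": max(per_second.values(), default=0),
        "top_names": names.most_common(top),
        "top_clients": clients.most_common(top),
        "bursts": bursts,
    }
```

The `burst` threshold is a hypothetical parameter; set it from the normal per-client rate you observe on your own resolver.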

Will compromised (blacklisted) domains and/or IP addresses be requested?

No. This is logical, since a botnet/malware attacks via the open DNS server, but connects to and receives commands from its control center using the provider’s DNS servers.

I find this graphical representation of the distribution of DNS servers by country, both open recursive and authoritative, very interesting.

Conclusions:

Based on the results obtained, the following obvious conclusions can be drawn:

  1. It is necessary to restrict access to all server resources, and in particular to a recursive DNS server.
  2. You must constantly monitor the load of the DNS server and data channel. A sharp increase in load can indicate both a DDoS attack and a server hack.
  3. When using DNSSEC, it is necessary to reasonably limit the number of incoming requests (rate limit).
  4. Check whether your CPE allows access to DNS through the WAN interface.
  5. It makes sense for providers to restrict access from the Internet to recursive DNS server clients.

I planned to finish my test in a week, but because of the significant increase in load (from 2 to 20 QPS) on the last day of testing, I decided to extend the study for another week…

…Now the median QPS is going vertical.