Advanced Persistent Surveillance: DNS Amplification Detection

I was doing some research today on DNS Amplification and how it can now be used as a weapon for DDOS. Within a few minutes I was actually able to simulate (on a very small scale) and demonstrate how you can track DNS Amplification attempts.

What I did:
I ran the following command against my local DNS server to create a 500-byte response:

dig @192.168.1.32 prague.studlab.os3.nl rrsig | grep -i " size "


This produced the following: (Notice the spike at 11:57 – 11:59.) If you’re middle-aged and blind like me…click the image :)

After drilling into the two minute spike by clicking on the chart I noted the following:
First I noted that we received 100 DNS requests within a one-minute period from the host 192.168.1.97.

I noted that the record types were all “Other”. This was certainly different from the normal traffic I had seen over the previous two hours.

I also noted that the response size was considerably larger, and exclusive to one client, within the two-minute period than over the previous two hours (the average was less than 100 previously).
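One way to turn those three observations (a per-minute burst from one client, record types falling into “Other”, and a large average response size) into an automated check over DNS logs. This is an added example, not code from the original post; the log tuple format, addresses, minutes and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample DNS log records: (minute, client, qtype, response_bytes).
# The first rows mimic the baseline the post describes (ordinary lookups with
# answers under 100 bytes); the last rows mimic the burst of 100 RRSIG queries
# from one client with ~500-byte responses. All values are illustrative.
BASELINE = [("11:50", "192.168.1.10", "A", 80), ("11:50", "192.168.1.11", "AAAA", 96),
            ("11:51", "192.168.1.12", "A", 72), ("11:55", "192.168.1.10", "MX", 110)]
BURST = [("11:58", "192.168.1.97", "RRSIG", 500) for _ in range(100)]
RECORDS = BASELINE + BURST

# Record types treated as "normal"; anything else is counted as "Other",
# mirroring the chart category the post refers to (assumed set).
COMMON_QTYPES = {"A", "AAAA", "CNAME", "MX", "PTR", "NS", "SOA", "TXT", "SRV"}


def detect_amplification_sources(records, min_queries=50, other_ratio=0.5,
                                 min_avg_size=300):
    """Return {(minute, client): stats} for every client whose traffic in a
    given minute shows all three indicators from the post: a query burst,
    mostly 'Other' record types, and a large average response size.
    Thresholds are assumed; tune them from your own baseline."""
    buckets = defaultdict(lambda: {"count": 0, "other": 0, "bytes": 0})
    for minute, client, qtype, size in records:
        bucket = buckets[(minute, client)]
        bucket["count"] += 1
        bucket["bytes"] += size
        if qtype not in COMMON_QTYPES:
            bucket["other"] += 1

    flagged = {}
    for key, bucket in buckets.items():
        avg_size = bucket["bytes"] / bucket["count"]
        if (bucket["count"] >= min_queries
                and bucket["other"] / bucket["count"] >= other_ratio
                and avg_size >= min_avg_size):
            flagged[key] = {"count": bucket["count"],
                            "other": bucket["other"],
                            "avg_size": avg_size}
    return flagged


if __name__ == "__main__":
    for (minute, client), stats in detect_amplification_sources(RECORDS).items():
        print(f"{minute} {client}: {stats['count']} queries, "
              f"{stats['other']} 'Other', avg {stats['avg_size']:.0f} bytes")
```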


Conclusion:
DNS amplification is becoming a new tool for bad actors to use to try and DDOS your services. Beyond the INFOSEC angle, DNS is an important part of today’s tiered applications, and you should know how every DNS server in your network is performing. Wire data analytics lets you see the DNS performance of your A/D controllers for regular communications, and it also provides visibility into one of those UDP blind spots, showing you who is attempting to DDOS you using DNS Amplification.

Thanks for reading

John
