DNS Amplification Attack
Introduction
A few years ago, perhaps 2012 or 2013, my normally OK internet began to slow down. Pretty soon everything was skipping and downloads took forever. Watching YouTube was painful (and not because of the ads this time). There's always a bit of variation, and this is home internet, so it was a few days till I investigated.
The source of the problems was quite a surprise to me: I was the unwitting co-conspirator, and co-victim, in a 65GB DDoS attack!
How did this work? Was I infected by some malware and now part of a bot net that some evil attacker was using? No, but there was a botnet, and it was using me - without even buying me dinner first!
The attack was using a method called a "DNS Amplification Attack", making use of my open DNS server. I host my own domain, so I ran a DNS server that was open so that any system on the internet could look up the IP addresses for my websites and other services.
We, collectively the whole internet, have long since learned the dangers of an open SMTP email relay. This is when I learned the dangers of an open recursive DNS server.
Yesterday, looking at the logs, I see an attempt at the same type of attack, so I thought I could use this as an excuse to blog about the event.
Suricata IDS Logs
Setting up IDS, we noticed a warning about active ongoing attacks.
What is an IDS? IDS means "Intrusion Detection System." It's a network device, kinda like a firewall, which watches the network, looks for suspicious network traffic, and generates alerts. IPS is the bigger version, which does the same thing but also acts as a dynamic firewall to automatically block traffic that's too obviously hostile.
So, the DNS amplification attack attempt generated an alert in the IDS logs and those logs look something like this:
10/20/2021-17:41:20.167353 [**] [1:2016016:8] ET DOS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 79.68.16.245:80 -> 10.1.2.13:53
10/20/2021-17:42:23.746478 [**] [1:2016016:8] ET DOS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 79.68.16.245:80 -> 10.1.2.13:53
This is all on the inside of my edge-router, so NAT has already been performed rewriting the DNS server IP to 10.1.2.13. You can see the victim in this, too, at 79.68.16.245.
The true source of this isn't identified, nor identifiable. The source has been spoofed so that the request appears to come from the victim. That's a requirement for this type of attack.
A Packet Capture
Of course, with this alert, one simply must do manual validation. The IDS gives me a high likelihood of an attack in progress, but it doesn't tell me the true impact.
The first thing I did was look at the packet capture, so let's look at that sample packet dump:
17:47:42.363486 P 00:1a:4a:16:01:63 ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 237, id 35111, offset 0, flags [none], proto UDP (17), length 59)
79.68.16.245.80 > 10.1.2.13.53: 17767+ [1au] ANY? sl. (31)
17:47:42.363499 Out 00:1a:4a:16:01:63 ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 237, id 35111, offset 0, flags [none], proto UDP (17), length 59)
79.68.16.245.80 > 10.1.2.13.53: 17767+ [1au] ANY? sl. (31)
17:47:42.363486 P 00:1a:4a:16:01:63 ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 237, id 35111, offset 0, flags [none], proto UDP (17), length 59)
79.68.16.245.80 > 10.1.2.13.53: 17767+ [1au] ANY? sl. (31)
17:47:42.364838 P 56:6f:7f:21:00:15 ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 63, id 33663, offset 0, flags [none], proto UDP (17), length 59)
10.1.2.13.53 > 79.68.16.245.80: 17767 Refused- 0/0/1 (31)
17:47:42.364853 Out 56:6f:7f:21:00:15 ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 63, id 33663, offset 0, flags [none], proto UDP (17), length 59)
10.1.2.13.53 > 79.68.16.245.80: 17767 Refused- 0/0/1 (31)
17:47:42.364838 P 56:6f:7f:21:00:15 ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 63, id 33663, offset 0, flags [none], proto UDP (17), length 59)
10.1.2.13.53 > 79.68.16.245.80: 17767 Refused- 0/0/1 (31)
What we see here does look suspicious to my eye, too.
The query is simple: ANY sl.
It's asking me for a DNS zone that I don't manage. Why would it decide I was a good place to ask? The root DNS servers would answer that, not me, so that's one strike against it. But MAYBE someone just has their DNS server set to me?
Second, it's asking for ANY, literally asking for every record that the sl. TLD has (not subdomains, but about the sl domain itself). That it is asking for the most data it could ask for is suspicious. That's strike two. But sometimes you do search for extra information, like if you were debugging it.
Finally, strike three is that there are multiple requests. You can see 3 at that moment, but they were repeated more often than once a second. Even if this wasn't part of an amplification attack, I would consider anyone spamming my server malicious.
The three answer sections in this capture show that my DNS server was doing the right thing and refusing the transaction. My servers now have recursion turned off, so they will only answer questions about my domain.
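As an added illustration of that "recursion turned off" setting (this is not the author's actual configuration, and it assumes BIND as the server software with example.org as a stand-in zone), here is the open-resolver setting that makes a server usable as a reflector, beside an authoritative-only setting with response rate limiting. Only one of the two options blocks would appear in a real named.conf.

```conf
// Weak: answers recursive queries from anyone on the internet, so the server
// will happily resolve (and amplify) "ANY sl." for a spoofed source address.
options {
    recursion yes;
    allow-recursion { any; };
};

// Hardened: authoritative only. Queries for zones this server does not host
// get REFUSED, as in the capture above, and repeated answers to one address
// are rate-limited so even a REFUSED reflection is throttled.
options {
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    rate-limit {
        responses-per-second 5;   // per client address, per second (assumed value)
        window 5;
    };
    minimal-any yes;              // BIND 9.11+: answer ANY over UDP with one RRset
};

// The zones this server is authoritative for are still answered for everyone.
zone "example.org" {              // placeholder zone name
    type master;
    file "/etc/bind/db.example.org";
    allow-query { any; };
};
```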
But What Would Have Happened?
Let's look at this query, but instead, let's ask Google's famous nameservers the question to see what the answer would look like.
Here's the query:
15:11:46.012847 56:6f:7f:21:00:15 > 00:1a:4a:16:01:63, ethertype IPv4 (0x0800), length 111: (tos 0x0, ttl 63, id 57487, offset 0, flags [DF], proto TCP (6), length 97)
10.1.2.13.42813 > 8.8.4.4.53: Flags [P.], cksum 0xede6 (correct), seq 1:46, ack 1, win 210, options [nop,nop,TS val 1136475495 ecr 1403670115], length 45 19107+ [1au] ANY? sl. (43)
You can see that it's the same ANY and sl. as the original attack, and see the length of the request. There are various lengths here: On the ethernet wire, it's 97 bytes with 43 bytes (the (43) at the end) for the DNS part of the query. The difference is TCP/IP information. This is a little longer than the actual capture above, probably because they shaved off the UDPsize argument.
I'm going to show you the response itself, not even a packet capture:
;; ANSWER SECTION:
sl. 20553 IN SOA ns1.neoip.com.sl. adam.neoip.com. 2914953687 600 900 7200 3600
sl. 753 IN TXT "Generation Time: 1634833813"
sl. 753 IN NS ns1.neoip.com.
sl. 753 IN NS ns2.neoip.com.
sl. 20553 IN DNSKEY 256 3 7 AwEAAcs80gvIGeM7TDoBt0gfjFsmJ+6UOdllB39s2RuwjQxHuOhnzWTW uuR3R28fuYVkfQs67OweuAcg2QilShXyrrnpaFTkuoOqN5ZGvBuIOQVA fxUHXuDmPg8luuNyIOwrV0WR4Z8BnhAAuaZOAWpvpa5QsP4Zv4wEopjZ iwvbZNYeuTZu/Lrh8kLx2BjRNKE3vX901UC9jo/aueInhnLtAm7iPkqD icOvMiLeEgCCGf76gFf3EjNKtO78T/LF0ySL8saQGTb/shrfeCp6DKzf pk9PTrM0yjckMM2IgpmwVCJFVoBGlt0MZeunuengAbB1WwaDwRrVro3O 4XcqohmRp0c=
sl. 20553 IN DNSKEY 257 3 7 AwEAAfHhW4FXfxF41FuOfzmFu+lphl7YE4Q9nS+vcfuSYXsDdp1sHSOb pJ5TmIH9Kde1QncZJiohXKadkeBAPVa6d2H1ol5uPXq2ZF7riT4cvNZD HcO0BFHGVqsmb+ut+J4P1rfhoCDgWyUhwHJKQj4hfYgdHMFDH5EpCVoN I1PzwXM1J2GSIah2OFRTehvVglduiZES2fQuEMToaranjtSMZ2qIHr+6 wBD461y3VxhPJS0EYi9GV+SRHWvgu6YcTbpH91atZFG74/117DHOGdZt HHIYru/imz5qEstlz1tfekBb44v6RIZewp1Zp1Z13nLUSze1nBFTfdyc XFWfD3eaZuY7vgTURMsE803NJKCYaP/HeV92VTfnDVarreRUSBD2uN5G z8HCr8VPtbj+zSHCReqalXvTgTqMXRKEqufGvH7q3pypYOlz1Uh2HgWM 4B/yoxGxCnwH4r+Y6fV9gHE2qq6xt2uG81YzskwehWfvDlWerWq6xK/z YJ1tyUUvI9BU2GCCg7MqbY6VrHYlH75i/O9BCC21PwToKNhT4Mx+L/lp 5mE91Af74SH+5LEFY+N8JAjOh26c3yipAjlqMSWLtAfaTZzSwlZ60hWI dDvKBl4UUlxPQznFNFlSCpJ2C5H9+iNtWanPsR/9TAsdYa25fhLPWQRd OGFecVwP5/1hDL2/
sl. 20553 IN DNSKEY 256 3 7 AwEAAb4qjYqBg4yE5D+OKMKCt8pOMfhl69duSzOnVq/GD/xlVUMmvueh EkD2q048nkEqAHEiL+r8ggxV+t+SIyTwWKU3OkkQdHzCUpEEK5nVE2CI yjidqMxC99aAA5fSJH+oQexm6/gh9gSvd6Xmudu2mNbHH72Gvg6iJ88O Drlu184vYzg95xtNN7Mw1Vljq/1voHFzdy0SrB6HP7H+PrnO773Lc8u7 bt/FgWd0h4/BWxdoK2iyeG2sqO6CoLmAikSBrXeCN59PixOsJgLo9Wyp 8UC6LXIS8veSZ6/AgtyR9F+r3I5VexjQzdjr8DcyOpym/cfSq0Uudako LIsrAy9Ji1M=
sl. 20553 IN DNSKEY 257 3 7 AwEAAdxd7o/dx+wvfkCapfZkKFGjalYjk35IDQ7ZrlvtvYXf9a/MBxAB VbuY2ipb/At7Cn2MREtVfdT/+TWEzqeybYXZSBwYtkfGxdHvmppddHQj /aFZ6OpQ22W4XnLDv3SGayueUAZ693tJNy8DFJlyuiT1n0oFn66r2swd kTbhAwesTN40f/Kgz/m02FqcnyEce0aB+ffR4qxbRaBQKNfzoE/on6kL ODDgI6g5W1qa11hcrH1CmKy/j2LzVbm90DsFOhUdfZOIFR9Pq21lysTI O8alMiQO4BhiaOyXqItA6ptGQbGORRNH1Qn++8CNi/vUr852W459VFrm 0MIgqoUyUtPafjiPdyb7GcQiA8s4+Sf0niQFxpbdINDk5B1VjyTgZI95 /N21vUdHWD1Cp4eK/CRvNMcLp0ZqDiOBZG5LEk/7d2Cpc9xImgMfdp1v DTMo+xEw4MVf2JlzMZJZr5cWKc/dpQb4/Kh6JnwQFSR4Chd+hVu9AHRz ojro7qDUoTVNOdrrzVsk/10NIGDg0LaPbAQI6JtU5DQCRPVcjoOGeCI1 E2bWKMLwl4qYnJn9KMDo3/5fxU14+YHZ44C1rAn7AXhZX3me3a5phTBR QtSkudiSxf1Bf52yguXFyEIUPbdPSBSIKL5tflsfZ8JCRt8dfDYh8aGM Gev7U7HsiMKuxxqT
sl. 20553 IN RRSIG DNSKEY 7 1 21600 20211112081030 20211013072131 14507 sl. MbvFG8v/DuDYjiyqrhDvn7uyw9T18RMpQZkcHj/AqA6cvoIxQMr/k/E9 ojhhnR7zkmPRpaCWjwPIB1wihgRWvsVnCanAPwfJqjgQmY6/9NKdLiZn E/Brmy5qSuleKh7uZN48Bz0If93DDfaB/idP/d8vFxtjkUmxXewoHvxS azzguoAwpHcQmQY7MH1MFjniFwJK/e4iRKVfKMoDgAqGs0wOx1gUDqWm ksJZQaqxCHr8eEAvOuwjwcRwOLSCzY8icu0ygwki3hXL5OuqYB+tcNZG 4MGoo5oi2hIKlCqq17NMJsm9tkSPmqA4/iCsCGnTEpNx1iwVNx/6VhB3 td/Sdg==
sl. 20553 IN RRSIG DNSKEY 7 1 21600 20211112081030 20211013072131 55940 sl. tzYI1EBidz+ImfR5hWIiXMY5CuW2eRGzgmGBr59BHq7ja00UxT7+pZnJ HL+RSkjAjiuDqmgJQj9dMfqOd8sCJ0fCS9KMWMALecTAiRuNpyOw27a8 t/LbH8FnNsQlLnL0wF53XG8j9f7Ts2SUKuwQHnUIdaxU7dk+YDjEkepy K83Q1kic9bHrlMjBltC1RbPt//fWCugikmNw8FingxDpkJvpaBRCmt5n ASvurxnFedf2pWvZeLr/535JrJl+kfNwTSjl/gB6W41aG023/W67SLxh 0NnJauCo0doRHOu/lsvtwSAZKqbH3Q0bMXBGELS5t4iW9prjJF+Efy+o 4tYjLg==
sl. 20553 IN RRSIG DNSKEY 7 1 21600 20211112081030 20211013072131 40824 sl. sg9He35+UFZbSluejbna6JcA2Qrur2krqXvbjRmgc3wz6GqDJmcAH2Cx BXkJ0KJxXGHL6GdNXPX12zkmVuyaAxK8SOLgdjlqt3mxM/8bVtFD+yYB lecuUPdxWHxI6ir3kpk01NB5LHURNZocQ65S/Tc9n3tZBYJrt+kpzrQ6 k1dAQUCOl8K+KtEIHQ/3hMzRPFR1ivmKqnmtqWe5EI09eLsTCbFyG/x6 jrTQzJAui389L1dZi8nKHyJbn2gFORmpfQ0HPKwTnGjDLulbF21+enP3 PTHRrIgIL90LBlfAxMsjwsGTJKhBESEhsnR9piGyc60txwIjDkUt71Cj 2mN6LLa+XtjbGEr8BVH9pzG24Vo50huXk/bkc4ZYzMZLFo8TsJpkos+M uNgf7+Y5TDBBZtlOKhUAt1icDXNim9j+jRuUOw8SfEoKVrscdYtqf5hv R9c7ZnpBgpJh8zdJ5fEHSWDHkC0sJzx/XKAXNzSJApQrLz3p16HMlEi9 TGPc+ZTMRobJ83igo0GxZa/qfk1Bsek2yWBU1sXRLNkL6tZOEaedI8rP RegKSWIrBHCVM+RbyL254feEsbFPOkYuHigql0sUvsHw+lfE9Iu5e2ZV j9p1XXh+WDgRNjRkRP9fT2drVwyZDKDVGjhaaT5D3AwoZWFHOBXwjesG dEya/8B/nuw=
sl. 20553 IN RRSIG DNSKEY 7 1 21600 20211112081030 20211013072131 1179 sl. GSqDjmR/ZyL/Ch3xphZ6x3A5txLlJISEvZyILOhJP6UE+e1oFDebyzEs VB6syMq3aRR58XVWePDEqH8DfNMXQa2CQcWCIvVGKZvdwE5GG09LZ3qh 0mFBI4/ubUQX9COgeBtXiBVokzCK467S60v0uOe9Pl/X3+X70revbsGc rga73016KGULZ0y2jw2iiNGsuj8VrkOzdLyWqJo/9s14rOL1Wx1ZzB3c 9vriUyIZgAdG9tSDoiMgmpz89HMZTocFkTp9yCiIeVvHZsziL8wWz2ej Znqn0gutyNQIVH5NGCA3PgnCStJZa+WXh2Ia0iqlfJPIcQ4wkPPBPCUj MKTxijk1F3Hx6gHvjFZYWtmiaXsup0rFFkiyWz/SkYSbd6yAqPullpNn Vhq84oCLlCOb7H2zh9hui1DjypWnF/W9qRCStYTChLhxG8aOGiZXl2Ao MuFteB+jChAYjUN6EnsAInVNhgqpYbpCPZ8GyjMatuyes6+6HfGGLvd4 ZqunI4Tr3JGl4adGCbaT1q5MBNb5MUk0nnLnGquyeqoQ/t9VUL87sX0e bK2WH5ojRn49EiY82xD/zhl+JCMvf4ZrPQecmCDH+ziIvqnPTS6Jcd1d dF6Kw0671WyKrxT80d2ajILIDxJeUyGnYa7hBrDjfaLgzQOSHnQx38Yc 4CqWxEG4U0I=
sl. 20553 IN RRSIG SOA 7 1 21600 20211120163014 20211021153014 14507 sl. ibpCNEVaR4ByBrVOvfrwig7CDQRMvbVVFTftDapR4G6hAFcPKDKYdOni V6r8oo6dsTW5r0+zrl9GuWdms5LckBaU/ha1jxB1QAxVb871Mcj7z/eG fJlip/fkxecPtmeO5LxCGH1/chuLUh1b/5niU6RvkbYFWadd0871maF4 n47peFYzS/VkkntZ7gEEV6oclWxQ4hU5nZAPKFmY5t/9u5sJ7r97001T 2meTqTN2H0rN907rndVCfqUPdYM5xtvwrJLYhfL7B0923p+KBcJWLj9y SU+ZaBqjKQllbOA0y2m4K4QOYr0+cmCgyow1CWspUiRx9ZSP6G9VBoQ8 CiN+5Q==
sl. 20553 IN RRSIG SOA 7 1 21600 20211120163014 20211021153014 55940 sl. bAkbsTs1Qmr0xEnxNq7lTUyY0GYiAGaMeEgb5hKZUtbJQU6QotEW/IG3 FpzEEYe7OE+hLLQ7qhn6ZUfxBbuQ/sn29iJVoJasXW5ADI6cXipu5QX3 QaPB7FFqio/SH+9kpK9JcRauiWmp/o2ZpeDu73sFRd6owuvXJnR+9jMI 8Rixg16yB+cp8KPqmT010JgOT0O1RdrrrdG+1uZy100AsgMlvHKCZNmE P4zBWiSdguskRIYmKTenM5I3CIhRH4aRVBh4JNKvBKx1gGKv6DxrJ0yc 1n4grL+J7yRGkM0YZpOeYApCn9ej7exjR4RZ2wJ9ydw5GTTD7XBfF8Ez DOm+Cg==
sl. 753 IN RRSIG NS 7 1 1800 20211106114502 20211007104502 14507 sl. PHN2HoPzLzpvc28YQeisJN3uxWfX/FjAu4B+ofWtqW0ZlcZ7gMWCjm+8 19ED+kN1AyAwXTRL7Bs/5t4/GZGmP4EcOycJ3efdqqPxLATFPu3h63OI XJRUws6kIe7VJ9Yx/as+uMMc8/hCHbCjmhNOAKX984HvUF43zdgu28bx I2stsSv7d+GADc4tp/oIMD/SVaGjoMrsOh9jeQ73bcJGxLu8DimQrn9t h5dKHr+ZGSZHWiGaT0h1pU4A8rFtDQDoDiempRAl51NCiGFUNze1xhWe 7YYtR871OCRskNeetpDce7nJ89NwoqtnJWAdxBR+5flQHgtk3+RPvNF4 edQ3jA==
sl. 753 IN RRSIG NS 7 1 1800 20211106114502 20211007104502 55940 sl. O82Uz5GLO8L+dV2NDGd2caQToDT+7iBw2q28DbgWVNPdeW4GCwUWo4BQ x6BeYI3CcPfekkC2W2S1taqyvHaOI1refAVIVEnQ1FafUg/2gt6vgKmK 55zjvwn0OMhh/7KH5d8csxWXxKvtNn+GMESgD1aS4zIQZ7P9N0T4gesD 7n3caNJTPg0Ca414rSoiTzoxv0BlzHIfyHe4nbB49R76bcCRt9yC0e/4 2qJpcbvzAQmNpkNHHDZm37TYKzpj0hGHeFLxB9DiO11DaiL1QDzi6sJP 19exjW31kZCda/X9djzNRstbFHL7M6YjrnmyfvYmi1Z647GD3WQgrg1A 5wbgDA==
sl. 753 IN RRSIG TXT 7 1 1800 20211120163014 20211021153014 14507 sl. gh/S5Ib/KmtCYsn0PAfaN1Grzsd/TOeo65TH0BoTfLiEINyWF7B5be9G QHM5FvvPZV/pKvcmJ7BskF9DcuYdplOm774oVNiWLRkkHC9hzDT1WYkb YaZwYVkJRpL75suSB+fvLgMvbWSQsP+u0ALtVHxvlWSRcXlx2laJphUI vVu/PBEa6OXy3ocFpr6zv1j5H8o+e+eowvKr6AfUdY9uj2EVPk/1aH43 Fjf/L6Bzhg32QiQ2fmiVRcHufN33vIaYT9+yuUV0cCQz9FxJAhgmEVDE AtQVY6dzfGSUFxAJLTJRC4spYPgwKG3JyLEKObO/bKR1e9e1eJcVBGfU DjSGEw==
sl. 753 IN RRSIG TXT 7 1 1800 20211120163014 20211021153014 55940 sl. nI4qXypphpgD0BE33zqnd/XaApt3bsXa7d3jqOuMJqCoz9SEmr6EXEez PGlvrJUtWA7HaH9FULyGfLCwi0q5AiW6qSwhITEKxbzqauht9cnr8TSD ZvIjpiA6ngTpxs83Cd31APcZX12f49SlDN1fZLadZICw8VBMnqqWVkHI tXv6n7rmuQAyrlxo0n0zKNxHtNyWt04wCKp8wjHPWmX1GUMHdXH863sX ZwhjpmYB5Spz1tdtdCO7s1i9U7MQyOCEk2g2EX8K+o8nLFQCZzLDGiCy Ux3uro3E+cGxYJgvDTMeFKOzvDJZs/9fIcjWCE5kiyN8nPH7UFhYSgg+ LTHIzw==
sl. 2553 IN NSEC 1.SL. NS SOA TXT RRSIG NSEC DNSKEY
sl. 2553 IN RRSIG NSEC 7 1 3600 20211107073005 20211008063005 14507 sl. eml4PepLRRR54u+NwZYXZK0HLK8+Agq/pykB4tnmPhkYCV0QHc5E6T7G vJ7vt+YP36sA1NTdO3Ka0AvaB8vaQOuSJh1CThf2nz8PY2vVLI5dqhie jW6jz4qx056FJqHFGsAWjPrQYAJs1I/W84WUYhK34Hc3HrJ1lIXPARop i7RkmmcuhnF/WGD3+DAXPcqQfHiPaizBuk4QgR36HhJiez32PZ4+0Cob ppNuzCCbuKpW6wZfhHxcnt9+fczo1+0GPm34CFkwEuBQpZkZiEuO5EH4 Ei6kqwUq9ZW3Kwj3a3QVs49wH1Ip0zOfHmzfIEwZ5Wao6UHE6t7SgQDo YK82bQ==
sl. 2553 IN RRSIG NSEC 7 1 3600 20211107073005 20211008063005 55940 sl. AV6F9AArVYP4RnPwZUtTXjGAS5n7szjXwYMMbnENHmkePmBI6utQza4x GiS2eAdAYP5kwK9EY4mJiDeyDYdCIwAUasg7DnWCKimHTJm595UkMEKu CWf6QYIeLQ2NONz6dJUTqCDJNs3UEza5HDI/Ys0MfP3TSfziUwvQnCfa AWZQNXrxEPBJ62bOKRItYhthp0PYz4FOj30MUl6h3l3XEbbwlniVjf9x 8A+oF+6+2Q0rf/eu+fdxEI1ifhXZXxX3cFH8CL9lakCwbWriaP8vigsQ TxsXlS8j4nxt+Z8Qut+Qig5CTJCXyzCqVmsR5SV61exkfp0Shlm4+20a xj6IXQ==
;; Query time: 33 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Thu Oct 21 11:51:53 EDT 2021
;; MSG SIZE rcvd: 5806
You can *feel* how much longer this is than the `ANY sl.`. But it also tells you the size: we said the request was 43 bytes, and it says that the response was *5806* bytes, or 135 *times* as large: not 135% but 13502%.
That explains the utility of this for the DDoS attacker. Imagine a botnet with 1000 bots; small, sure. Let's say it is attacking some home user or a small business with a 2Gb internet connection. You need 2Mb average per bot to saturate the connection... that's doable, especially now. A lot of botnet-compromised systems are not people who... spend the most on IT. But imagine now they can amplify their bandwidth x100! Even x50 allows a modest botnet of small, not-well-connected computers or IoT devices to attack much larger targets.
In the case that I have above, the attack is only targeting a home user; well, a TalkTalk client in Bristol, England. It could be a corporate server or an end user. I can't tell.
What about my "Refused" response? Doesn't that still attack the target? Yes, it does. It's about the same length, so the amplification factor is 1x. We're not helping, but it's not a waste for the attacker either. Is there something more I could do? Yes. I could block that IP, at least on port 53 (DNS). I'm using fail2ban to do this automatically now, but I'll explain that in another post sometime.
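As an added example (not the author's fail2ban setup), here is a small Python detector over Suricata fast.log lines in the format quoted in the IDS section above: it parses each alert, counts hits from the same claimed source to UDP/53 inside a time window (the "repeated requests" strike), and returns the addresses worth rate-limiting or blocking on port 53. The sample lines are constructed from the two alerts in the post plus two invented ones; the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Suricata fast.log alert format, as in the IDS log lines quoted above.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<sid>[\d:]+)\] "
    r"(?P<msg>.+?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: the two alerts from the post, a third repeat, and one single hit.
SAMPLE_ALERTS = [
    "10/20/2021-17:41:20.167353 [**] [1:2016016:8] ET DOS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 79.68.16.245:80 -> 10.1.2.13:53",
    "10/20/2021-17:42:23.746478 [**] [1:2016016:8] ET DOS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 79.68.16.245:80 -> 10.1.2.13:53",
    "10/20/2021-17:43:01.000001 [**] [1:2016016:8] ET DOS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 79.68.16.245:80 -> 10.1.2.13:53",
    "10/20/2021-17:43:05.000001 [**] [1:2016016:8] ET DOS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.7:5353 -> 10.1.2.13:53",
]

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    return fields

def spoofed_sources_to_block(lines, threshold=3, window=timedelta(minutes=5)):
    """Claimed source IPs with at least `threshold` amplification alerts to UDP/53
    inside any `window`. The address is the spoofed *victim*, so a block on
    port 53 only stops reflected answers from reaching it."""
    hits = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if not a or a["proto"] != "UDP" or a["dport"] != "53":
            continue
        if "DNS Amplification" not in a["msg"]:
            continue
        hits[a["src"]].append(a["ts"])
    flagged = []
    for ip, stamps in hits.items():
        stamps.sort()
        # sliding window: any `threshold` consecutive alerts within `window`
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)
```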
Additional Links
* https://blog.cloudflare.com/65gbps-ddos-no-problem/
* https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/
meta
- © 2021 All Rights Reserved
- First published: October 21, 2021
- Edit 2021.10.21 style, spelling v10
- Edit 2022/09/06 Re-styled for new blog