Code Locket Menu

DNS Amplification Basics

Blog post created on 2018-02-04

PythonDDoSSecurity

DNS amplification used to be a very common technique to perform volumetric denial of service (DoS) attacks on a target machine. It relies on the fact that DNS queries are normally sent over UDP. UDP is a protocol that does not require a handshake or similar, like TCP, to initiate a connection. On the other hand, it simply requires the receiving machine to reply to the address specified in the initial request. If this address is spoofed to be the address of your target host, DNS servers would reply to the target, and if enough traffic is generated the target network would be saturated making the target machine unreachable.

Nowadays DNS amplification is still a relatively common vector but substantially harder to achieve due to many additional network security checks that have been implemented around both DNS server management and network traffic filtering.

DNS amplification relies on some simple concepts:

If you have all of the above you are most likely capable of setting up a DNS amplification attack! But how easy is it to perform DNS queries spoofing an IP address? It turns out it is actually extremely simple.

Scapy

Scapy is a (Python based) powerful interactive packet manipulation program. It can be used directly from the command line or it can be used as a library within your Python programs.

It essentially allows you to create arbitrary protocol packets, stack them in arbitrary orders (even ones that would not make sense), and directly manipulate any relevant headers. You can also build your own protocol support if necessary.

To perform a DNS amplification attack we need to create:

Converting this to actual code, we essentially get a very clean result:

from scapy.all import *

target     = "x.x.x.x" # Target host
nameserver = "y.y.y.y" # DNS server

ip  = IP(src=target, dst=nameserver)
udp = UDP(dport=53)
dns = DNS(rd=1, qdcount=1, qd=DNSQR(qname="isc.org", qtype=255))

request = (ip/udp/dns)

send(request)

The script above, once you replace the target and nameserver values with valid IP addresses, will send a single DNS query with a spoofed IP address to the relevant DNS server, which, in turn, will respond to the target machine. Of course for this to be sucesfull you would need to be on a network that does not perform agressive egress IP packet filtering.

dig

We can of course achieve the same result by using dig, the de facto standard Linux DNS querying utility. To perform a DNS amplification request to a target machine with dig, however, we need to be able to configure one of our machine's network interfaces to be listening for our target IP. This is needed as dig does not allow us to alter the IP packet directly, but it does allow us to send the DNS query from a specific interface, and if that interface is configured with the target IP address, the operating system will take care of the rest.

The resulting command looks like this:

dig ANY isc.org -b x.x.x.x @y.y.y.y

With x.x.x.x being the target IP and y.y.y.y being the DNS server.

And there you have it, the basics of a DNS amplification request.