{"id":675,"date":"2018-03-27T18:45:16","date_gmt":"2018-03-27T18:45:16","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=675"},"modified":"2020-05-06T10:27:07","modified_gmt":"2020-05-06T17:27:07","slug":"are-you-ready-to-counter-udp-based-amplification-attacks","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/company\/are-you-ready-to-counter-udp-based-amplification-attacks\/","title":{"rendered":"Are You Ready to Counter UDP-Based Amplification Attacks?"},"content":{"rendered":"

DNS was identified as a key vulnerability by US-CERT (United States Computer Emergency Response Team) of the Department of Homeland Security (DHS) in the UDP-based amplification attacks. The DHS has become the latest premier security agency to realize the DNS vulnerability. You can read more about all protocols and associated vulnerabilities in their\u00a0security advisory<\/a>.<\/p>\n

Advanced Persistent Threats (APTs) and malware rely on the Domain Name System (DNS) at various stages of the cyber kill chain to infect devices inside the network, propagate malware and exfiltrate data. According to\u00a0Cisco 2016 Annual Security Report<\/a>, 91% of malware uses DNS, during one or more phases in the cyber kill chain, to carry out the campaign, and the longer it takes to detect malware, the higher the cost of damage.<\/p>\n

But, many organizations aren\u2019t ready to deal with DNS-based attacks<\/h2>\n

According to a\u00a0global survey<\/a>\u00a0of over 1,000 security and IT Professionals worldwide conducted by Dimensional Research, 86% of DNS solutions failed to first alert teams of an occurring DNS attack, and nearly one-third of professionals doubted their company could defend against the next DNS attack.<\/p>\n

The risk of a DNS-based attack increases exponentially with an increasingly mobile and nomadic workforce, where there are a high number of employees working from multiple and remote locations. This means that the traditional security you use might not be able to provide all the benefits your secure internal network might provide. Whether your DNS is in your network or hosted in the cloud, DDoS attacks can be quite disruptive.<\/p>\n

Now the alarm bells are going off in your mind, right?<\/em><\/strong><\/p>\n

The combination of the fact that DNS is a commonly accepted exploited vector and the fact that many organizations are not effectively addressing the threat, presents a challenge. Fortunately, Infoblox can help address this gap, which we at Infoblox call the DNS Security Gap. Infoblox has a solution that can help protect the\u00a0integrity of your network<\/a>\u00a0by helping you detect and protect against DNS attacks cited by the DHS security advisory. We call that product\u00a0Advanced DNS Protection (ADP)<\/a>.<\/p>\n

It helps to understand what UDP-based amplification attack means, best practices to counter it, and how Infoblox approaches this issue.<\/p>\n

The Break Down of UDP-Based Amplification Attacks<\/h2>\n

The DHS advisory summarizes the attack in the following words:\u00a0\u201cA distributed reflective denial-of-service (DRDoS)<\/strong>\u00a0is a form of distributed denial-of-service (DDoS) attack that relies on publicly accessible UDP servers and bandwidth amplification factors (BAFs) to overwhelm a victim\u2019s system with UDP traffic.\u201d\u00a0 The critical element in the DRDoS is the reflective nature of the attack with an amplification of the response. It is important to understand what a reflective attack is.<\/p>\n

What is a Reflective Attack?<\/h2>\n

In\u00a0DNS Security for Dummies<\/a>, authored by Joshua Kao, Robert Nagy, and Cricket Liu, the authors explain the reflection attack:<\/p>\n

A reflection attack sends queries that look like they came from the victim of the attack. The response (often a large, amplified answer<\/strong>) is sent to the victim, who never asked, and the amount of the response traffic could potentially overwhelm the victim\u2019s network.<\/em><\/p>\n

How is a Reflective Attack Implemented?<\/h3>\n

In a reflection attack, an attacker sends a query to a recursive name server with a spoofed source IP address. Instead of his real IP address, he places the target (victim) IP address as the source IP address. The recursive name server does the legwork, retrieves the answer to the query from the authoritative name server, and sends the answer to the unsuspecting victim.<\/p>\n

Stopping Reflection Attacks<\/h2>\n

DNS Security for Dummies<\/strong><\/a>\u00a0identifies multiple strategies and tools to detect and prevent DNS attacks.<\/p>\n

According to the authors of DNS Security for Dummies, a strong mitigation solution will need to have the following capabilities:<\/p>\n