Open DNS resolvers can be used to recursively query authoritative name servers.  In fact, a list of open resolvers can be found at http://openresolverproject.org/.  Further, Network Time Protocol (NTP) servers with "monlist" enabled allow a host to query the last 600 connections who have connected to that server.  Knowing this, an attacker (possibly using a bot) can send a DNS request using a source address that is spoofed as the IP address of the victim and the open resolver will send all the responses to the victim.  See the figure below for a pictoral description of this:

Open Resolver

While this is a serious problem, what's worse is that an attacker could use not only one bot to attack the victim but rather an entire army of bots (making up a "botnet") to each individually attack the victim using this same method.  The figure below shows this scenario:

Botnet Attack

The following screen capture shows two responses from DNS requests to cpsc.gov.  The left shows a closed resolver (small response) while the right shows an open resolver (large response).  This shows that an attacker can use an open resolver to achieve a large response and overwhelm the victim.

Packet Capture

 

F5 Security Operations Center (SOC) expert researcher Damien Rocha shows some very interesting details about many recent DNS attacks.  These include:

  • Open Resolver list has not changed much over the past several months
  • Many attackers use UDP port 4444
  • Bots are a majority of always-on devices: Routers, DVRs, etc.
  • Open resolvers capable of NTP amplification using "monlist"
  • NTP packets in 451B-600B range
  • Attack durations ~30min, ~60min, ~90min:  Indicates paid service

 

With all these research points, the SOC listed a series of recommended actions to defend against these attacks:

  • Utilize Geolocation blocking
  • Blacklist known open resolvers
  • Alert on signatures (src port 53 & dst port 4444)

 

 

Related Resources:

iRule to protect against DNS amplification attacks