
DDoS attacks

Amplification attacks

$ dig @ns1.isc.org. any isc.org. +norec +dnssec | grep -i size
;; MSG SIZE  rcvd: 3390

Reflection attacks

Combination attacks

Cache poisoning

  1. The attacker has prior knowledge of the target domain and sends a query to the recursive DNS server for a name that does not exist, such as q0001xxx.example.com
  2. Because this is a name that does not exist, the recursive DNS server must traverse the DNS namespace to find it.
  3. The attacker can beat the legitimate NXDOMAIN response from the authoritative name server by sending a lot of spoofed responses that look like they are coming from the legitimate example.com authoritative name server. In the spoofed response, the attacker claims www.example.com is the NS record of the domain, to trick the recursive name server into accepting www.example.com and its IP address.
  4. By the laws of probability, the attacker’s spoofed response may be accepted by the recursive server, and the bad answer www.example.com is now stored in its cache.
  5. Unsuspecting client queries for the name www.example.com A record.
  6. The recursive server provides the answer from the now-poisoned cache with the forged answer from the attacker.

See Cloudflare’s article for more.

Data exfiltration via DNS tunneling

DNS tunneling allows for

In the last two cases, clients evade detection by breaking data down into query-sized chunks, disguising sensitive data as DNS queries, and sending them to malicious DNS servers on the far end, which unpack these queries and reconstruct the data.

Tools

Detection using DNS server logs

Source: Using Splunk to detect DNS tunneling

Payload analysis

FQDN entropy

$ shannon < /tmp/hostnames.txt
2.646439	google.com
2.646439	golang.org
2.721928	amazon.com
4.016876	asdlfkjasdflwerjka.t1.security.local
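Added example (not code from the original notes): a small Python detector that reproduces the per-character Shannon entropy shown above for the same hostnames and also applies the FQDN length heuristic; the thresholds and the sample hostname list are assumptions chosen for illustration, not values from the notes or from Splunk.

```python
import math
from collections import Counter

# Constructed sample: three ordinary domains and one name that looks like
# a tunnelling payload (the same names as the shannon output above).
SAMPLE_HOSTNAMES = [
    "google.com",
    "golang.org",
    "amazon.com",
    "asdlfkjasdflwerjka.t1.security.local",
]


def shannon_entropy(name: str) -> float:
    """Shannon entropy in bits per character over the whole FQDN string."""
    if not name:
        return 0.0
    counts = Counter(name)
    total = len(name)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def longest_label(name: str) -> int:
    """Length of the longest dot-separated label; tunnels pack data into one label."""
    return max(len(label) for label in name.rstrip(".").split("."))


def score_fqdn(name, entropy_threshold=3.5, length_threshold=50, label_threshold=30):
    """Return the reasons a name looks suspicious; an empty list means benign.

    Threshold values are assumed for this example and should be tuned against
    a baseline of benign query logs before use in production.
    """
    reasons = []
    entropy = shannon_entropy(name)
    if entropy >= entropy_threshold:
        reasons.append(f"entropy {entropy:.6f} >= {entropy_threshold}")
    if len(name) >= length_threshold:
        reasons.append(f"length {len(name)} >= {length_threshold}")
    if longest_label(name) >= label_threshold:
        reasons.append(f"label length {longest_label(name)} >= {label_threshold}")
    return reasons


def flag_suspicious(names, **thresholds):
    """Map each flagged name to its reasons, skipping names that pass every check."""
    scored = {n: score_fqdn(n, **thresholds) for n in names}
    return {n: reasons for n, reasons in scored.items() if reasons}


if __name__ == "__main__":
    for n in SAMPLE_HOSTNAMES:
        print(f"{shannon_entropy(n):.6f}\t{n}")
    print(flag_suspicious(SAMPLE_HOSTNAMES))
```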

FQDN length

Unusual record types

Traffic analysis

Volumes of DNS requests

Geographic location

More