Akamai's Prolexic Security Engineering and Research Team (PLXsert) issued an advisory this morning warning of a new technique bad actors are using to launch DNS amplification attacks.
Amplification attacks generate large response packets with relatively small requests. Attackers create large DNS TXT (text) records to increase amplification, magnifying the impact of a DDoS attack. Several campaigns observed since Oct. 4, 2014 contain fragments of text taken from press releases issued by the White House, according to the advisory, available here.
PLXsert suspects the DNS flooder tool continues to be used in these campaigns.
"By crafting their own TXT records, attackers can amplify responses as desired and direct this traffic to targeted sites, including -- but not limited to -- DNS servers," the advisory said. "The amplified traffic response could eventually overwhelm the targeted site and render it unable to respond to any requests."
This isn't the first time attackers have used large TXT records in reflection attacks. Previous victims of this technique included isc.org and many .gov sites. The new twist is that attackers are crafting the TXT records to provide the largest response size possible, thereby amplifying the impact.
The TXT records in the October 2014 attacks came from the guessinfosys.com domain.
Anatomy of the attack
- Peak bandwidth: 4.3 Gigabits per second (Gbps)
- Attack vectors: DNS reflection and amplification
- Source port(s): 53
- Destination port(s): 80, random
The main targets are the entertainment, education and high-tech consulting sectors.
Here are some of the sample payloads PLXsert intercepted:
21:38:55.972524 IP X.X.X.X.53 > X.X.X.X.52967: 5856 13/0/3 A 184.108.40.206, NS ns71.domaincontrol.com., NS ns72.domaincontrol.com., SOA, MX mailstore1.secureserver.net. 10, MX smtp.secureserver.net. 0, TXT "President Obama is taking action to help ensure opportunity for all Americans. President Obama Signing <snip>
13:43:36.094522 IP X.X.X.X.53 > X.X.X.X.52506: 11532 10/13/16 TXT "Presidenftxt Obama is taking action <snip> ", TXT[|domain]
13:43:36.094854 IP X.X.X.X.53 > X.X.X.X.5926: 35408 10/13/16 TXT "<snip> President also outlines" " the details about the transmission and treatment of Ebola", TXT[|domain]
guessinfosys.com. 85964 IN TXT "In a viddeo frIn a video released this morningeleased this morningIn a video released this morningIn a video released this morningIn a video released this morningIn a video released this morningIn a video released this morningIn a video released this morn" "ingIn a video released this morningIn a video released this morningIn a video released this morningIn a video released this morning"
guessinfosys.com. 85964 IN TXT "Presidenftxt Obama is taking action to help ensure opportunity for all Americans. President Obama Signing Legislation My Front Porch Americans across thePresident Obama is taking action to help ensure opportunity for all Americans. President Obama Signing" " Legislation My Front Porch Americans across the"
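Two things a defender usually wants to put numbers on after reading the above: how much a crafted TXT record actually amplifies a query, and how to pick responses like the sample payloads out of a capture. The script below is an added example, not code from Akamai or the PLXsert advisory. It estimates request and response sizes from the RFC 1035 wire format (assuming one TXT answer with a compressed owner name and an EDNS0 OPT record on the query), and it parses tcpdump one-line DNS summaries in the same shape as the samples. The capture lines, the name example.test, the RFC 5737 addresses and the flagging thresholds in is_suspect are all constructed assumptions for illustration.

```python
"""Added example: TXT-record amplification estimate and a scanner for tcpdump DNS summaries."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

DNS_HEADER_LEN = 12   # RFC 1035 fixed header
EDNS0_OPT_LEN = 11    # OPT pseudo-RR: root name (1) + type/class/ttl/rdlength (10)
RR_FIXED_LEN = 12     # answer RR overhead: 2-byte name pointer + type(2) class(2) ttl(4) rdlength(2)


def qname_wire_len(name: str) -> int:
    """Wire length of a domain name: one length byte per label, plus the root byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def query_size(name: str, edns0: bool = True) -> int:
    """UDP payload of a minimal query for `name`: header, one question, optional OPT RR."""
    size = DNS_HEADER_LEN + qname_wire_len(name) + 4  # QTYPE + QCLASS
    return size + (EDNS0_OPT_LEN if edns0 else 0)


def txt_rdata_len(strings: List[str]) -> int:
    """RDATA length of a TXT RR: each character-string is <length byte><bytes>, at most 255 bytes."""
    total = 0
    for s in strings:
        raw = s.encode()
        if len(raw) > 255:
            raise ValueError("TXT character-string exceeds 255 bytes")
        total += 1 + len(raw)
    return total


def txt_response_size(name: str, strings: List[str], edns0: bool = True) -> int:
    """Estimated UDP payload of a response that echoes the question and carries one TXT RR."""
    return query_size(name, edns0) + RR_FIXED_LEN + txt_rdata_len(strings)


def amplification_factor(name: str, strings: List[str], edns0: bool = True) -> float:
    """Response bytes sent to the victim per request byte the attacker spends."""
    return txt_response_size(name, strings, edns0) / query_size(name, edns0)


# tcpdump summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <id>[flags] <an>/<ns>/<ar> <records>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)[*|$-]* (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) (?P<body>.*)$"
)


@dataclass
class DnsResponse:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    ancount: int
    nscount: int
    arcount: int
    has_txt: bool

    @property
    def rr_total(self) -> int:
        return self.ancount + self.nscount + self.arcount


def parse_line(line: str) -> Optional[DnsResponse]:
    """Parse one tcpdump DNS summary line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DnsResponse(
        ts=m["ts"], src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        txid=int(m["txid"]), ancount=int(m["an"]), nscount=int(m["ns"]), arcount=int(m["ar"]),
        has_txt=re.search(r"\bTXT\b", m["body"]) is not None,
    )


def is_suspect(r: DnsResponse, min_rrs: int = 10) -> bool:
    """Heuristic with assumed thresholds (not from the advisory): a response from port 53 that
    lands on a privileged non-DNS port no resolver queries from (the advisory lists port 80),
    or that carries TXT data across many resource records."""
    if r.sport != 53:
        return False
    if r.dport < 1024 and r.dport != 53:
        return True
    return r.has_txt and r.rr_total >= min_rrs


def scan(lines: Iterable[str]) -> List[DnsResponse]:
    """Return the parsed responses that trip the heuristic."""
    parsed = (parse_line(ln) for ln in lines)
    return [r for r in parsed if r is not None and is_suspect(r)]


SAMPLE_CAPTURE = [
    # Constructed lines modelled on the PLXsert samples, using RFC 5737 documentation addresses.
    '21:38:55.972524 IP 192.0.2.10.53 > 198.51.100.7.80: 5856 13/0/3 A 203.0.113.5, NS ns1.example.test., TXT "President Obama is taking action <snip>"',
    '13:43:36.094522 IP 192.0.2.11.53 > 198.51.100.7.52506: 11532 10/13/16 TXT "Presidenftxt Obama is taking action <snip>", TXT[|domain]',
    '13:43:40.000001 IP 192.0.2.12.53 > 198.51.100.7.41022: 4242 1/0/0 A 203.0.113.9',
]

if __name__ == "__main__":
    record = ["A" * 255] * 4  # four maximal character-strings, the shape a padded TXT record takes
    print(f"amplification for a 4x255-byte TXT answer: {amplification_factor('example.test', record):.1f}x")
    for r in scan(SAMPLE_CAPTURE):
        print(f"suspect: {r.src}:{r.sport} -> {r.dst}:{r.dport} rrs={r.rr_total} txt={r.has_txt}")
```

The size estimate is deliberately conservative: it counts a single TXT answer, whereas the captured responses above also carry A, NS, SOA and MX records plus authority and additional sections, so real amplification is higher. In a capture from the victim's side, the third sample line (one A record to an ephemeral port) is what ordinary resolver traffic looks like; the first two are the pattern to alert on.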
Some DNS servers will attempt to retry the response over TCP, but because the request was sent with the target host's address, the TCP connection goes to a target that never asked for the data; no transfer occurs and the attempt fails.
DDoS cloud-based protection services such as the one provided by Akamai are recommended.