US-CERT has been alerted to an increase in distributed denial of service (DDoS) attacks using spoofed recursive DNS requests. These attacks are troublesome because all systems communicating over the internet need to allow DNS traffic. The attacks work in the following manner: a malicious attacker sends several thousand spoofed requests to a DNS server that allows recursion. The DNS server processes these requests as valid and then returns the DNS replies to the spoofed recipient (i.e., the victim). When the number of requests is in the thousands, the attacker could potentially generate a multi-gigabit flood of DNS replies. This is known as an amplifier attack because this method takes advantage of misconfigured DNS servers to reflect the attack onto a target while amplifying the volume of packets.
A recent survey conducted by the Measurement Factory, sponsored by the DNS appliance vendor InfoBlox, found that 75% of DNS servers they polled (roughly 1.3 million) allowed recursion. A similar study using a smaller sample size was conducted by the CERT Coordination Center (CERT/CC). It found 80% of DNS servers still enabled recursion. An organization could be used as a DNS recursion amplifier if its DNS server is misconfigured. Consequently, its DNS server could be misused in a DDoS attack against another organization. An organization could still be targeted by a DDoS attack from misconfigured recursive DNS servers even if it is not running a vulnerable name server.
This paper discusses DNS recursion, helps users understand more about potential targets and risks, outlines methods for protecting DNS servers, and provides best practices for configuring DNS servers.