DNS Reflection Attacks

Some of our clients will already be aware of the problems we’ve had recently with a sustained DNS reflection attack, but we thought we’d explain here what happened and what a DNS reflection attack is!

Over the last 3 weeks one of our servers fell foul to a DNS reflection attack, it hasn’t been pretty and a lot of work has gone on behind the scenes to stop the attack and prevent it from happening in future.

The problem began because we’ve always allowed recursive DNS queries through our nameservers. Essentially this meant that if we get a request about a domain name we didn’t  just reply with “we don’t know, please go and ask someone that does”, we’d go away and look up the answer from somewhere else and then reply with all the information requested (we were just kind like that!).

These request to look something up are tiny, anywhere between 10 and 50 characters of text which in the internet world is nothing, but when a certain type of DNS request is received we would return every piece of information about a domain and it’s DNS. As you can imagine that can be a lot of data (imagine how much data is in a DNS zone for someone like Google!).

This doesn’t sound too bad so far, somebody requests something gets a lot of data back, so be it? Not quite, crucially the requesting party sends the request from a fake IP address, so when we sent the very large reply we actually sent it to a victim that is being flooded with information they didn’t request (the attacker gets no response at all – and generally doesn’t care). It’s like signing someone you know up for every junk mail you can think of and watching the postman struggle to their door!

We will no longer send the large packet of data in response to a request and will only send response information about domains we host, this won’t affect your sites but will make our servers more efficient and less susceptible to this type of attack.

Making the above change wasn’t quite enough, the attackers continued to send requests to our IP addresses (they couldn’t tell we weren’t replying because they never get the replies), so we slowly migrated everything off those old IP addresses and closed them down.

We’ve got more changes coming up in the coming months with DNS so watch this space!


Leave a Reply

Your email address will not be published. Required fields are marked *