
DNS Flooder: A Reflection Toolkit

Highlights from a Prolexic DDoS Threat Advisory


2014 AKAMAI | FASTER FORWARD
TM
What is DNS Flooder?
In mid-2013, the DNS Flooder Toolkit v1.1 was
leaked on popular hack forums
The toolkit uses a new, popular method of crafting
large DNS resource records
Malicious actors can amplify responses by a factor of
50 or more per DNS request, and may customize
their own DNS records, adding words and comments

DNS Flooder v1.1 Toolkit Screenshot
DNS Flooder: DDoS Attack Threat
DNS Flooder is very popular
The amplified nature of the attack means it only
needs a few servers to achieve a large DDoS flood
Because of the reflection techniques DNS Flooder
uses, attackers are fully anonymous and the origin of
the attack is very difficult to pinpoint
Several attacks have already been launched against
Akamai customers

Attack Overview
One attack against an Akamai customer using the
DNS Flooder toolkit lasted approximately four hours
Prior to the use of the tool, the attackers set up DNS
servers for their own use, building their own botnet
without the need for infection
This method can also inject messages into the attack
payload

DNS Flooder Attack Statistics

Scrubbing center          San Jose      London        Hong Kong     Washington
Peak bits per second      5.00 Gbps     80.00 Gbps    5.00 Gbps     20.00 Gbps
Peak packets per second   400.00 Kpps   7.50 Mpps     400.00 Kpps   2.00 Mpps

Peak traffic values compiled from Akamai scrubbing centers during a
DNS Flooder campaign
How Does DNS Flooder Work?
The toolkit uses a DNS reflection attack to
amplify DDoS bandwidth by a factor of 50 or
more
The attacker sends a vulnerable DNS server
a DNS ANY resource record query
The ANY resource record query returns all records of all types
stored on the server
Responses can exceed 4,000 bytes
By sending the request with a fake source
IP, the large ANY resource record response is reflected to
the target

How DNS Flooder Works, cont.
DNS Flooder crafts its IP header and DNS resource
header manually
Requires root access on the attacking computer
Allows nuances of DNS to be exploited to ensure
maximum possible response size
Falsifying the IP address at the source makes the
original attack nearly untraceable; the requests are
totally anonymous
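The reflection pattern described on these two slides can be spotted on the resolver or authoritative server that is being abused: an ANY query arrives with a spoofed source and leaves as a response many times its size. The following is an added example, not code from the advisory or from the toolkit; it parses the question section of constructed DNS query bytes, computes the response-to-query amplification ratio, and flags sources whose ANY queries are repeatedly amplified at or above the 50x figure the advisory cites. Because the source IP is spoofed, a flagged address is the reflection target, so the output names addresses to rate-limit or filter with an ACL rather than attackers; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges used as constructed samples.

```python
import struct
from collections import Counter

QTYPE_ANY = 255
AMPLIFICATION_ALERT = 50  # amplification factor cited in the advisory


def parse_question(msg: bytes):
    """Parse a DNS header and first question; return (qname, qtype, qclass)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def amplification_ratio(query: bytes, response_len: int) -> float:
    """Bytes sent to the reflection target per byte the attacker sent."""
    return response_len / len(query)


def flag_reflection_sources(records, min_ratio=AMPLIFICATION_ALERT, min_queries=3):
    """records: iterable of (src_ip, query_bytes, response_len) from a server log.
    Returns {src_ip: hit_count} for sources whose ANY queries were amplified
    at least min_ratio times on at least min_queries occasions."""
    hits = Counter()
    for src, query, resp_len in records:
        _, qtype, _ = parse_question(query)
        if qtype == QTYPE_ANY and amplification_ratio(query, resp_len) >= min_ratio:
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_queries}


# Constructed sample messages: header (id 0x1234, RD set, one question) + example.com
_HDR = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00"
ANY_QUERY = _HDR + b"\x00\xff\x00\x01"  # QTYPE 255 (ANY), QCLASS IN
A_QUERY = _HDR + b"\x00\x01\x00\x01"    # QTYPE 1 (A), QCLASS IN
SAMPLE_LOG = [("203.0.113.7", ANY_QUERY, 4100)] * 3 + [
    ("198.51.100.2", A_QUERY, 120),     # ordinary lookup, not flagged
    ("203.0.113.7", ANY_QUERY, 500),    # ANY but below the 50x threshold
]
```

Running `flag_reflection_sources(SAMPLE_LOG)` reports only 203.0.113.7, which is the address the spoofed requests are pointing the 4,100-byte responses at.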
Threat Advisory: NTP DNS Flooder toolkit
Download the threat advisory, DNS Flooder v1.1
This DDoS threat advisory includes:
Indicators of the use of the DNS Flooder toolkit
Analysis of the source code
Example query created by the toolkit
Sample payload
Who is believed to be behind these attacks
The SNORT rule and target mitigation using ACL entries
Statistics and payloads from two observed DNS Flooder
campaigns against Akamai clients
The full source code of DNS Flooder


About Prolexic (now part of Akamai)
We have successfully stopped DDoS attacks for more
than a decade
Our global DDoS mitigation network and 24/7 security
operations center (SOC) can stop even the largest
attacks that exceed the capabilities of other DDoS
mitigation service providers
