There's a new species of Distributed Denial of Service (DDoS) attack targeting name servers, which could be called the "nonsense name" attack. It can wreak havoc on recursive and authoritative name servers alike, and some of our customers at Infoblox have fallen victim to it — but it's not always clear whether they were actually the targets.
The "nonsense name" DDoS attack works like this:
- An attacker chooses a zone to attack, say foo.example.
- A botnet controlled by the attacker generates random domain names in the zone, with nonsense first labels, such as asdfghjk.foo.example and zxcvbnm.foo.example.
- The bots send many queries for those domain names to recursive name servers.
- Those recursive name servers, in turn, send queries to foo.example's authoritative name servers for those domain names.
- The authoritative name servers send responses saying that the domain names in question don't exist (in the DNS business, what's called an NXDOMAIN response).
- The recursive name servers relay that response to the original querier and cache the non-existence of the domain name.
- Lather, rinse, repeat.
If the attacker can generate queries quickly enough, the aggregate query rate will overwhelm the foo.example name servers. That's when the fun really starts:
- The bots continue sending queries for the generated domain names to recursive name servers.
- Now that the authoritative name servers have stopped responding, the recursive name servers take much longer to process each query. In the case of the BIND name server, the name server can wait 30 seconds and send dozens of (unanswered) queries before giving up.
- This uses up recursive query slots on the recursive name server, which eventually runs out of them, denying additional recursive queries — some of them legitimate.
When this happens, a BIND name server sends a message like the following to syslog:
Jan 21 14:44:00 ns1 named: client 192.168.0.1#1110: no more recursive clients: quota reached
At that point, the name server will refuse additional recursive queries, denying service to clients.
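One way to spot this pattern on a recursive name server is sketched below as an added example (not code from Infoblox or BIND). It counts the "quota reached" messages and flags parent zones whose queries consist almost entirely of distinct, never-repeated first labels. The query-line layout, the sample log lines and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines, not real traffic. The "quota reached" lines follow
# the syslog message quoted above; the query-line layout is an assumed,
# simplified form of a BIND query log.
SAMPLE_LOG = """\
Jan 21 14:43:51 ns1 named: client 192.168.0.7#4021: query: asdfghjk.foo.example IN A
Jan 21 14:43:52 ns1 named: client 192.168.0.9#5533: query: www.bar.example IN A
Jan 21 14:43:52 ns1 named: client 192.168.0.7#4022: query: zxcvbnm.foo.example IN A
Jan 21 14:43:53 ns1 named: client 192.168.0.8#1200: query: qwertyui.foo.example IN A
Jan 21 14:43:54 ns1 named: client 192.168.0.9#5534: query: mail.bar.example IN MX
Jan 21 14:43:55 ns1 named: client 192.168.0.8#1201: query: plmoknij.foo.example IN A
Jan 21 14:43:56 ns1 named: client 192.168.0.9#5535: query: www.bar.example IN A
Jan 21 14:43:57 ns1 named: client 192.168.0.7#4023: query: hgfdsaqw.foo.example IN A
Jan 21 14:43:58 ns1 named: client 192.168.0.9#5536: query: www.bar.example IN A
Jan 21 14:44:00 ns1 named: client 192.168.0.1#1110: no more recursive clients: quota reached
Jan 21 14:44:01 ns1 named: client 192.168.0.9#5537: no more recursive clients: quota reached
"""

QUERY_RE = re.compile(r"named: client \S+#\d+: query: (\S+) IN ")
QUOTA_RE = re.compile(r"named: client \S+#\d+: no more recursive clients: quota reached")


def analyze(log_text, min_unique=4, min_ratio=0.9):
    """Return (suspect_zones, quota_hits).

    suspect_zones maps a parent zone to its number of distinct first labels,
    for zones with at least min_unique distinct labels where nearly every
    query (min_ratio) used a label not seen before, as random names do.
    """
    labels = defaultdict(set)   # parent zone -> distinct first labels seen
    totals = defaultdict(int)   # parent zone -> total queries seen
    quota_hits = 0
    for line in log_text.splitlines():
        if QUOTA_RE.search(line):
            quota_hits += 1
            continue
        match = QUERY_RE.search(line)
        if not match:
            continue
        first, _, parent = match.group(1).rstrip(".").lower().partition(".")
        if parent:  # skip single-label names
            labels[parent].add(first)
            totals[parent] += 1
    suspects = {zone: len(seen) for zone, seen in labels.items()
                if len(seen) >= min_unique and len(seen) / totals[zone] >= min_ratio}
    return suspects, quota_hits


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The thresholds here are sized for the tiny sample; on a production resolver they would need tuning against normal traffic, since large legitimate zones also receive queries for many distinct names.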
Who's the target?
In most cases, the organization running the authoritative name servers (in this example, those for foo.example) seems to be the target. For example, some of the domain names in attacks we've seen are used by Chinese gambling sites. (Maybe someone is trying to exact revenge on the house for some tough losses?) However, the recursive name servers involved end up as collateral damage in the attack. Could they have actually been the targets?
We've seen some evidence of this. Some of the zones involved in attacks against our customers have mysteriously disappeared a day or two after the attack, indicating that they likely weren't in active use (and in fact were probably registered in a "Domain Tasting" scheme). The attackers could have deliberately registered these zones with slow or unresponsive name servers, so that resolution of domain names in the zone would take as long as possible.