Wednesday, April 26, 2017

Monday tech: PRSD DDoS attack

Hi everyone
Today I'm going to talk about a nice variation of DDoS that I recently encountered: PRSD DoS - Pseudo Random Sub Domain attack, also know as "water torture attack".
This DDoS attack sends multiple DNS queries of known domains (such as google.com) but with invalid ransdom sub-domains (such as gfhadffgas.google.com).

What makes this attack cool?
The purpose of this attack is to stress the authoritive DNS servers of the target domain (google.com), but it is also forwarded to the ISP, and it in turn resolve your query using the DNS resolver, and it can also crash in this attack.

Furthermore, this attack is not mitigated in most of the DNS servers out there.
What can you do? Block IPs that send too many failed DNS queries (reponses of SERVFAIL) will do the trick. In addition you can obviously increse hardware resources of DNS servers or limit the number of concurrent requests which will also temporarly bring the server down.

In conclusion: This is a very simple yet effective attack, that exploits the iterative and naive nature of the DNS protocol. DNS DDoS attacks are on the raise, as we wintessed that even the large websites (Twitter, Spotify and others) were hit by it 6 months ago in the notorious attack against the Dyn DNS provider company, that included tens of millions of zomies that were controled by multiple malwares, including the famous Mirai bot (https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/).
We sure are going to so more and more DNS applicative attacks in the future, as it is usually easier to bring down a DNS server comparing to webservers of very large websites.

Have a great day