Difference between revisions of "Amplification attack"

From Hackepedia

Revision as of 10:24, 28 March 2013

An amplification attack usually spoofs the target's address as the source of a request sent to an amplifier. The amplifier then sends back a reply that is larger than the request by a certain factor, and that reply goes to the target.


DNS Amplifiers

DNS servers are often used for amplification attacks. Especially when they recurse for everyone, a lot of data can be amplified out of their cache.

Word has it that Akamai has turned off ANY replies on their DNS servers.
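
A DNS operator can measure the factor described above from the server's own logs. The following is an added example, not part of the original page: it sums query and reply bytes per claimed client over a constructed log and flags clients that receive far more than they sent. The record layout, function names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of DNS server log records:
# (direction, claimed client IP, UDP payload bytes).
# Addresses come from the documentation ranges; the sizes are made up.
SAMPLE_LOG = (
    [("query", "192.0.2.10", 64), ("reply", "192.0.2.10", 3100)] * 40
    + [("query", "198.51.100.7", 60), ("reply", "198.51.100.7", 92)] * 40
    + [("query", "203.0.113.5", 70), ("reply", "203.0.113.5", 900)] * 2
)


def amplification_report(records):
    """Sum query and reply bytes per claimed client and return
    {client: (query_bytes, reply_bytes, factor)}."""
    totals = defaultdict(lambda: [0, 0])
    for direction, client, size in records:
        totals[client][0 if direction == "query" else 1] += size
    report = {}
    for client, (q_bytes, r_bytes) in totals.items():
        # Replies with no logged query at all get an infinite factor.
        factor = r_bytes / q_bytes if q_bytes else float("inf")
        report[client] = (q_bytes, r_bytes, factor)
    return report


def likely_victims(records, min_factor=10.0, min_reply_bytes=50_000):
    """Clients whose replies are both large in total and much larger than
    their queries. With spoofing, the 'client' is the target, not the sender.
    Both thresholds are assumptions to tune per server."""
    return sorted(
        client
        for client, (_q, r_bytes, factor) in amplification_report(records).items()
        if factor >= min_factor and r_bytes >= min_reply_bytes
    )


if __name__ == "__main__":
    for client, (q, r, f) in sorted(amplification_report(SAMPLE_LOG).items()):
        print(f"{client:15} queries={q:6}B replies={r:7}B factor={f:5.1f}")
    print("possible spoofed targets:", likely_victims(SAMPLE_LOG))
```

The volume threshold keeps a client with a few large but legitimate replies (203.0.113.5 in the sample) from being flagged on ratio alone.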

IPv4 Broadcast Amplifiers

Smurf used IPv4 ICMP (for UDP see fraggle) directed at broadcast addresses to amplify an attack. Due to the nature of IPv4 broadcasting, a lot of hosts would respond to a single ICMP echo request.


Solutions to prevent Amplification attacks

  • UDP and ICMP are stateless protocols, so they don't require a handshake to create state between two hosts. A handshake uses large, randomized sequence numbers to prevent an attacker from guessing the replies sent to a spoofed target.
  • Spoofing should be filtered at routers on egress.
  • Perhaps turn UDP off on DNS? Other good ideas exist, like using tokens/cryptography.
  • Design protocols so that they don't reply with a large amount of data to a single query over stateless protocols such as UDP.