Next: SNMP Up: Filtering out reflector replies Previous: UDP

DNS

DNS servers offer two possibilities for reflection. The first is a reflector simply sending a DNS reply in response to a spoofed DNS request. This form may be recognized because the reply will arrive at the victim from source port 53. Consequently, the victim can filter it out, but at some cost. First, this will impede the victim's own access to the DNS via external DNS servers. Probably the victim can cope with this by opening up holes in the filtering to provide access to a specific set of remote DNS servers, and reconfiguring their local DNS to send queries to them. Second, some DNS queries are made using a source port of 53 as well as a destination port of 53. If the victim provides DNS service, then any such incoming requests would be filtered out. However, by adding filtering on the QR bit in the DNS header [Mo87], such requests can be properly distinguished from the reflector replies.

The second form of DNS reflection concerns DNS servers that in turn recursively query other servers to resolve a request. If the victim is a name server for a particular zone, then the attacker can issue a stream of queries to a large number of name servers that will in turn cause those name servers to bombard the victim server with recursive queries. The queries needn't even be spoofed, which would enable the attacker to launch them in the presence of anti-spoof filtering, though this would reveal the slaves' locations to any monitoring or logging done at the reflectors. But if the queries are spoofed, then the attacker could even use the victim's address as the purported source, such that when the reflector DNS server supplies a reply of some form, that too goes to the victim, a form of amplification (though one that can be filtered out).

Note that caching at the reflector server does not help to ameliorate the attack; the attacker simply keeps changing the domain name used in the bogus query, forcing the reflector to go to the primary name server each time.

Summary: DNS reflection appears to be a serious threat for denial-of-service attacks on name servers. The full degree of the threat depends on whether enough servers support recursion that the second form of reflection is a true threat. Anecdotally, it appears that the answer is yes: a large number of servers do indeed support recursive queries. The only apparent solution to this threat is to include filtering in name servers so that they will only process recursive queries coming from local addresses, coupled with filtering at the site's border to ensure that incoming packets with local source addresses are dropped.
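The filtering rules described above (QR-bit inspection for the first form of reflection, and the recursion and anti-spoof rules of the summary) combined into one packet classifier, as an added example that is not part of the paper. It assumes a site prefix of 192.0.2.0/24 and a single external resolver at 198.51.100.53, both constructed values, and for brevity applies the recursion rule at the border rather than inside the name server where the summary places it.

```python
import ipaddress
import struct

# Constructed policy inputs (assumptions, not from the paper): the site's
# own prefix and the external resolvers its local DNS has been pointed at.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_RESOLVERS = {"198.51.100.53"}

DNS_PORT = 53
QR_BIT = 0x8000  # DNS header flags (RFC 1035): 0 = query, 1 = response
RD_BIT = 0x0100  # recursion desired


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def border_filter(src_ip, src_port, dst_port, payload):
    """Classify one inbound UDP packet; returns (verdict, reason)."""
    # Anti-spoof rule from the summary: nothing arriving from outside may
    # carry one of our own addresses as its source.
    if is_local(src_ip):
        return "drop", "inbound packet with local source address"
    if src_port != DNS_PORT and dst_port != DNS_PORT:
        return "accept", "not DNS"
    if len(payload) < 12:
        return "drop", "truncated DNS header"
    flags = struct.unpack("!H", payload[2:4])[0]
    if flags & QR_BIT:
        # A reply. Replies from port 53 are dropped as potential reflector
        # traffic unless they come from a resolver we actually query.
        if src_ip in ALLOWED_RESOLVERS:
            return "accept", "reply from configured resolver"
        return "drop", "unsolicited DNS reply"
    # A query, even one sent from source port 53: the QR bit, not the
    # port, tells it apart from a reply, so our own service keeps working.
    if flags & RD_BIT:
        return "drop", "recursive query from non-local address"
    return "accept", "non-recursive query for our zone"


def dns_header(qr, rd, txid=0x1234):
    """Build a minimal 12-byte DNS header (constructed test input)."""
    flags = (QR_BIT if qr else 0) | (RD_BIT if rd else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
```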


Vern Paxson
2001-06-26