DNS amplification attacks rise 4 800% year-on-year

January 6, 2020

DNS amplification attacks are soaring in number, growing 4 788% from Q3 2018 to Q3 2019. This was one of the findings of Nexusguard's Q3 2019 Threat Report, which revealed that domain name system security extensions (DNSSEC) remain the main driver of growth behind these attacks.
A DNS amplification attack is a type of DDoS attack in which the bad actor exploits vulnerabilities in domain name system (DNS) servers to turn initially small queries into much larger payloads, which are used to bring down the victim's servers.

Nexusguard analysts have also detected a sharp and concerning rise in TCP SYN Flood attacks. This type of attack happens when a hacker floods a system with SYN requests in order to overwhelm the target and make it unable to respond to new and genuine connection requests. It forces all of the target server's communications ports into a half-open state.

“This is not a new method, but findings indicate that techniques have grown in sophistication and have emerged as the third most used attack vector, behind DNS amplification and HTTP flood attacks,” says Nexusguard.

Attackers have long favoured DDoS attacks that amplify damage beyond the resources required, but suitable reflectors or amplifiers are not as widely available for DNS amplification and memcached reflection attacks, the researchers said.

In contrast, any server with an open TCP port is an ideal attack vector, and such reflectors are widely available and easy to access for SYN Flood reflection attacks.

As a result, SYN Flood reflection not only hits targeted victims, but can also impact innocent users, including individuals, businesses, and other organisations. These victims end up having to process large volumes of spoofed requests and what appear to be legitimate replies from the attack target. This means that bystanders can incur hefty fees for bandwidth consumed by junk traffic, or even suffer from secondary outages.
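The following is an added example, not code from the article or from Nexusguard's report: a sketch of how a server operator could check whether their host is being used as a SYN Flood reflector, by finding claimed source addresses that send many SYNs but almost never complete the handshake. The packet tuples, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

def sample_packets():
    """Constructed inbound packets: (time_s, src_ip, src_port, dst_port, flag).
    Flags: S = SYN, A = handshake-completing ACK, R = RST. RFC 5737 addresses."""
    pkts = []
    for i in range(40):  # claimed source that never completes a handshake
        pkts.append((i * 0.05, "198.51.100.7", 40000 + i, 443, "S"))
    for i in range(0, 40, 4):  # RSTs: the real host rejecting unexpected SYN-ACKs
        pkts.append((i * 0.05 + 0.02, "198.51.100.7", 40000 + i, 443, "R"))
    for i in range(5):  # ordinary client: SYN, then ACK
        pkts.append((i * 0.3, "203.0.113.20", 50000 + i, 443, "S"))
        pkts.append((i * 0.3 + 0.03, "203.0.113.20", 50000 + i, 443, "A"))
    return pkts

def suspect_spoofed_sources(packets, min_syns=20, max_completion=0.1):
    """Return claimed sources with many SYNs and almost no completed handshakes.
    Thresholds are illustrative assumptions, not values from the report."""
    syns = defaultdict(set)       # src_ip -> flows (src_port, dst_port) that sent SYN
    completed = defaultdict(set)  # src_ip -> flows whose final ACK arrived
    resets = defaultdict(int)     # src_ip -> RSTs received on half-open flows
    for _ts, src, sport, dport, flag in sorted(packets):
        flow = (sport, dport)
        seen = syns.get(src, ())  # .get avoids creating entries for ACK-only sources
        if flag == "S":
            syns[src].add(flow)
        elif flag == "A" and flow in seen:
            completed[src].add(flow)
        elif flag == "R" and flow in seen and flow not in completed[src]:
            resets[src] += 1
    report = {}
    for src, flows in syns.items():
        done = len(completed[src])
        if len(flows) >= min_syns and done / len(flows) <= max_completion:
            report[src] = {"syns": len(flows), "completed": done,
                           "resets": resets[src]}
    return report

if __name__ == "__main__":
    for src, stats in suspect_spoofed_sources(sample_packets()).items():
        print(src, stats)
```

A flagged address here is the likely target of the reflection rather than the sender, so the useful response is rate-limiting SYN-ACKs towards it, not blocking it as an attacker.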

Juniman Kasman, CTO for Nexusguard, says: “Our research findings revealed that even plain-vanilla network attacks could be turned into complex, stealthy attacks leveraging advanced techniques, from the bit-and-piece attacks, also known as carpet bombing, we identified last year, to the emergence of Distributed Reflective DoS (DRDoS) attacks in the third quarter.”

DRDoS attacks happen when attackers send an overwhelming amount of traffic to amplifiers, which act as reflectors and redirect traffic to a target. They differ from conventional DoS attacks because traffic isn't sent directly to the victim.

Kasman says telcos and enterprises must take note: these tactics don't cause notable strain on network bandwidth and so may go undetected, yet they are powerful enough to impact their service.

“Advanced mitigation techniques are required to address these threats,” he adds.

The report also revealed that 44% of 2019 Q3 attack traffic came from botnet-hijacked Windows OS computers and servers. The second largest source of traffic came from iOS-equipped mobile devices.

The total number of attacks has mirrored patterns observed in 2019, with Q1 seeing the highest number of attacks and numbers dropping over Q2 and Q3. While attack volume has decreased since Q2 2019, levels grew more than 85% compared to the same quarter last year. More than half of all global attacks originated in China, Turkey or the US.

Nexusguard's quarterly DDoS threat research gathers attack data from botnet scanning, honeypots, CSPs and traffic moving between attackers and their targets.

Read the full Q3 2019 Threat Report for more details.