DDoS Attack Threats | DNS Flooder Attack Toolkit | Akamai Presentation - PowerPoint PPT Presentation

View by Category
About This Presentation

DDoS Attack Threats | DNS Flooder Attack Toolkit | Akamai Presentation


| By exploiting vulnerable DNS servers – or setting up their own – malicious actors can launch powerful DDoS reflection attacks using the new DNS Flooder cybercrime toolkit. The toolkit exploits nuances of the DNS protocol to amplify attacks by a factor of 50 or more, while making the attacker almost entirely anonymous. Find out more about this DDoS threat in the full Prolexic DNS Flooder Threat Advisory, – PowerPoint PPT presentation

Number of Views:207
Slides: 11
Provided by: prolexickg
Category: Other
Tags: ddos | ddos_attack


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: DDoS Attack Threats | DNS Flooder Attack Toolkit | Akamai Presentation

DNS Flooder A Reflection Toolkit
  • Highlights from a Prolexic DDoS Threat Advisory

What is DNS Flooder?
  • In mid-2013, the DNS Flooder Toolkit v1.1 was
    leaked on popular hack forums
  • The toolkit uses a new, popular method of
    crafting large DNS resource records
  • Malicious actors can amplify responses by a
    factor of 50 or more per DNS request, and may
    customize their own DNS records, adding words and

DNS Flooder v1.1 Toolkit Screenshot
DNS Flooder DDoS Attack Threat
  • DNS Flooder is very popular
  • The amplified nature of the attack means it only
    needs a few servers to achieve a large DDoS flood
  • Because of the reflection techniques DNS Flooder
    uses, attackers are fully anonymous and the
    origin of the attack is very difficult to
  • Several attacks have already been launched
    against Akamai customers

Attack Overview
  • One attack against an Akamai customer using the
    DNS Flooder toolkit lasted approximately four
  • Prior to the use of the tool, the attackers set
    up DNS servers for their own use, building their
    own botnet without the need for infection
  • This method can also inject messages into the
    attack payload

DDoS Flooder Attack Statistics
  San Jose London Hong Kong Washington
Peak bits per second (bps) 5.00 Gbps 80.00 Gbps 5.00 Gbps 20.00 Gbps
Peak packets per second (pps) 400.00 Kpps 7.50 Mpps 400.00 Kpps 2.00 Mpps
Peak traffic values complied from Akamai
scrubbing centers during a DNS Flooder campaign
How Does DNS Flooder Work
  • The toolkit uses a DNS reflection attack to
    amplify DDoS bandwidth by a factor of 50 or more
  • The attacker sends a vulnerable DNS server a DNS
    any resource record query
  • The any resource record query returns all records
    of all types stored on the server
  • Can exceed 4,000 bytes
  • By sending the request with a fake source IP, the
    big any resource record is reflected to the

How DNS Flooder Works, cont.
  • DNS Flooder crafts its IP header and DNS resource
    header manually
  • Requires root access on the attacking computer
  • Allows nuances of DNS to be exploited to ensure
    maximum possible response size
  • Falsifying the IP address at the source makes the
    original attack nearly untraceable the requests
    are totally anonymous

Threat Advisory NTP DNS Flooder toolkit
  • Download the threat advisory, DNS Flooder v1.1
  • This DDoS threat advisory includes
  • Indicators of the use of the DNS Flooder toolkit
  • Analysis of the source code
  • Example query created by the toolkit
  • Sample payload
  • Who is believed to be behind these attacks
  • The SNORT rule and target mitigation using ACL
  • Statistics and payloads from two observed DNS
    Flooder campaigns against Akamai clients
  • The full source code of DNS Flooder

About Prolexic (now part of Akamai)
  • We have successfully stopped DDoS attacks for
    more than a decade
  • Our global DDoS mitigation network and 24/7
    security operations center (SOC) can stop even
    the largest attacks that exceed the capabilities
    of other DDoS mitigation service providers
About PowerShow.com