Nonsense Name Attacks Are A Serious Concern For Sys Admins
- Category: DDoS
- Author: Admin
- June 05,2015
As if data centers and server administrators didn’t have enough to worry about when it comes to the security of their installations, yet another serious problem has surfaced. It is a type of DDoS attack being called the “Nonsense Name” attack, and because it targets DNS name servers, both the operators of authoritative servers and anyone running a recursive resolver are exposed to it.
How It Works
The apparent goal of a Nonsense Name attack is to target authoritative name servers for a DNS zone, by overwhelming them with requests from recursive name servers. The process works this way:
- A bot (or network of bots) generates a large number of random, nonexistent names in the target zone to query. If the attack is being launched against domain.zone, for example, it will generate abcde.domain.zone, fghij.domain.zone, klmno.domain.zone and so on, and then send queries for all of them to recursive name servers.
- Because every name is new, nothing about it is in the resolver’s cache, so the recursive name servers will, as is their job, send each query on to the authoritative name servers for domain.zone. Those servers naturally return an NXDOMAIN response (meaning the names being queried don’t exist) to the recursive servers.
- If the queries keep coming fast enough, eventually the authoritative name servers will stop answering them. The recursive servers that forwarded the queries hold a slot open for each unanswered query until it times out, so they run out of recursive client slots (in BIND, the limit set by the recursive-clients option). At that point, the recursive servers will simply refuse all new queries, even legitimate ones. In effect, the server is completely stopped from resolving client requests.
Even if the goal is to hit authoritative name servers, all of the recursive name servers involved are victimized as well.
Dealing with a Nonsense Name Attack
The first step in handling this new threat is to be aware of what to look for. When a recursive name server begins logging the message “no more recursive clients; quota reached” to syslog, you should immediately suspect that the lack of free recursive query slots is due to a Nonsense Name attack; confirm it by checking the query log for a flood of random-looking names under a single zone, since the same quota message can also appear under ordinary overload. Those syslog messages contain the IP addresses making the queries, so if they look suspicious you can quickly exclude them with an access control list (in BIND, an acl referenced from blackhole or allow-query).
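The detection step above, as an added example that is not part of the original article: a small Python script that scans BIND-style syslog output for the recursive-client quota message and for query-log lines, flags clients that ask for many distinct child names of one zone, and renders the blocking ACL and the RPZ record for that zone. The log lines are constructed to resemble BIND 9.9-era query and quota messages (the regexes, the `min_distinct` threshold and the `the.rpz.zone` policy zone name are assumptions; check your own named’s exact log format before relying on them).

```python
"""Spot a Nonsense Name (random-subdomain) attack in BIND syslog output and
emit a blocking ACL plus the RPZ rule for the abused zone.

Added example, not code from the original article or from ISC.  The log
lines below are CONSTRUCTED to resemble BIND 9.9-style messages; adjust the
regexes to your own named's format.
"""
import re
from collections import defaultdict

# Constructed sample: two bots querying random labels under domain.zone,
# one legitimate client asking for a real name twice (A and AAAA).
SAMPLE_LOG = """\
named[1234]: client 192.0.2.10#40001 (abcde.domain.zone): query: abcde.domain.zone IN A + (198.51.100.1)
named[1234]: client 192.0.2.10#40002 (fghij.domain.zone): query: fghij.domain.zone IN A + (198.51.100.1)
named[1234]: client 192.0.2.10#40003 (klmno.domain.zone): query: klmno.domain.zone IN A + (198.51.100.1)
named[1234]: client 203.0.113.7#51000 (pqrst.domain.zone): query: pqrst.domain.zone IN A + (198.51.100.1)
named[1234]: client 203.0.113.7#51001 (uvwxy.domain.zone): query: uvwxy.domain.zone IN A + (198.51.100.1)
named[1234]: client 198.51.100.50#33000 (www.example.org): query: www.example.org IN A + (198.51.100.1)
named[1234]: client 198.51.100.50#33001 (www.example.org): query: www.example.org IN AAAA + (198.51.100.1)
named[1234]: client 192.0.2.10#40004: no more recursive clients (1000/0/1000): quota reached
named[1234]: client 203.0.113.7#51002: no more recursive clients (1000/0/1000): quota reached
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)")
QUOTA_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: no more recursive clients .*quota reached")


def parent_zone(qname, depth=2):
    """Return the last `depth` labels of qname: abcde.domain.zone -> domain.zone.
    Assumption: the attacked zone is a second-level name; raise depth otherwise."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def analyse(log_text, min_distinct=3):
    """Group query-log lines by (zone, client IP).  A client that asks for at
    least `min_distinct` different child names of one zone is flagged, as is
    any client that appears in a quota message.  Returns (suspects, quota_ips)
    where suspects maps zone -> sorted list of offending source IPs."""
    distinct = defaultdict(set)   # (zone, ip) -> set of child qnames seen
    quota_hits = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            zone = parent_zone(m.group("qname"))
            distinct[(zone, m.group("ip"))].add(m.group("qname").lower())
            continue
        m = QUOTA_RE.search(line)
        if m:
            quota_hits.add(m.group("ip"))
    suspects = defaultdict(set)
    for (zone, ip), names in distinct.items():
        if len(names) >= min_distinct or ip in quota_hits:
            suspects[zone].add(ip)
    return {zone: sorted(ips) for zone, ips in suspects.items()}, sorted(quota_hits)


def bind_acl(name, ips):
    """Render a named.conf acl block that can be referenced from blackhole {}."""
    body = "".join(f"    {ip};\n" for ip in ips)
    return f"acl {name} {{\n{body}}};\n"


def rpz_rule(zone, rpz_zone="the.rpz.zone"):
    """Render the RPZ record that answers NXDOMAIN for every name under `zone`
    (in RPZ, a CNAME to the root '.' is the NXDOMAIN action)."""
    return f"*.{zone}.{rpz_zone}. IN CNAME ."


if __name__ == "__main__":
    suspects, quota = analyse(SAMPLE_LOG)
    for zone, ips in suspects.items():
        print(f"# zone {zone}: {len(ips)} suspicious source(s), quota hits from {quota}")
        print(bind_acl("nonsense_name_attackers", ips))
        print(rpz_rule(zone))
```

Only domain.zone is reported: 192.0.2.10 is flagged for three distinct child names, 203.0.113.7 for appearing in the quota message, while the legitimate client asking twice for www.example.org is left alone. Review the flagged addresses before loading the ACL, since a busy forwarder or NAT gateway can legitimately send many distinct queries for one zone.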
If you’re not sure about the IPs, things get more complicated. The best approach is using the RPZ (response policy zone) function in BIND to tell the name servers not to send any queries involving the affected zone. You would set up a rule that looks like this:
*.domain.zone.the.rpz.zone IN CNAME .
and then set the qname-wait-recurse option in BIND to “no,” so that QNAME policy rules are applied before the resolver recurses (with the default of “yes,” RPZ would still send the query upstream first). After that, anyone querying a name in domain.zone would automatically receive an NXDOMAIN response from the recursive server, and the authoritative name servers would never get involved at all.
For recursive name servers which don’t run BIND (or haven’t been updated to BIND 9.10, where qname-wait-recurse was introduced), the best option is to create an empty, “dummy” zone to substitute for the real domain.zone. Configure the resolver as the authoritative (master) server for that empty copy, containing only SOA and NS records, and any queries for names under it will then get the NXDOMAIN response locally.
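Both mitigations described above, as an added configuration example that is not taken from the original article or from ISC: a named.conf fragment for the recursive resolver that blackholes the identified sources, loads a local response policy zone with the wildcard NXDOMAIN rule for domain.zone, and (commented out) the empty-zone alternative for resolvers without RPZ. The zone names, file names and addresses are assumptions; the RPZ options require BIND 9.10 or later.

```conf
// ---- named.conf (recursive resolver) ----
acl nonsense_name_attackers {
    192.0.2.10;      // addresses taken from the syslog quota messages
    203.0.113.7;
};

options {
    recursion yes;
    // 1. Drop anything from the sources identified in syslog.
    blackhole { nonsense_name_attackers; };

    // 2. RPZ: consult the.rpz.zone for every query and, with
    //    qname-wait-recurse no, apply QNAME rules *before* recursing, so the
    //    authoritative servers for domain.zone are never contacted.
    response-policy { zone "the.rpz.zone"; };
    qname-wait-recurse no;
};

// The policy zone is served locally and must not be visible to clients.
zone "the.rpz.zone" {
    type master;
    file "rpz.db";
    allow-query { localhost; };
    allow-transfer { none; };
};

// 3. Alternative for resolvers without RPZ: be the master for an empty copy
//    of the attacked zone; every name under it is then NXDOMAIN locally.
// zone "domain.zone" {
//     type master;
//     file "empty.db";
// };

// ---- rpz.db (origin the.rpz.zone) ----
// $TTL 300
// @              IN SOA  localhost. root.localhost. ( 2015060501 3600 900 604800 300 )
//                IN NS   localhost.
// ; CNAME to the root is the RPZ "NXDOMAIN" action; relative owner name
// ; expands to *.domain.zone.the.rpz.zone.
// *.domain.zone  IN CNAME .

// ---- empty.db (used only by the alternative above) ----
// $TTL 300
// @              IN SOA  localhost. root.localhost. ( 2015060501 3600 900 604800 300 )
//                IN NS   localhost.
```

Reload with rndc reconfig after editing named.conf, and rndc reload the.rpz.zone after changing rpz.db. Both the RPZ wildcard and the empty zone deny legitimate names in domain.zone as well, which is why the article treats them as temporary measures.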
Of course, these are both temporary changes; once the attack is over, you’ll need to set things back the way they were in order for domain resolution to resume.
In the near future, the Internet Systems Consortium is planning to release two new options for BIND name server configuration, which will automatically cap the number of outstanding queries a recursive server sends to a given zone or authoritative server, limiting floods like the ones created by Nonsense Name attacks. Until then, the above fixes should limit the nonsense your name servers may face.