Try in Splunk Security Cloud

Description

DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to ANY queries. This Analytic Story can help you detect attackers who may be abusing your company’s DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • Last Updated: 2016-09-13
  • Author: Bhavin Patel, Splunk
  • ID: e8afd39e-3294-11e6-b39d-a45e60c6700

Narrative

The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to ANY queries are so much larger than the queries themselves–and can be made with a UDP packet, which does not require a handshake–attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The ANY requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim’s machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.
The search in this story can help you to detect if attackers are abusing your company’s DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.

Detections

Name Technique Type
Large Volume of DNS ANY Queries Reflection Amplification Anomaly

Reference

source | version: 1