Howto:Avoid DNS Amplification Attacks: Difference between revisions

From innovaphone wiki

Revision as of 15:57, 17 May 2018

Applies To

This information applies to all innovaphone platforms

  • V8 hotfix 40 and newer
  • V9 hotfix 15 and newer
  • V10 and newer


More Information

Problem Details

innovaphone devices can be used as a router (between their local ETH interfaces and/or PPP interfaces). When NAT is enabled, the device forwards incoming DNS requests from the local side to the external side and relays the answer back to the requesting client. This is convenient, as clients in the local network can always be configured with the router as their DNS server, regardless of which DNS server is actually used.

[Image: Avoid DNS Amplification Attacks - overview.png]

Known Problems

The function can be exploited for denial of service (DoS) attacks. A malicious client (the attacker) sends a DNS request to the DNS forwarder (here, the innovaphone device acting as a router) with a spoofed IP source address (the address of the victim). The request is forwarded to the DNS server and the response is delivered to the victim.

[Image: Avoid DNS Amplification Attacks - attack.png]

As DNS requests are usually very short but DNS responses can be lengthy, this allows an attacker to flood the victim with a huge amount of data while sending only a small amount of data itself. Also, the IP source address of the attacker is never seen by the victim, as the DNS responses originate from the router misused for the attack.


DNS Forwarding in the NAT Module

To avoid this type of attack, innovaphone devices do DNS forwarding only if NAT is enabled globally on the device (that is, Enable NAT is set in IP4/NAT). DNS requests are then only accepted (and forwarded) on those interfaces which are not marked as Include Interface in NAT in IP4/ETHx/NAT (or, for PPP interfaces, on which Exclude interface from NAT is enabled).

In the scenario shown above, NAT would be enabled globally, the interface that connects to the external network would have Include Interface in NAT enabled and the interface that connects to the local network would not have it enabled. In this scenario, DNS requests from the external network would not be relayed and thus the attack would not be possible.

A common misconfiguration, though, is a device that should not do NAT but has Enable NAT set globally with no interface marked as Include Interface in NAT. No NAT happens (as no interface has NAT enabled), but since NAT is enabled globally, DNS forwarding is still active on all interfaces. Such a device is vulnerable to a DNS amplification attack!

DNS Forwarding in the local DNS Server

Another point vulnerable to a DNS amplification attack is the local DNS Server of the innovaphone Gateway, that can be enabled under Services/DNS/Hosts with the check mark Enable DNS Server. In this case make sure to allow the access to the DNS server on this host only from authorised networks.

Resolution

First of all, install recent firmware (check the versions stated in the Applies To section), because older firmware versions are vulnerable even if the configuration is correct.

When NAT is globally enabled, make sure you enable NAT for all interfaces that are exposed to the public so as to avoid DNS forwarding on these interfaces.

Configurations where NAT is enabled globally but no NAT shall be done towards the interface that is connected to the external network (e.g. because NAT shall be done towards PPP interfaces) are not recommended, as there is no way to protect the external interface from DNS DoS attacks. Then again, such a configuration is rarely - if ever - useful anyway.
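The forwarding rule and the two configuration checks above can be expressed as a small audit. The following Python is an added example, not innovaphone code or a real configuration format: the interface and flag names mirror the web-UI labels quoted in the article (Enable NAT, Include Interface in NAT, Exclude interface from NAT) and the sample interfaces are constructed.

```python
from dataclasses import dataclass, field
from typing import List

# Field names are assumptions modelled on the web-UI labels quoted in the
# article (Enable NAT, Include Interface in NAT, Exclude interface from NAT);
# this is not an innovaphone API or configuration format.
@dataclass
class Interface:
    name: str                       # e.g. "ETH0" or "PPP1" (constructed)
    kind: str                       # "ETH" or "PPP"
    external: bool                  # operator knowledge: faces an untrusted network
    include_in_nat: bool = False    # ETH: "Include Interface in NAT"
    exclude_from_nat: bool = False  # PPP: "Exclude interface from NAT"

    def nat_side(self) -> bool:
        """True when this interface is the NAT (outside) side."""
        if self.kind == "PPP":
            return not self.exclude_from_nat
        return self.include_in_nat

@dataclass
class DeviceConfig:
    enable_nat: bool                 # IP4/NAT "Enable NAT"
    interfaces: List[Interface] = field(default_factory=list)

def dns_forwarding_interfaces(cfg: DeviceConfig) -> List[str]:
    """Interfaces on which the device accepts and forwards DNS requests:
    only with NAT enabled globally, and only on non-NAT-side interfaces."""
    if not cfg.enable_nat:
        return []
    return [i.name for i in cfg.interfaces if not i.nat_side()]

def audit(cfg: DeviceConfig) -> List[str]:
    """Findings that describe DNS amplification exposure of this config."""
    findings = []
    forwarding = set(dns_forwarding_interfaces(cfg))
    # The misconfiguration from the article: NAT globally on, nothing included.
    if cfg.enable_nat and not any(i.nat_side() for i in cfg.interfaces):
        findings.append("Enable NAT is set but no interface is included in NAT: "
                        "DNS forwarding is active on every interface")
    # Any externally exposed interface that forwards DNS is an open forwarder.
    for i in cfg.interfaces:
        if i.external and i.name in forwarding:
            findings.append(f"{i.name}: external interface forwards DNS "
                            "(open DNS forwarder, amplification possible)")
    return findings
```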

Related Articles