Howto:Avoid DNS Amplification Attacks
This information applies to all innovaphone platforms
- V8 hotfix 40 and newer
- V9 hotfix 15 and newer
- V10 and newer
innovaphone devices can be used as router (between their local ETH interfaces and/or PPP interfaces). When NAT is enabled, the device will forward incoming DNS requests from the local side to the external side and relay back the answer to the requesting client. This is convenient, as clients in the local network can always be configured with the router as DNS, regardless of what DNS is actually used.
This function can be exploited for denial of service (DoS) attacks. A malicious client (the attacker) sends a DNS request to the DNS forwarder (here, the innovaphone device acting as a router) with a spoofed IP source address (the address of the victim). The request is forwarded to the DNS server and the response is then forwarded to the victim.
As DNS requests are usually very short but DNS responses can be lengthy, this allows an attacker to flood a huge amount of data to the victim while sending only a minor amount of data itself. Also, the IP source address of the attacker is not seen by the victim, as the DNS responses originate from the router misused for the attack.
DNS Forwarding in the NAT Module
To avoid this type of attack, innovaphone devices will do DNS forwarding only if NAT is enabled globally on the device (that is, Enable NAT is set in IP4/NAT). DNS requests are then only accepted (and forwarded) from those interfaces which are not marked as Include Interface in NAT in IP4/ETHx/NAT (or Exclude interface from NAT for PPP interfaces is enabled).
In the scenario shown above, NAT would be enabled globally, the interface that connects to the external network would have Include Interface in NAT enabled and the interface that connects to the local network would not have it enabled. In this scenario, DNS requests from the external network would not be relayed and thus the attack would not be possible.
A common misconfiguration, though, is a device that should not do NAT at all but has Enable NAT set globally, with no interface marked as Include Interface in NAT. No NAT happens in this case (as no interface has NAT enabled). Still, because NAT is enabled globally, DNS forwarding is active on all interfaces. Such a device is vulnerable to a DNS Amplification Attack!
First of all, install a recent firmware (check the versions stated in the Applies to section), because older firmware versions are vulnerable even if the configuration is correct.
When NAT is globally enabled, make sure you enable NAT for all interfaces that are exposed to the public so as to avoid DNS forwarding on these interfaces.
Configurations where NAT is enabled globally but no NAT shall be done towards the interface that is connected to the external network (e.g. because NAT shall be done towards PPP interfaces) are not recommended, as there is no way to protect the external interface from DNS DoS attacks. Then again, such a configuration is rarely - if ever - useful anyway.
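To make the forwarding rule and the misconfiguration above concrete, here is an added audit script (not innovaphone code; the Interface/Device model and the finding texts are constructed to mirror the web UI labels quoted above). It lists the interfaces from which the NAT module will accept and forward DNS requests and flags the cases this section warns about:

```python
from dataclasses import dataclass, field

@dataclass
class Interface:
    """Constructed model of one IP4/ETHx or PPP interface of the device."""
    name: str
    kind: str                        # "ETH" or "PPP"
    external: bool                   # True if it faces an untrusted network
    include_in_nat: bool = False     # IP4/ETHx/NAT "Include Interface in NAT"
    exclude_from_nat: bool = False   # PPP "Exclude interface from NAT"

    def nat_enabled(self) -> bool:
        # ETH interfaces opt in to NAT, PPP interfaces opt out of it
        if self.kind == "ETH":
            return self.include_in_nat
        return not self.exclude_from_nat

@dataclass
class Device:
    nat_global: bool                     # IP4/NAT "Enable NAT"
    interfaces: list = field(default_factory=list)
    dns_server_enabled: bool = False     # Services/DNS/Hosts "Enable DNS Server"

def dns_forwarding_interfaces(dev: Device) -> list:
    """Interfaces on which the NAT module accepts and forwards DNS requests:
    only when NAT is enabled globally, and only from interfaces not in NAT."""
    if not dev.nat_global:
        return []
    return [i.name for i in dev.interfaces if not i.nat_enabled()]

def audit(dev: Device) -> list:
    """Findings describing DNS amplification exposure of this configuration."""
    findings = []
    forwarding = set(dns_forwarding_interfaces(dev))
    for i in dev.interfaces:
        if i.external and i.name in forwarding:
            findings.append(f"{i.name}: external interface accepts DNS forwarding; "
                            "enable NAT on this interface")
    if dev.nat_global and not any(i.nat_enabled() for i in dev.interfaces):
        findings.append("NAT enabled globally but on no interface: "
                        "DNS forwarding is active on all interfaces")
    if dev.dns_server_enabled and any(i.external for i in dev.interfaces):
        findings.append("DNS server enabled: restrict it to trusted networks only")
    return findings
```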
DNS Forwarding in the DNS Server
Another point vulnerable to a DNS amplification attack is the local DNS Server of the innovaphone Gateway, which can be enabled under Services/DNS/Hosts with the check mark Enable DNS Server.
Unfortunately, there is no practical solution for preventing a DNS Amplification Attack here. This is a weakness of the DNS protocol, and all DNS server implementations suffer from it. Therefore, you need to make sure that the DNS server can only be reached from trusted networks. Since attackers will most probably be located in the internet, it is usually sufficient to block all access to the DNS server from the internet. As a result, the DNS Server on innovaphone devices cannot be used as your official external DNS. However, it can safely be used as your internal DNS (see Using local/global DNS for Service Addresses in the Reverse Proxy book), since this does not need to be accessible globally.