To establish a connection between your machine, and google, first thing you need to know is what is the IP address of google.com.
For this, first your machine will send udp packet to dns server (can be local dns server or cloudflare or google public dns 8.8.8.8) asking what is the IP address of google.com. As it is UDP so it be unencrypted packet.
The server will reply with another udp packet saying google ip address is eg: 1.2.3.4
Then the client will establish connection with google.com using this IP address
DNS reflection:
Say attacker A is a bad actor. A will send a dns request to DNS server but instead of providing its own IP address in udp request, it will send the IP address of server which it wants to attack.
Packet will be like : 80/B/google.com/D/53, where B is the IP address of actual webserver and D is the IP address of DNS server. This process is also called as ip spoofing.
DNS server will send reply to server B. Packet will look like
53/D/1.2.3.4/B/80
Web server B has no clue what's going on. It doesn't know what is 1.2.3.4, so it will drop the packet.
This is called dns reflection, reflecting request to another server
One UDP inbound request is fine for B, but if there are multiple DNS request and multiple DNS replies to B using different attacker machines and DNS servers, this will create a DDos attack.
Though dns reply packet is very small, but to make things worse, an attacker can ask for more information in dns request like multiple options. In this case dns server will reply with larger packet up to 4000 bytes. Doing this thousand of times..will occupy all resource on server
This is called DNS reflection with Amplification attack
To protect web server B we can place a firewall in between the DNS server and webserver B, but that might not be feasible option always.In this case your application might not work properly as some of your applications might be blocked
Sometime L7 Reverse proxy is used in between the DNS server and webserver, the connection will terminate at proxy, it will decrypt the traffic and establish another connection with the webserver.
For this, first your machine will send udp packet to dns server (can be local dns server or cloudflare or google public dns 8.8.8.8) asking what is the IP address of google.com. As it is UDP so it be unencrypted packet.
The server will reply with another udp packet saying google ip address is eg: 1.2.3.4
Then the client will establish connection with google.com using this IP address
DNS reflection:
Say attacker A is a bad actor. A will send a dns request to DNS server but instead of providing its own IP address in udp request, it will send the IP address of server which it wants to attack.
Packet will be like : 80/B/google.com/D/53, where B is the IP address of actual webserver and D is the IP address of DNS server. This process is also called as ip spoofing.
DNS server will send reply to server B. Packet will look like
53/D/1.2.3.4/B/80
Web server B has no clue what's going on. It doesn't know what is 1.2.3.4, so it will drop the packet.
This is called dns reflection, reflecting request to another server
One UDP inbound request is fine for B, but if there are multiple DNS request and multiple DNS replies to B using different attacker machines and DNS servers, this will create a DDos attack.
Though dns reply packet is very small, but to make things worse, an attacker can ask for more information in dns request like multiple options. In this case dns server will reply with larger packet up to 4000 bytes. Doing this thousand of times..will occupy all resource on server
This is called DNS reflection with Amplification attack
To protect web server B we can place a firewall in between the DNS server and webserver B, but that might not be feasible option always.In this case your application might not work properly as some of your applications might be blocked
Sometime L7 Reverse proxy is used in between the DNS server and webserver, the connection will terminate at proxy, it will decrypt the traffic and establish another connection with the webserver.
No comments:
Post a Comment