DNS SEC Request flood is a DDoS attack which sends DNS SEC request packets to a DNS server in an attempt to overwhelm the server’s ability to respond to legitimate DNS requests.
If DNS services are unavailable to legitimate users it can completely cripple most modern networks since domain names are used to provide most services.
DNS SEC sets the DNS SEC bit to 1, which may cause some servers to process security rules differently.
Technical Analysis
As seen in Image 1, a DNS SEC request uses the UDP protocol with a destination port of 53.
“Image 1: DNS using UDP”
Image 2 highlights the UDP packet containing the query information, which consists of a name, a type and a class. The name is the FQDN name to retrieve the IP for. The type specifies the record to be fetched. Common ones are A which will retrieve the IP, MX which will retrieve the the mail exchange servers etc. The class specifies the type of data queried. It will be IN (stands for Internet) most of the time. The only other used class is the CH (Chaos) class, that is used to query DNS versions
“Image 2: The name, type and class of a DNS request”
Images 3 and 4 show the server’s response with the result of the query. There you can see that identifying the request-response pair can be done using the Transcation ID. Depending on the request type the server may respond differently.
“Image 3: DNS Request Transaction ID”
“Image 4: DNS Response”
As can be seen in Image 5, a DNS SEC request flood will additionally set the DNS SEC bit to 1.
“Image 5: DNS SEC Bit”
Analysis of the DNS SEC Request Flood in Wireshark – Filters
As mentioned in the Technical Analysis, DNS SEC uses the UDP protocol, so the very basic filter that can be used is “udp”.
Further more, to identify DNS packets specifically, the “dns” filter can be used.
Showing only DNS requests can be done using “dns.flags == 0x0100” and for showing only DNS responses use “dns.flags == 0x8180”.
To identify a DNS SEC packet use “dns.resp.z.do == 1”.
To identify the response for a request or vice versa, use “dns.id == <needed_id>”.
If you see a single source sending many such requests, it could be an attacker.
Download Example PCAP of DNS SEC Request Flood
*Note: IP’s have been randomized to ensure privacy.
