In a blog post, cloudflare mentioned mitigating a DDoS attack, with 20Gbps twenty-four hours a day for over three weeks, and PTCL was found to be a major contributor for this DNS amplification DDoS attack.
First, to understand an amplification attack, lets assume a scenario in which attacker sends ICMP requests (i.e., ping requests) to the network’s broadcast address (i.e., X.X.X.255) of a router configured to relay ICMP to all devices behind the router. This attack is called SMURF attack.
The attacker spoofs the source of the ICMP request to be the IP address of the intended victim (i.e. the target IP).
Since ICMP does not include a handshake, the destination has no way of verifying if the source IP is legitimate. The router receives the request and passes it on to all the devices that sit behind it. All those devices then respond back to the ping. The attacker is able to amplify the attack by a multiple of how ever many devices are behind the router (i.e., if you have 5 devices behind the router then the attacker is able to amplify the attack 5x, see the diagram below).
To avoid such scenarios, network operators configure their routers to not relay ICMP requests sent to a network’s broadcast address.
DNS amplification attacks are even worst, because DNS requests are transmitted over UDP, just like ICMP, but a small DNS query can generate 50X response from DNS resolvers. In other words, an attacker can achieve a 50x amplification over whatever traffic they can initiate to an open DNS resolver to the target victim IP.
Network operators running a recursive DNS resolver usually ensure that they only respond to queries from authorized IPs on their network or trusted networks only. However, that’s probably not done on PTCL routers.
PTCL routers, as claimed by cloudflare, are not configured as these DNS servers are configured to accept DNS queries on their broadcast IPs from any IP address.
Cloudflare says that it identified 68,459 unique DNS resolvers participating in the 20Gbps DDoS attack, out of which 45,595 DNS resolvers are part of PTCL network.
A network engineer working in local ISP, who wanted to remain unnamed, agreed to cloudflare’s claims and said that DSL routers are usually the real culprits. He said that DSL routers amplify such kinds of attacks, which are misconfigured or re-configured by the customers.
Cloudflare said that they can assist operators (such as PTCL) in identifying the IPs of all open DNS resolvers in getting them correctly configured. Cloudflare has welcomed the operators to work along to clean up their networks.
