Loop Denial-of-Service (DoS) Special Report

Description

The Shadowserver Foundation released the Loop DoS Special Report on the 20th Dec 2023 for the jurisdiction.  The report detailed a novel type of Denial-of-Service (DoS) Attack, referred to as the Loop DoS Attack, which becomes possible when two network services indefinitely respond to each other's messages.

To illustrate the Loop DoS attack vector, the Shadowserver Foundation uses the example of two DNS resolvers that respond with an error message when they receive an error message as input.  If an error as input creates an error as output, and a second system behaves the same way, the two systems will keep sending error messages back and forth indefinitely.  They go on to state that an attacker can cause a loop between two faulty DNS resolvers by injecting a single, IP-spoofed DNS resolver failure message.  Once injected, the DNS resolvers continuously send DNS error messages back and forth, putting stress on both servers and on any network link connecting them.
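The following is an added Python illustration of why the loop forms and how a single correctly behaving service breaks it; it is not code from Shadowserver or from the report.  Two in-memory DNS-style responders exchange one error datagram: the faulty responder answers an error with an error, while the hardened responder never replies to a datagram whose QR bit marks it as a response.  The datagrams are constructed 12-byte RFC1035 headers, not captured traffic, and the function names are this example's own.

```python
import struct

SERVFAIL, NOERROR = 2, 0

def build_dns_message(txid: int, qr: int, rcode: int) -> bytes:
    """Constructed 12-byte DNS header (RFC1035 layout) with no sections:
    QR is bit 15 of the flags word, RCODE the low four bits."""
    flags = (qr << 15) | (rcode & 0x0F)
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

def parse_header(datagram: bytes):
    """Return (txid, qr, rcode), or None if the datagram is too short to be DNS."""
    if len(datagram) < 12:
        return None
    txid, flags = struct.unpack("!HH", datagram[:4])
    return txid, (flags >> 15) & 1, flags & 0x0F

def faulty_responder(datagram: bytes):
    """The behaviour the report describes: an unparseable datagram or an error
    is answered with SERVFAIL, so an incoming error always yields an outgoing error."""
    hdr = parse_header(datagram)
    if hdr is None:
        return build_dns_message(0, 1, SERVFAIL)
    txid, qr, rcode = hdr
    if qr == 0 and rcode == NOERROR:
        return build_dns_message(txid, 1, NOERROR)   # a normal query: answer it
    if rcode != NOERROR:
        return build_dns_message(txid, 1, SERVFAIL)  # error in -> error out
    return None

def hardened_responder(datagram: bytes):
    """Answer only well-formed queries (QR=0, RCODE=0); drop responses and
    errors silently, so this side can never be one half of a loop."""
    hdr = parse_header(datagram)
    if hdr is None or hdr[1] == 1 or hdr[2] != NOERROR:
        return None
    return build_dns_message(hdr[0], 1, NOERROR)

def count_replies(first, second, datagram: bytes, budget: int = 100) -> int:
    """Bounce a datagram between two responders until one stays silent and
    return the number of replies; reaching `budget` means the pair never stopped."""
    replies, current = 0, first
    while datagram is not None and replies < budget:
        datagram = current(datagram)
        if datagram is not None:
            replies += 1
        current = second if current is first else first
    return replies
```

With two faulty responders the exchange only ends when the budget runs out; with one hardened responder in the pair it ends after at most one reply, which is the property a resolver fix needs to provide.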

The Shadowserver Foundation states in its documentation that the information contained in the special report does not cover a specific daily twenty-four (24) hour period; instead it is based upon 'high value datasets', which suggests that the patterns in network traffic were observed during the course of the daily scan of the IPv4 and IPv6 address range.

The Report has a default severity level of 'High'.

Problem

The report identified hosts within the jurisdiction, together with their respective network services, that have been found to be the cause of endless loop patterns, which may indicate a Loop DoS Attack.

Shadowserver Foundation - Loop DoS Special Report - Malware Name Index.

Note: The Shadowserver Foundation has included in the 'Malware Name' column of its report a list of terms that identify the network services found to be the cause of endless loop patterns, which may indicate a Loop DoS Attack.

No. Malware Name (UDP port) - Description

1. dns;loop-dos (UDP port 53)
   The Domain Name System (DNS) is a globally distributed service that resolves a fully qualified domain name (FQDN) to the numeric IP address computers use to connect to each other.  Every interaction, such as visiting a web page, sending an email or retrieving a picture from social media, uses DNS to translate a human-friendly domain name into an IP address.  DNS queries contain sensitive information about the websites users intend to visit, and without adequate security these queries can be intercepted by malicious actors.  Implementing DNS security ensures the confidentiality of DNS data and protects user privacy.  RFC1034 and RFC1035, published in 1987, contain the official specifications on which the modern DNS is based.  However, security was not a primary consideration in its design, and several solutions have since been developed to make DNS secure.

2. dns;middlebox; (UDP port 53)
   A middlebox is a computer device that transforms, inspects, filters and manipulates traffic for purposes other than packet forwarding.  Examples of middleboxes include firewalls, network address translators (NATs), load balancers and deep packet inspection (DPI) devices.  The inclusion of the term middlebox in the 'Tag' suggests that the DNS resolver identified in the report is sending messages to, and responding to messages from, a device other than a DNS resolver.

3. ntp;loop-dos (UDP port 123)
   The Network Time Protocol (NTP) is a network protocol for clock synchronisation between computer systems over packet-switched, variable-latency data networks.  NTP works by having a client send a query packet to an NTP server, which responds with its clock time.  The client then computes an estimate of the difference between its clock and the remote clock and attempts to compensate for any network delay.  NTP implements a hierarchical system of time references.  At the highest level, hardware reference clocks are referred to as Stratum 0.  These include Global Navigation Satellite Systems (GNSS) and national time and frequency radio broadcasts, which are very precisely synchronised to national atomic time and frequency standards and are some of the most accurate time sources available.  A Stratum 1 NTP server is the primary (authoritative) network time server and must have a direct connection to a hardware (Stratum 0) clock; the firewall policy must therefore allow the NTP service so that the Stratum 1 NTP server can reference the external hardware (Stratum 0) clock.

4. tftp;loop-dos (UDP port 69)
   The Trivial File Transfer Protocol (TFTP) is a simple protocol that provides basic file transfer functionality with no user authentication or directory listing capabilities.  Because of its simple design, TFTP can be implemented in code with a small memory footprint.  It is the protocol of choice for the initial stages of network booting strategies such as BOOTP, PXE and BSDP.  It is also used to transfer firmware images and configuration files to network appliances such as routers, firewalls and IP phones.  Today, TFTP is virtually unused for Internet transfers.

Recommendations

In the event that a Loop DoS Attack is confirmed, constituents are advised to implement the following recommendations.  Note: the security measures in relation to DNS continue to evolve because of its vulnerability to both Authoritative Attacks, e.g. DDoS Attacks, and Caching Recursive Attacks, e.g. Cache Poisoning Attacks, DNS Hijacking and DNS Tunnelling attacks.

No. Action - Description

1. Monitor Host Identified.
   Monitor network traffic to and from the host and network service identified in the report to establish whether they are receiving messages and responding to them, resulting in an endless loop.  If a Loop DoS Attack is confirmed, appropriate action should be taken to mitigate the attack, after which monitoring of both the host and its network services should be maintained to prevent any future recurrence.

2. Ingress Filtering.
   Ingress Filtering is implemented as a predefined security rule on the perimeter firewall to ensure that incoming packets actually originate from the networks they claim to come from; it is a countermeasure against spoofing attacks.

3. Egress Filtering.
   Egress Filtering is implemented as a predefined security rule on the perimeter firewall to monitor and restrict the flow of outbound packets from one network to another, ensuring that unauthorised or malicious traffic never leaves the internal network.

4. Local DNS Stub Resolver.
   A Local DNS Stub Resolver is a software component or service running on a computer that converts Fully Qualified Domain Name (FQDN) resolution requests from an application, such as a web browser, into DNS request messages.  The Local DNS Stub Resolver sends the DNS request message via the DNS firewall to a DNS Recursive Resolver whose IP address is included in its configuration, and the DNS Recursive Resolver returns the result to the application or web browser.  Local DNS Stub Resolvers do not perform recursion themselves; instead they talk to a DNS Recursive Resolver, which performs recursion on their behalf.

5. DNS Firewall.
   A DNS Firewall is an optimal policy enforcement point for DNS-specific protection from malware and advanced persistent threats (APTs).  It is a DNS service that utilises Response Policy Zones (RPZs) together with a threat intelligence (malware feed) service to protect against malware and APTs by disrupting the ability of infected devices to communicate with command-and-control (C&C) sites and botnets, preventing data exfiltration.

6. DNS Content Filtering.
   DNS Content Filtering intercepts DNS queries and determines whether to allow or block the requested domain based upon predefined criteria.  It is often used to block access to a malicious domain or website.  DNS blocklists, such as DNS-based blocklists (DNSBL) and Real-time blocklists (RBL), are lists of known malicious domains and IP addresses that should be avoided.

7. Access Control Lists.
   An Access Control List (ACL) contains rules, predefined by the Network Administrator, that grant or deny access to a system environment.  Strict ACLs should be implemented to control which devices and networks are allowed to access and use the network's DNS servers, including both the primary and the secondary DNS servers.  Access to internal DNS servers should be restricted to authorised users and systems.  Networking ACLs manage network access by providing instructions to network switches and routers that specify the types of traffic allowed to interface with the network; these ACLs also specify user permissions once inside the network.  A group of NTP servers at the same Stratum level are considered NTP Peers of each other.  ACLs can be implemented on NTP Peers to allow them to access NTP services on the local device; however, these ACLs provide only minimal security for a system running NTP.

8. NTP Authentication.
   The purpose of NTP authentication is to verify a time source.  NTP Authentication does not encrypt the NTP packets; it merely appends a cryptographic signature to each network packet, enabling the NTP client to be sure that the packet originated from the NTP server it expects and is not a spoofed packet modified by a man-in-the-middle attack.  NTPv4 introduced an Autokey feature that used private/public key pairs for authentication; however, the Autokey signatures were found not to provide an adequate level of protection.  In September 2020, the Internet Engineering Task Force (IETF) published RFC8915, approving the implementation of Network Time Security (NTS) for NTP.  NTS provides cryptographic security for the client-server mode of NTP, allowing users to obtain time in an authenticated manner.

9. Block Outdated & Unused Ports.
   On the perimeter firewall, it is recommended that communication over outdated or unused ports, protocols and applications be blocked.
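For recommendation 1 (monitoring the identified host), here is an added Python example, not part of the report, of a check a monitoring job can run over flow records to spot the loop signature: a host pair exchanging high-volume, near-symmetric traffic with both ends on the same service port, as opposed to normal client traffic that arrives from an ephemeral source port.  The flow records, the thresholds and the function name are constructed for this illustration; the ports are the three UDP services listed in the report.

```python
from collections import defaultdict

# UDP services named in the report and their ports.
SERVICE_PORTS = {53: "dns", 69: "tftp", 123: "ntp"}

# Constructed flow records for illustration (not a real capture):
# (src_ip, src_port, dst_ip, dst_port, packets)
SAMPLE_FLOWS = [
    ("198.51.100.10", 53, "203.0.113.20", 53, 48_000),  # resolver answering a resolver
    ("203.0.113.20", 53, "198.51.100.10", 53, 47_900),  # ... and vice versa
    ("192.0.2.5", 51234, "198.51.100.10", 53, 120),     # ordinary client queries
    ("198.51.100.10", 53, "192.0.2.5", 51234, 120),     # and their answers
    ("198.51.100.30", 123, "203.0.113.40", 123, 40),    # NTP peers, low volume
    ("203.0.113.40", 123, "198.51.100.30", 123, 40),
]

def find_loop_candidates(flows, min_packets=10_000, symmetry=0.8):
    """Flag host pairs that exchange traffic service-port to service-port in
    both directions, above a volume floor, with the two directions nearly equal
    (every message answered by a message).  Returns a list of
    (ip_a, ip_b, service, packets_a_to_b, packets_b_to_a)."""
    per_direction = defaultdict(int)
    for src, sport, dst, dport, pkts in flows:
        # Loop traffic is reply-to-reply: both ends use the service port.
        if sport == dport and sport in SERVICE_PORTS:
            per_direction[(src, dst, sport)] += pkts
    reported, candidates = set(), []
    for (a, b, port), fwd in per_direction.items():
        if (b, a, port) in reported:
            continue                      # pair already evaluated from the other side
        reported.add((a, b, port))
        rev = per_direction.get((b, a, port), 0)
        low, high = sorted((fwd, rev))
        if high >= min_packets and low >= symmetry * high:
            candidates.append((a, b, SERVICE_PORTS[port], fwd, rev))
    return candidates

if __name__ == "__main__":
    for hit in find_loop_candidates(SAMPLE_FLOWS):
        print("possible loop:", hit)
```

Legitimate NTP peering is also symmetric on port 123 at both ends, so the volume floor (and, on a live collector, the packet rate over the sampling window) is what separates it from a loop.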

Additional Information

Loop DoS Special Report.
RFC8633 - Network Time Protocol Best Current Practices.
RFC8915 - Network Time Security for the Network Time Protocol.
RFC1034 - Domain Names - Concepts and Facilities.
RFC1035 - Domain Names - Implementation and Specification.
ICANN - DNSSEC - What Is It and Why Is It Important.
NsLookup - What is a DNS stub resolver.
Infoblox - DNS Firewall is not a next Generation Firewall.
Infoblox - Infoblox DNS Security Resource Center.
SAFEDNS - DNS Security Best Practices.
SAFEDNS - DNS Firewall & DNS Filtering.
SAFEDNS - DNS Tunneling: An Overview of Cybersecurity Risks.
SAFEDNS - DNS Poisoning: Understanding the Threat and Securing Your Online Experience.
Trivial File Transfer Protocol Used in New DDoS Attack.
RFC1350 - The TFTP Protocol (Revision 2).
TimeTools - What is a Stratum 1 Time Server.