Programming Assignment 5: DNS and Amplification Attacks

Overview

This assignment explores the Domain Name System (DNS) and demonstrates DNS amplification attacks in a controlled environment. You'll learn how DNS works, implement DNS queries, and understand distributed denial-of-service (DDoS) attack vectors.

Learning Objectives

  • Understand DNS protocol structure and operation
  • Implement DNS query and response parsing
  • Learn about DNS security vulnerabilities
  • Understand amplification attack principles
  • Study DDoS mitigation techniques

Prerequisites

  • Understanding of DNS hierarchy and resolution
  • Network programming experience
  • Knowledge of UDP protocol

⚠️ Legal and Ethical Warning

CRITICAL:
- DNS amplification attacks are ILLEGAL when conducted without authorization
- This assignment must be completed in an isolated lab environment ONLY
- Never target external DNS servers or networks
- Violation will result in immediate course failure and legal prosecution
- Use ONLY the provided lab infrastructure

Part 1: DNS Query Implementation (30 points)

Tasks

  1. Implement a basic DNS resolver that:
    - Constructs DNS query packets manually
    - Sends queries via UDP to DNS servers
    - Parses DNS response packets
    - Extracts A, AAAA, MX, NS records

  2. Support query types:
    - A (IPv4 address)
    - AAAA (IPv6 address)
    - MX (Mail exchange)
    - NS (Name server)
    - TXT (Text records)

  3. Implement recursive resolution:
    - Start from root servers
    - Follow referrals
    - Cache responses
    - Measure query resolution time

Requirements

  • Parse DNS packet format according to RFC 1035
  • Handle compression pointers in DNS names
  • Implement timeout and retry logic
  • Support multiple questions in one query (parse QDCOUNT generically, but be aware that most servers reject or ignore QDCOUNT > 1, and RFC 9619 now requires QDCOUNT to be 0 or 1 in the QUERY opcode; test this against your own lab server and document what it does)
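The following is an added example (stdlib only, not course-provided code) that covers the Part 1 building blocks in one place: manual query construction, header and section parsing per RFC 1035, RDATA decoding for the record types listed above, and compression-pointer handling that refuses forward or self-referencing pointers, which is the classic way a hostile reply hangs a naive parser. The reply bytes at the bottom are constructed by hand, not captured from a server.

```python
"""RFC 1035 wire format for Part 1: build a query, parse a reply, follow compression
pointers safely. Added example using only the stdlib; SAMPLE_RESPONSE is hand-built,
not captured from a server."""
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}

def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00'; queries are sent uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype="A", txid=None, rd=True):
    """Return (txid, wire) for a one-question query; RD=1 asks the server to recurse."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it).
    Pointers (top bits 11) must point backwards, which rules out pointer loops."""
    labels, end = [], None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward or self-referencing pointer")
            end = off + 2 if end is None else end       # resume after the first pointer
            off = ptr
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_rdata(msg, rtype, off, rdlen):
    """Decode RDATA for the Part 1 record types; anything else comes back as hex."""
    data = msg[off:off + rdlen]
    if rtype == 1:
        return socket.inet_ntop(socket.AF_INET, data)
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, data)
    if rtype == 2:                                      # NS: one compressible name
        return decode_name(msg, off)[0]
    if rtype == 15:                                     # MX: preference, exchange
        return struct.unpack("!H", data[:2])[0], decode_name(msg, off + 2)[0]
    if rtype == 16:                                     # TXT: <len><chars> repeated
        parts, i = [], 0
        while i < rdlen:
            parts.append(data[i + 1:i + 1 + data[i]].decode("latin-1"))
            i += 1 + data[i]
        return parts
    return data.hex()

def parse_response(msg, expect_txid=None):
    """Parse the header and all four sections into a dict of tuples."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    out = {"id": txid, "qr": flags >> 15, "tc": (flags >> 9) & 1, "rcode": flags & 0xF,
           "questions": [], "answers": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        out["questions"].append((name, QTYPE_NAME.get(qtype, qtype)))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlen > len(msg):
                raise ValueError("RDATA runs past end of message")
            out[section].append((name, QTYPE_NAME.get(rtype, rtype), ttl,
                                 parse_rdata(msg, rtype, off, rdlen)))
            off += rdlen
    return out

# Constructed reply to build_query("example.com", "A", txid=0x1234): flags 0x8180 =
# QR|RD|RA, NOERROR; the answer's owner name is the pointer C0 0C to offset 12.
_TXID, _QUERY = build_query("example.com", "A", txid=0x1234)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", _TXID, 0x8180, 1, 1, 0, 0) + _QUERY[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34]))
```

To put this on the wire, send the bytes from build_query with a UDP socket, call settimeout before recvfrom, resend on socket.timeout up to your retry limit, and pass the txid you sent as expect_txid so a stray or spoofed reply with the wrong ID is rejected rather than parsed; a reply with tc set is your signal to retry over TCP with the 2-byte length prefix.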

Deliverable

  • Working DNS resolver
  • Comparison with dig and nslookup
  • Performance measurements

Part 2: DNS Amplification Demonstration (35 points)

Tasks

  1. Setup Isolated Lab Environment:
    - Create isolated virtual network (NO INTERNET ACCESS)
    - Deploy DNS server (BIND9)
    - Configure attacker, amplifier, and victim VMs
    - Ensure complete isolation from external networks

  2. Implement Amplification Attack (for education ONLY):
    - Create program that sends DNS queries with spoofed source IP
    - Request record types that produce large responses (e.g., ANY, TXT, DNSKEY), and include an EDNS0 OPT record advertising a large UDP buffer; without EDNS0 the response is capped at 512 bytes and truncated (TC=1), and a server applying RFC 8482 returns a minimal answer to ANY, so check what your BIND configuration actually does
    - Demonstrate amplification factor
    - Measure traffic volume multiplication

  3. Measurements:
    - Calculate the amplification factor: the bandwidth amplification factor is UDP payload bytes sent to the victim divided by UDP payload bytes sent by the attacker; also report the packet amplification factor (packets out / packets in) and state whether your numbers include IP/UDP headers, since the two conventions differ noticeably for small queries
    - Measure bandwidth consumption at victim
    - Test with different query types
    - Analyze packet captures
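An added example (not course-provided code) of the measurement step: it pairs each query seen at the amplifier with the reply it triggered (same transaction ID, reply destination equal to query source) and reports bandwidth, packet and on-the-wire amplification per query type, in the definitions used above. Unpaired replies are counted separately, because that is all a victim ever sees. The packets are constructed inline with the lab addresses from the setup section rather than read from a capture; in practice you would produce the same (src, dst, udp_payload) triples from a pcap with scapy or dpkt.

```python
"""Amplification-factor measurement for Part 2 (added example, stdlib only).

Input is a list of (src_ip, dst_ip, udp_payload) triples as you would pull out of
a capture with scapy or dpkt; SAMPLE_PACKETS below are constructed, not captured."""
import struct
from collections import defaultdict

IPV4_UDP_OVERHEAD = 20 + 8          # header bytes added to each UDP payload on the wire

def dns_summary(payload):
    """Return (txid, is_response, qtype of first question) from a DNS payload."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount == 0:
        return txid, bool(flags & 0x8000), None
    off = 12
    while True:                     # skip the QNAME; we only need the QTYPE after it
        length = payload[off]
        if length & 0xC0 == 0xC0:   # compression pointer ends the name (2 bytes)
            off += 2
            break
        off += 1 + length
        if length == 0:
            break
    return txid, bool(flags & 0x8000), struct.unpack("!H", payload[off:off + 2])[0]

def measure(packets, amplifier_ip):
    """Pair each query to the amplifier with the reply it triggers (same txid,
    reply destination == query source) and return per-QTYPE factors plus the
    number of replies with no matching query, which is what the victim sees."""
    pending = {}                    # (txid, client_ip) -> qtype
    stats = defaultdict(lambda: {"q": 0, "r": 0, "qbytes": 0, "rbytes": 0})
    unsolicited = 0
    for src, dst, payload in packets:
        txid, is_resp, qtype = dns_summary(payload)
        if not is_resp and dst == amplifier_ip:
            pending[(txid, src)] = qtype
            stats[qtype]["q"] += 1
            stats[qtype]["qbytes"] += len(payload)
        elif is_resp and src == amplifier_ip:
            if (txid, dst) not in pending:
                unsolicited += 1
                continue
            qtype = pending.pop((txid, dst))
            stats[qtype]["r"] += 1
            stats[qtype]["rbytes"] += len(payload)
    report = {}
    for qtype, s in stats.items():
        report[qtype] = {
            "BAF": s["rbytes"] / s["qbytes"],                     # UDP payload bytes out / in
            "PAF": s["r"] / s["q"],                               # packets out / in
            "wire": (s["rbytes"] + IPV4_UDP_OVERHEAD * s["r"])    # with IPv4 + UDP headers
                    / (s["qbytes"] + IPV4_UDP_OVERHEAD * s["q"]),
        }
    return report, unsolicited

def make_query(name, qtype, txid, edns=False):
    """Constructed query; with edns=True an OPT record advertises a 4096-byte buffer."""
    labels = b"".join(bytes([len(x)]) + x.encode() for x in name.split(".")) + b"\x00"
    msg = (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, int(edns))
           + labels + struct.pack("!HH", qtype, 1))
    return msg + (b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b"")

def make_reply(query, rtype, rdata):
    """Constructed reply: echo the question, add one record owned by the question name."""
    qend = 12 + query[12:].index(b"\x00") + 1 + 4
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    return (header + query[12:qend] + b"\xc0\x0c"
            + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata)

AMP, VICTIM, ATTACKER = "192.168.100.20", "192.168.100.30", "192.168.100.10"  # lab VMs
A_QUERY = make_query("example.com", 1, 0x0001)
ANY_QUERY = make_query("example.com", 255, 0x0002, edns=True)
BIG_TXT = b"".join(b"\xff" + b"x" * 255 for _ in range(11))      # 2816-byte TXT RDATA
SAMPLE_PACKETS = [
    (ATTACKER, AMP, A_QUERY),                                      # honest A lookup
    (AMP, ATTACKER, make_reply(A_QUERY, 1, bytes([93, 184, 216, 34]))),
    (VICTIM, AMP, ANY_QUERY),                 # spoofed ANY query as the amplifier sees it
    (AMP, VICTIM, make_reply(ANY_QUERY, 16, BIG_TXT)),
    (AMP, VICTIM, make_reply(make_query("example.com", 255, 0x0003, edns=True),
                             16, BIG_TXT)),   # reply whose query was never captured
]
```

The report is keyed by numeric QTYPE (1 for A, 255 for ANY). In the constructed sample the 40-byte EDNS0 ANY query draws a 2857-byte reply, a payload factor of about 71 against about 1.6 for the plain A lookup; a real capture will also show replies larger than the advertised buffer coming back truncated, which is why the EDNS0 OPT record matters for the attacker.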

Safety Requirements

  • MANDATORY: Completely air-gapped lab network
  • Use private (RFC 1918) IP addresses only: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Disable all external network connections
  • VM snapshots before testing
  • Instructor verification of lab isolation

Deliverable

  • Lab topology diagram
  • Attack implementation (commented extensively)
  • Packet captures showing amplification
  • Analysis of amplification factors

Part 3: DNS Security Analysis (25 points)

Tasks

  1. Vulnerability Analysis:
    - Identify why DNS amplification works
    - Explain role of UDP and source IP spoofing
    - Analyze open resolver problem
    - Study real-world DDoS incidents

  2. Mitigation Research:
    - Response Rate Limiting (RRL)
    - BCP 38 (ingress filtering)
    - DNS cookies (RFC 7873)
    - DNSSEC implications

  3. Implementation:
    - Configure DNS server with RRL
    - Demonstrate effectiveness
    - Measure impact on legitimate traffic
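An added example of the configuration side of this task (a named.conf excerpt written for this page, not a file shipped with the course lab). It shows the open-resolver setting that makes the amplifier VM abusable next to the hardened setting, the RFC 8482 minimal-ANY switch, and a rate-limit block started in log-only mode so you can measure what RRL would drop before it drops anything. The 192.168.100.0/24 prefix is the lab network from the setup section; the numeric limits are assumed starting values.

```conf
// named.conf excerpt (added example). Lab "amplifier" setting shown commented out,
// hardened setting active. BIND 9.11+ for minimal-any; RRL is available since 9.9.
options {
    listen-on { 192.168.100.20; };

    // Open resolver (what Part 2's amplifier VM deliberately runs):
    //   recursion yes;
    //   allow-recursion { any; };
    // Hardened: recurse only for the networks you actually serve.
    recursion yes;
    allow-recursion { 192.168.100.0/24; };

    // RFC 8482: answer ANY with one RRset instead of everything at the name.
    minimal-any yes;

    // Response Rate Limiting: identical responses to the same client block are capped.
    // Excess responses are dropped, or with "slip" every Nth one is sent as a tiny
    // TC=1 reply so a genuine client retries over TCP while a spoofed victim gets
    // nothing large.
    rate-limit {
        responses-per-second 10;   // identical responses per block per second
        window 5;                  // seconds over which the rate is averaged
        slip 2;                    // every 2nd dropped response becomes a truncated reply
        ipv4-prefix-length 24;     // clients are grouped by /24
        log-only yes;              // measure first; set to "no" to enforce
    };
};
```

Run named-checkconf before rndc reconfig, and watch the rate-limit logging category: in log-only mode it records what would have been limited, which gives you the Part 3 measurement of impact on legitimate traffic before you enforce. RRL was designed for authoritative servers; on a recursive server like the lab amplifier it also throttles legitimate clients that repeat the same query, which is exactly the trade-off this task asks you to quantify.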

Discussion Topics

  • Why do open resolvers exist?
  • Economic incentives in DDoS attacks
  • Responsibility of DNS operators
  • Evolution of amplification attacks

Part 4: Detection and Defense (10 points)

Tasks

  1. Implement attack detection:
    - Monitor DNS query patterns
    - Identify likely spoofed queries (the amplifier cannot prove a source address is forged, but a flood of identical high-yield queries from one "client", and at the victim, responses with no matching outstanding query, are strong indicators)
    - Detect abnormal query rates
    - Generate alerts

  2. Test defensive measures:
    - Rate limiting
    - Query filtering
    - Source IP validation
    - Cache poisoning prevention
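An added example of a detection algorithm for this part (not course-provided code): a sliding-window detector that alerts when a single source address exceeds a query rate and, at the same time, most of its queries are the high-yield types an amplification attacker favours, or all hit one name. The input lines are constructed to mirror BIND's querylog format and the thresholds are assumed starting points; Part 4's false-positive analysis is exactly the work of tuning them against a baseline of your own normal traffic (a busy legitimate forwarder can also exceed 20 qps).

```python
"""Per-source rate and query-mix detector for Part 4 (added example, stdlib only).

Input lines are constructed to mirror BIND's querylog format; the thresholds are
assumed starting points and must be tuned against a baseline of normal traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_line(line):
    """Return (timestamp, source_ip, qname, qtype), or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            m["ip"], m["qname"], m["qtype"])

class AmplificationDetector:
    """Sliding window per source address. From the amplifier's vantage point a
    spoofed flood is one 'client' (really the victim) sending far more queries
    than normal, almost all of them for high-yield types or for a single name."""
    AMP_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

    def __init__(self, window_s=5, max_qps=20, amp_ratio=0.5):
        self.window = timedelta(seconds=window_s)
        self.window_s = window_s
        self.max_qps, self.amp_ratio = max_qps, amp_ratio
        self.events = defaultdict(deque)        # ip -> deque of (ts, qname, qtype)
        self.alerted = set()                    # one alert per source, no re-firing

    def feed(self, line):
        """Consume one log line (in time order); return an alert dict or None."""
        rec = parse_line(line)
        if rec is None:
            return None
        ts, ip, qname, qtype = rec
        q = self.events[ip]
        q.append((ts, qname, qtype))
        while ts - q[0][0] > self.window:       # expire events outside the window
            q.popleft()
        qps = len(q) / self.window_s
        amp_share = sum(1 for _, _, t in q if t in self.AMP_TYPES) / len(q)
        one_name = len(q) > 10 and len({n for _, n, _ in q}) == 1
        if (qps > self.max_qps and (amp_share >= self.amp_ratio or one_name)
                and ip not in self.alerted):
            self.alerted.add(ip)
            return {"ip": ip, "qps": qps, "amp_share": amp_share, "at": ts.isoformat()}
        return None

    def run(self, lines):
        return [a for a in map(self.feed, lines) if a]

def make_line(ts, ip, qname, qtype, port):
    """Constructed querylog-style line (the @0x... client handle is filler)."""
    return "%s client @0x7f3c5c0012a0 %s#%d (%s): query: %s IN %s +E(0)K (192.168.100.20)" % (
        ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3], ip, port, qname, qname, qtype)

T0 = datetime(2024, 1, 15, 12, 0, 0)
SAMPLE_LOG = []
for i in range(8):       # benign: a few A/AAAA lookups from the attacker VM over 8 s
    SAMPLE_LOG.append(make_line(T0 + timedelta(seconds=i), "192.168.100.10",
                                "www.example.com", "A" if i % 2 else "AAAA", 50000 + i))
for i in range(150):     # flood: 150 ANY queries in 0.9 s bearing the victim's spoofed address
    SAMPLE_LOG.append(make_line(T0 + timedelta(seconds=3, milliseconds=6 * i),
                                "192.168.100.30", "example.com", "ANY", 60000 + i))
SAMPLE_LOG.sort()        # same day, zero-padded times: string order equals time order
```

Feed it `tail -f` output from the query log (or lines reconstructed from a pcap) and the victim address surfaces as the "client" once its window crosses the rate threshold; the benign client never does. Because the detector keys on the source address, a spoofing attacker can dodge it by rotating victim addresses within a prefix, which is the reason BIND's RRL groups clients by /24 rather than by single address.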

Deliverable

  • Detection algorithm
  • Effectiveness analysis
  • False positive/negative rates
  • Recommendations for DNS operators

Bonus (10 points)

Option 1: DNSSEC Implementation

  • Implement DNSSEC validation
  • Demonstrate signature verification
  • Analyze performance overhead
  • Discuss adoption challenges

Option 2: Other Amplification Vectors

Research and demonstrate (in isolated lab):
- NTP amplification
- SNMP amplification
- SSDP amplification
- Compare amplification factors

Submission Requirements

Submit a ZIP file containing:

  1. All source code (heavily commented)
  2. Lab setup documentation:
    - Network topology
    - VM configurations
    - Isolation verification
  3. Packet captures (pcap files)
  4. Comprehensive report (6-8 pages):
    - DNS protocol explanation
    - Attack methodology
    - Measurements and analysis
    - Security discussion
    - Mitigation recommendations
    - Ethics reflection

Lab Setup Instructions

Required VMs (Isolated Network)

  1. Attacker VM:
    - Linux with Python/Scapy
    - No internet access
    - IP: 192.168.100.10

  2. DNS Amplifier VM:
    - BIND9 DNS server
    - Open resolver configuration
    - IP: 192.168.100.20

  3. Victim VM:
    - Traffic monitoring tools
    - IP: 192.168.100.30

Network Configuration

# Ensure isolation - NO default gateway (ip route must show no "default" entry)
# Use host-only or internal network in VirtualBox/VMware; detach any NAT adapter
# Verify isolation with: ping 8.8.8.8 (should FAIL) AND dig @8.8.8.8 example.com (should time out)
# A failed ping alone proves nothing: the attack traffic is UDP, so test UDP as well as ICMP

Discussion Questions

  1. What makes DNS particularly vulnerable to amplification attacks?
  2. How does source IP spoofing work, and why is it still possible?
  3. What is BCP 38, and why isn't it universally deployed?
  4. How do DDoS-for-hire services utilize amplification attacks?
  5. What are the trade-offs between open resolvers and security?
  6. How does DNSSEC affect amplification attack potential?
  7. What responsibilities do DNS operators have?

Grading Rubric

Component Points
DNS Query Implementation 30
Amplification Demonstration 35
Security Analysis 25
Detection and Defense 10
Lab Isolation 10 (mandatory)
Code Quality 10
Report 10
Bonus 10
Total 130 (140 with bonus)

Due Date

Three weeks from assignment date

Resources

  • Course textbook Chapter 7 (Application Layer - DNS)
  • RFC 1035 (DNS Specification)
  • RFC 7873 (DNS Cookies)
  • RFC 8482 (minimal-sized responses to ANY queries)
  • BCP 38: Network Ingress Filtering
  • US-CERT Alert on DNS Amplification Attacks
  • "Understanding the Mirai Botnet" paper

DNS Packet Format Reference

DNS Header Format:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                      ID                       |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QDCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ANCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    NSCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ARCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Tips

  • Use Scapy for packet crafting: DNS(rd=1, qd=DNSQR(qname="example.com"))
  • Wireshark display filter: dns
  • Test DNS queries with: dig @server domain type
  • Use tcpdump -n port 53 to monitor DNS traffic
  • Start with small-scale tests
  • Document EVERYTHING in your lab notebook
  • Take VM snapshots before experiments
  • Verify network isolation multiple times

Instructor Verification Required

Before beginning Part 2, you must:
1. Submit lab topology diagram
2. Demonstrate network isolation to TA/instructor
3. Receive written approval to proceed
4. Sign ethics agreement

Ethics Pledge

"I understand that DNS amplification attacks are illegal and harmful. I will only conduct this assignment in an isolated lab environment. I will never perform these attacks against unauthorized systems. I understand the serious legal and ethical implications and commit to responsible use of this knowledge."

Signature: __ Date: ______

Academic Integrity

This is an individual assignment. The attack implementation must be your own work. Sharing attack code or conducting unauthorized scanning will result in severe academic and potentially legal consequences.