Forward to Hell? Misusing Transparent DNS Forwarders for Amplification Attacks
2 days ago
- #Network Threats
- #DNS Security
- #Reflective Amplification Attacks
- DNS infrastructure is vulnerable to reflective amplification attacks, with transparent DNS forwarders being a key threat vector.
- Transparent forwarders bypass firewalls and rate limiting, allowing attackers to access shielded recursive resolvers and scale attacks effectively.
- Our research shows that transparent forwarders are globally distributed, with a concentration in Brazil (31%) and India (24%).
- Most transparent forwarders (76%) use Google or Cloudflare public resolvers, such as 8.8.8.8 (64.25%) and 1.1.1.1 (9.09%).
- Fingerprinting identified MikroTik routers as the majority (76%) of transparent forwarders, but devices range from CPE to core routers across many vendors.
- Transparent forwarders never handle the amplified replies themselves (the recursive resolver answers the original source address directly), which makes attacks scale better than through recursive forwarders; lab tests showed up to 320 Mbit/s of attack traffic.
- Mitigation includes checking firewall rules, implementing network ingress filtering, configuring rate limiting, and using our published API to check for affected networks.
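The two traffic patterns a transparent forwarder produces, as described in the points above, can both be spotted in flow data: an outbound DNS query that leaves the network with a source address the operator does not own (the relayed, possibly spoofed client address), and an inbound DNS response for which no host ever sent a query. The following is an added example, not code from the original post or its authors; the prefix, addresses and flow records are constructed, and the detection runs over those records offline.

```python
# Added example (not from the original post): flag, in constructed flow records, the two
# traffic patterns a transparent DNS forwarder produces. All addresses below are made up.
import ipaddress
from collections import namedtuple

# direction: "in" = entering our network, "out" = leaving it; qr: False = query, True = response
Flow = namedtuple("Flow", "direction src sport dst dport qr")

# Constructed operator prefix (documentation range); replace with your own allocations.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

def is_own(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)

def spoofed_egress_queries(flows):
    """Outbound DNS queries whose source is not one of our addresses.

    A transparent forwarder relays a query upstream with the original (possibly spoofed)
    client address intact, so the resolver answers that client directly. Egress filtering
    (BCP 38) should drop these; if they appear, a transparent forwarder is leaking them.
    """
    return [(f.src, f.dst) for f in flows
            if f.direction == "out" and f.dport == 53 and not f.qr and not is_own(f.src)]

def unsolicited_responses(flows):
    """Inbound DNS responses for which no host of ours sent a matching query.

    This is the victim's view: amplified answers from a public resolver it never asked.
    """
    asked = {(f.src, f.dst) for f in flows
             if f.direction == "out" and f.dport == 53 and not f.qr and is_own(f.src)}
    return [(f.src, f.dst) for f in flows
            if f.direction == "in" and f.sport == 53 and f.qr and (f.dst, f.src) not in asked]

# Constructed records: one ordinary recursive forwarder (203.0.113.20), one transparent
# forwarder (203.0.113.10) relaying a query that still carries an outside source address,
# and one of our hosts (203.0.113.77) receiving answers it never requested.
SAMPLE_FLOWS = [
    Flow("in",  "198.51.100.7", 40000, "203.0.113.10", 53,    False),  # query hits the forwarder
    Flow("out", "198.51.100.7", 40000, "8.8.8.8",      53,    False),  # relayed, source unchanged
    Flow("out", "203.0.113.20", 51000, "8.8.8.8",      53,    False),  # recursive forwarder, own src
    Flow("in",  "8.8.8.8",      53,    "203.0.113.20", 51000, True),   # solicited answer
    Flow("in",  "8.8.8.8",      53,    "203.0.113.77", 33333, True),   # never asked for this
]

if __name__ == "__main__":
    print("spoofed egress queries:", spoofed_egress_queries(SAMPLE_FLOWS))
    print("unsolicited responses:", unsolicited_responses(SAMPLE_FLOWS))
```

Any hit from `spoofed_egress_queries` points at a device on your network that forwards without rewriting the source address; the fix is an egress filter on the border plus removing or reconfiguring the forwarding device.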