VeriSign details massive denial-of-service attacks
Hackers used botnets and DNS servers to swamp networks with torrents of data
Computerworld - A sudden increase in a particularly dangerous type of distributed denial-of-service (DDoS) attack could portend big trouble for companies, according to VeriSign Inc.
The Mountain View, Calif.-based company said that about 1,500 organizations worldwide were attacked earlier this year by unknown hackers who employed botnets and Domain Name System (DNS) servers to swamp networks with unmanageable torrents of data.
The attacks, which started on Jan. 3 and ended in mid-February, were notable because they employed an especially devastating kind of DDoS attack, said Ken Silva, VeriSign's chief security officer.
Such an attack typically involves thousands of compromised zombie systems sending torrents of useless data or requests for data to targeted servers or networks -- rendering them inaccessible for legitimate use.
In this case, attackers sent spoofed domain-name requests from botnets to DNS servers, which processed the requests and then sent replies to the spoofed victims, according to Silva.
When the number of requests is in the thousands, the attacker could potentially generate a multigigabit flood of DNS replies directed at the spoofed server, according to a description of such attacks on US-CERT Web site (download PDF).
This is known as an amplifier attack because this method takes advantage of misconfigured DNS servers to reflect the attack onto a target, while amplifying the volume of packets, the CERT description said.
Unlike typical DDoS attacks, the volume of data generated by amplifer attacks is greater by several orders of magnitude, Silva said. Though this type of attack is not especially new, the latest wave demonstrates how good hackers are getting at launching them, he said.
It really demonstrates how much horsepower these people have developed and how efficient they are at developing it, he said.
One of the major reasons such attacks work is because a vast majority of DNS servers on the Internet have recursive configurations, said Mark Loveless, security architect with Vernier Networks Inc. in Mountain View, Calif.
Recursive DNS servers process domain name requests even for addresses that belong to some other domain. A non-recursive DNS server, on the other hand, only provides name information that it has locally. According to CERT, about 80% of the installed DNS servers worldwide have enabled recursion.
I dont want my DNS server to look for an address that belongs to someone else," Loveless said. "I only want it to look for addresses that belong to me. Thats the change that needs to be made." In the attacks earlier this year, DNS servers were used as enablers in the attacks, not as targets. But they can just as easily become targets, Loveless said.
Another big concern is the amplification techniques hackers are using to make their DDoS attacks more disruptive, said Paul Mockapetris, inventor of the Internet's core Domain Name System and chairman of IP address management vendor Nominum Inc. in Redwood City, Calif.
One way to do this is by crafting a domain query in such a manner as to cause the server to generate repeated fetches of a large amount of data, he said. Rather than jamming the input of a particular machine you are jamming output by pulling a lot of data out if it."
Such amplification can create problems not just for the target system but also for the DNS server itself, he said.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts