Open DNS resolvers increasingly abused to amplify DDoS attacks, report says
The frequency of DNS-based DDoS amplification attacks has increased, researchers say
IDG News Service - Open and misconfigured DNS (Domain Name System) resolvers are increasingly used to amplify distributed denial-of-service (DDoS) attacks, according to a report released Wednesday by HostExploit, an organization that tracks Internet hosts involved in cybercriminal activities.
In the latest edition of its World Hosts Report, which covers the third quarter of 2012, the organization included data about open DNS resolvers and the Autonomous Systems -- large blocks of Internet Protocol (IP) addresses controlled by network operators -- where they are located.
That's because, according to HostExploit, incorrectly configured open DNS resolvers -- servers that can be used by anyone to resolve domain names to IP addresses -- are increasingly abused to launch powerful DDoS attacks.
DNS amplification attacks date back more than 10 years and are based on the fact that small DNS queries can result in significantly larger DNS responses.
An attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target's IP address. As a result, the resolvers will send their large responses back to the victim's IP address instead of the sender's address.
In addition to having an amplification effect, this technique makes it very hard for the victim to determine the original source of the attack and also makes it impossible for name servers higher up on the DNS chain that are queried by the abused open DNS resolvers to see the IP address of the victim.
"The fact that so many of these unmanaged open recursors exist allow the attackers to obfuscate the destination IPs of the actual DDoS targets from the operators of the authoritative servers whose large records they're abusing," said Roland Dobbins, solutions architect in the Security & Engineering Response Team at DDoS protection vendor Arbor Networks, Thursday via email.
"It's also important to note that the deployment of DNSSEC has made DNS reflection/amplification attacks quite a bit easier, as the smallest response the attacker will stimulate for any query he chooses is at least 1300 bytes," Dobbins said.
Even though this attack method has been known for years, "DDoS amplification is used far more frequently now and to devastating effect," Bryn Thompson of HostExploit wrote Wednesday in a blog post.
"We have seen this recently and we see it increasing," Neal Quinn, the chief operating officer of DDoS mitigation vendor Prolexic, said Thursday via email.
"This technique allows relatively small botnets to create large floods toward their target," Quinn said. "The problem is serious because it creates large volumes of traffic, which can be difficult to manage for many networks without use of a cloud mitigation provider."
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts