Spamhaus attacks expose huge open DNS server dangers
Warnings of security problems posed by poorly configured DNS servers go mostly unheeded for years
Computerworld - Massive distributed denial-of-service attacks on Spamhaus this week focused widespread attention on the huge security threats posed by millions of poorly configured Internet Domain Name System (DNS) servers.
The attacks on Spamhaus that began March 19 were apparently launched by a group opposed to the Geneva, Switzerland-based volunteer organization's antispam work.
Several security firms described the attacks on the organization as the largest -- by far -- ever publicly known DDoS attacks to date.
In DDoS attacks, hackers typically try to take down a network by directing huge volumes of useless traffic to it. The traffic is usually generated using large botnets of compromised computers.
Large DDoS attacks have typically tended to involve between 4 gigabits per second to 10Gbps of traffic.
The Spamhaus attacks involved traffic volumes that reached a staggering 300Gbps -- said to be three times larger than the largest DDoS traffic seen to date and magnitudes greater than the traffic involved in a majority of past denial-of-service attacks.
The perpetrators behind the attack employed the well-known but infrequently used method DNS reflection to generate the huge stream of DDoS traffic directed against Spamhaus.
DNS servers are used primarily to look up and resolve domain names such as www.computerworld.com and www.idg.com to their corresponding IP addresses. If a DNS server does not have the domain information in its database or cache, it queries other nearby DNS servers for the information.
Ideally, DNS servers should be configured only to handle look-up requests coming from within a specific domain or IP address range. So a DNS server belonging to an ISP should handle only requests coming from within its IP address range.
In reality, however, millions of DNS servers are configured by default to be open DNS resolvers that accept and respond to queries from outside their own domain, making them vulnerable to exploitation by attackers because virtually anyone on the Internet can use an open DNS server to handle genuine or malicious queries.
For instance, to generate DDoS traffic, the attackers behind the Spamhaus attack sent queries with a spoofed source address to tens of thousands of open DNS resolvers, said Matthew Prince, CEO of CloudFlare, which has been helping Spamhaus deal with the recent attacks.
The lookup requests were made to appear as if they came from Spamhaus. So the responses to the requests from the tens of thousands of open DNS resolvers were sent to Spamhaus, generating a huge volume of traffic.
To magnify the volume of traffic, the attackers crafted the look-up queries in such a manner as to get each open DNS server to respond with much larger volumes of data than normal, Prince said.
- New docs show DHS was more worried about critical infrastructure flaw in '07 than it let on
- Needed: Breach detection correction
- Evan Schuman: Resurrection of Full Disclosure mailing list is great news, if you're not a cyberthief
- Cyberattacks could paralyze U.S., former defense chief warns
- Syrian Electronic Army shanghais Microsoft's Twitter account, blog
- Is French outrage against U.S. spying misplaced?
- Lawmakers seek answers on Obamacare Data Hub security
- China-based hacking group behind hundreds of attacks on U.S. companies
- How to Prepare for a Potential Syrian Counterattack on the U.S. Power Grid
- New York Times site outage caused by attack on domain registrar, company says
- Transforming Information Security: Future-Proofing Processes This report provides a valuable set of recommendations from 19 of the world'd leading security officers to help organizations build security strategies for...
- The Evolution of Corporate Cyberthreats Cybercriminals are creating and deploying new threats every day that are more destructive than ever before. While you may have more people devoted...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- Establish Cyber Resiliency: Developing a Continuous Response Architecture Many enterprises fail to proactively prepare the battlefield for a data breach by only leveraging outdated techniques that focus on the perimeter or...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Cybercrime and Hacking White Papers | Webcasts