US-Cert Issues DNS Amplification DDoS Alert

By | April 01, 2013

Posted in: Network Security Trends , Enterprise DDoS Protection

Distributed Denial of Service (DDoS) attacks have become a routine part of the security threat landscape, striking banks, online retail sites and other interconnected targets. In addition to the well-publicized ongoing hacktivist DDoS campaign against global financial institutions (which hit, among others, American Express last week), attacks have been growing in size and frequency.

A spam war last week gave rise to one of the largest DDoS attacks on record, allegedly utilizing a method of DDoS attack known as DNS (domain name system) amplification.

The size and scope of this attack drew the attention of the US Computer Emergency Readiness Team (US-Cert), who issued an alert Friday regarding these sorts of attacks, the dangers they pose and potential solutions.

These DNS amplification attacks have been around for a while, leveraging the basic domain name protocol designed to translate domain names into numerical IP addresses. They capitalize on the fact that the answer to a routine DNS query often returns far more data than the query itself. These attacks utilize what are called open recursive servers, which -- as the name "open" suggests -- are configured to respond to any query they receive from any IP address, a must-have ingredient for an amplification attack.

US-Cert explains in greater detail.

"The basic attack technique consists of an attacker sending a DNS name lookup request to an open recursive DNS server with the source address spoofed to be the victim’s address. When the DNS server sends the DNS record response, it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. By leveraging a botnet to perform additional spoofed DNS queries, an attacker can produce an overwhelming amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks," said the alert.

US-Cert suggests a detection approach, since once these huge volumetric attacks begin, it is difficult to prevent or completely stop them.

They recommend several free web-based scanning tools that can identify Internet accessible open DNS servers. Two such tools are the Open DNS Resolver Project and the Measurement Factory. Both maintain a list of Internet accessible DNS servers and allow administrators to search for any open recursive resolvers that may be receptive to attack. This allows network administrators to take a proactive approach.

US-Cert adds that the only effective way to eliminate these potential attacks is to eliminate open recursive resolvers, which "requires a large-scale effort by numerous parties."
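The two points made above, that a reflected answer is many times larger than the spoofed query that triggered it, and that a resolver answering sources it was never meant to serve is an open recursive resolver, can both be checked from a resolver's own query logs. The following Python script is an added example and is not code from the alert, from US-Cert, or from Juniper; the log layout, the served-network list and the thresholds are all assumptions, and the log lines are constructed for the example. It groups queries by their claimed source address, reports sources outside the networks the resolver is supposed to serve (evidence the server is open), and flags sources that repeat the same query and receive heavily amplified answers (the pattern a spoofed-source reflection leaves at the resolver):

```python
"""Spot open-recursion and DNS-amplification patterns in resolver logs.

Added illustration, not from the US-Cert alert or the blog post. The log
format below (src qname qtype query_bytes response_bytes) is assumed, not
any real resolver's format, and every value in SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set

# Networks this resolver is meant to serve (assumed values). A recursive
# answer to any source outside them means the server is acting as an
# open recursive resolver.
SERVED_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Heuristic thresholds (assumed; tune to the environment).
AMPLIFICATION_THRESHOLD = 10.0  # response bytes divided by query bytes
QUERY_COUNT_THRESHOLD = 5       # repeated queries from one claimed source

# Constructed sample: two legitimate clients, one stray outside query, and a
# burst of ANY queries whose "source" is really a reflection victim.
SAMPLE_LOG = """
# src           qname             qtype query_bytes response_bytes
192.0.2.10      www.example.com   A     60  120
192.0.2.11      mail.example.com  MX    62  180
203.0.113.50    www.example.com   A     60  120
203.0.113.9     example.com       ANY   64  3000
203.0.113.9     example.com       ANY   64  3000
203.0.113.9     example.com       ANY   64  3000
203.0.113.9     example.com       ANY   64  3000
203.0.113.9     example.com       ANY   64  3000
203.0.113.9     example.com       ANY   64  3000
"""


class Record(NamedTuple):
    src: str            # claimed query source; spoofed in a reflection attack
    qname: str
    qtype: str
    query_bytes: int
    response_bytes: int


def parse_log(lines: List[str]) -> List[Record]:
    """Parse whitespace-separated log lines, skipping blanks and comments."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, qname, qtype, qb, rb = line.split()
        records.append(Record(src, qname, qtype, int(qb), int(rb)))
    return records


def is_served(src: str) -> bool:
    """True if the source lies inside a network this resolver should serve."""
    addr = ip_address(src)
    return any(addr in net for net in SERVED_NETWORKS)


def amplification(rec: Record) -> float:
    """Amplification factor of one exchange: response size over query size."""
    return rec.response_bytes / rec.query_bytes if rec.query_bytes else 0.0


def open_resolver_sources(records: List[Record]) -> Set[str]:
    """Sources answered even though they are outside the served networks."""
    return {r.src for r in records if not is_served(r.src)}


def find_suspects(records: List[Record]) -> Dict[str, dict]:
    """Flag outside sources that repeat queries and get amplified answers.

    From the resolver's vantage point the victim of a reflection attack looks
    like a client sending the same query over and over, so the claimed source
    here is the likely victim, not the attacker.
    """
    by_src: Dict[str, List[Record]] = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)
    suspects = {}
    for src, recs in by_src.items():
        if is_served(src):
            continue
        total_q = sum(r.query_bytes for r in recs)
        total_r = sum(r.response_bytes for r in recs)
        factor = total_r / total_q if total_q else 0.0
        if len(recs) >= QUERY_COUNT_THRESHOLD and factor >= AMPLIFICATION_THRESHOLD:
            suspects[src] = {
                "queries": len(recs),
                "amplification": round(factor, 1),
                "reflected_bytes": total_r,
            }
    return suspects


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    print("outside sources answered:", sorted(open_resolver_sources(recs)))
    for src, info in find_suspects(recs).items():
        print(f"likely reflection target {src}: {info}")
```

Any address reported by `open_resolver_sources` is a sign the server is answering recursive queries it should refuse, which is the condition US-Cert says has to be eliminated; `find_suspects` is only a heuristic and is useful for alerting, not for blocking, since the flagged address is the spoofed victim and dropping its traffic would finish the attacker's job.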

"According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, approximately '25 million pose a significant threat' of being used in an attack," according to US-Cert. A sure sign that the potential remains for another DDoS attack of the size that rocked the web last week.

While the size of this recent attack may have raised eyebrows, big doesn't always mean more dangerous. Kevin Kennedy, Senior Director of Product Management at Juniper Networks, said in a recent blog post that enterprises should be wary of every attack, especially the smaller, more sophisticated ones.

"[A] 25 thousand bit per second DDoS attack was recently able to take down one of the largest e-tailers in Europe within 2 minutes," wrote Kennedy. "Forget armies of bots, a single PC was enough. And precisely because it was so small, it was lost in the noise of legitimate user traffic, taking a full day to identify and remediate and putting $10M of sales at risk. Stealth, it seems, can be incredibly effective."
