In the past few weeks, we’ve been hearing more about a type of DDoS attack called a DNS amplification attack. In sending out a general alert about this type of attack, the U.S. Computer Emergency Readiness Team (US-CERT) defined the problem as follows:
“The basic attack technique consists of an attacker sending a DNS name lookup request to an open recursive DNS server with the source address spoofed to be the victim’s address. When the DNS server sends the DNS record response, it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. By leveraging a botnet to perform additional spoofed DNS queries, an attacker can produce an overwhelming amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.”
This type of attack garnered quite a bit of attention at the end of March when Spamhaus.org was apparently hit with a fairly strong DNS amplification attack. The service provider CloudFlare says it was instrumental in mitigating the attack and wrote about it in detail on its blog.
As a global content delivery network and web accelerator, CloudFlare hosts websites for a lot of customers, some of which are bound to be targets of DDoS attacks at one time or another. In a blog post last October, Matthew Prince of CloudFlare wrote about DNS amplification attacks, saying “These attacks are some of the largest, as measured by the number of Gigabits per second (Gbps), that we see directed toward our network.”
If this kind of attack against individual websites is common and serious, then there must be something that the average enterprise organization can do to avoid falling victim to a DNS amplification attack. At least, one would think so.
I asked Chip Marshall, a network and security analyst at managed DNS company Dyn, what an enterprise user of the Internet can do. His response: “Not a whole lot, unfortunately. It is mostly in the hands of carriers to be implementing things like BCP 38 to prevent packets from being spoofed in the first place. Probably the best thing that end users could be doing is, when they sign up with an ISP, asking the ISP if they implement this [BCP 38], and just raise awareness and get more network providers on board for best practices.”
OK, so the average company with a website is really dependent on its Internet connectivity provider to adhere to a global standard for ingress filtering. More than a decade ago, the Network Working Group of the Internet Engineering Task Force published BCP 38, which was specifically formulated to help prevent denial of service attacks that employ IP address spoofing: a provider checks that every packet entering its network from a customer carries a source address actually assigned to that customer, and drops the rest. Unfortunately, the uptake of this standard has not been good, and the pool of servers that can be abused as reflectors remains enormous. According to the Open DNS Resolver Project and US-CERT, of the 27 million known DNS resolvers on the Internet, approximately 25 million pose a significant threat of being used in an amplification attack.
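To make the BCP 38 check concrete, here is an added example (not code from the article, Dyn, CloudFlare or US-CERT) that models the source-address validation a provider edge would apply to customer traffic, and estimates the reflected traffic that dropping spoofed queries keeps away from the claimed source. The interface names, prefixes, sample packets and the amplification factor are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical provider edge: each customer-facing interface maps to the
# prefixes that may legitimately source traffic there (constructed ranges
# from the RFC 5737 / RFC 3849 documentation blocks, not real networks).
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

@dataclass
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source address the packet claims
    dst: str          # destination (e.g. an open resolver)
    size: int         # bytes on the wire

def bcp38_allows(pkt: Packet) -> bool:
    """Ingress filter in the spirit of BCP 38: a packet entering on a customer
    interface must carry a source address assigned to that customer. Anything
    else is treated as spoofed. Address/network version mismatches compare
    as 'not contained', so v4 sources never match v6 prefixes and vice versa."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in INGRESS_PREFIXES.get(pkt.ingress_if, []))

def filter_ingress(pkts):
    """Split a batch of packets into (forwarded, dropped) by the BCP 38 rule."""
    forwarded, dropped = [], []
    for p in pkts:
        (forwarded if bcp38_allows(p) else dropped).append(p)
    return forwarded, dropped

def reflected_bytes_prevented(dropped, amplification=30):
    """Per claimed (victim) source, estimate the response traffic an open
    resolver would have reflected had the spoofed queries been forwarded.
    The amplification factor is a constructed figure, not one from the article."""
    out = defaultdict(int)
    for p in dropped:
        out[p.src] += p.size * amplification
    return dict(out)

# Constructed sample batch: small DNS-sized queries aimed at a resolver address.
SAMPLE = [
    Packet("cust-a", "203.0.113.10", "192.0.2.53", 64),     # legitimate
    Packet("cust-a", "198.51.100.77", "192.0.2.53", 64),    # not cust-a's: spoofed
    Packet("cust-b", "198.51.100.20", "192.0.2.53", 64),    # legitimate
    Packet("cust-b", "2001:db8:b::1", "2001:db8::53", 80),  # legitimate IPv6
    Packet("cust-b", "198.51.100.200", "192.0.2.53", 64),   # outside the /25: spoofed
    Packet("unknown-if", "203.0.113.5", "192.0.2.53", 64),  # no prefixes known: dropped
]
```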
What are these Internet connectivity companies waiting for—more attacks that will affect their customers? Shame on them if they haven’t taken the basic steps outlined by BCP 38! There’s no excuse for leaving this vulnerability out in the open and putting their customers at risk.