Open DNS resolvers used to amplify DDoS attacks, hide original source
The frequency of DNS-based DDoS amplification attacks has increased, researchers say
By Lucian Constantin | Published: 10:28, 26 October 2012
Open and misconfigured DNS (Domain Name System) resolvers are increasingly used to amplify distributed denial-of-service (DDoS) attacks, according to a report released Wednesday by HostExploit, an organisation that tracks Internet hosts involved in cybercriminal activities.
In the latest edition of its World Hosts Report, which covers the third quarter of 2012, the organisation included data about open DNS resolvers and the Autonomous Systems - large blocks of Internet Protocol (IP) addresses controlled by network operators - where they are located.
That's because, according to HostExploit, incorrectly configured open DNS resolvers - servers that can be used by anyone to resolve domain names to IP addresses - are increasingly abused to launch powerful DDoS attacks.
Related Articles on Techworld
DNS amplification attacks date back more than 10 years and are based on the fact that small DNS queries can result in significantly larger DNS responses.
An attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target's IP address. As a result, the resolvers will send their large responses back to the victim's IP address instead of the sender's address.
In addition to having an amplification effect, this technique makes it very hard for the victim to determine the original source of the attack and also makes it impossible for name servers higher up on the DNS chain that are queried by the abused open DNS resolvers to see the IP address of the victim.
"The fact that so many of these unmanaged open recursors exist allow the attackers to obfuscate the destination IPs of the actual DDoS targets from the operators of the authoritative servers whose large records they're abusing," said Roland Dobbins, solutions architect in the Security & Engineering Response Team at DDoS protection vendor Arbor Networks, Thursday via email.
"It's also important to note that the deployment of DNSSEC has made DNS reflection/amplification attacks quite a bit easier, as the smallest response the attacker will stimulate for any query he chooses is at least 1300 bytes," Dobbins said.
Even though this attack method has been known for years, "DDoS amplification is used far more frequently now and to devastating effect," Bryn Thompson of HostExploit wrote Wednesday in a blog post.
"We have seen this recently and we see it increasing," Neal Quinn, the chief operating officer of DDoS mitigation vendor Prolexic, said Thursday via email.
"This technique allows relatively small botnets to create large floods toward their target," Quinn said. "The problem is serious because it creates large volumes of traffic, which can be difficult to manage for many networks without use of a cloud mitigation provider."
Dobbins couldn't immediately share any data about the recent frequency of DNS-based DDoS amplification attacks, but noted that SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol) reflection/amplification attacks "can also generate very large, overwhelming attack sizes."
In its report, HostExploit ranked the Autonomous Systems with the largest number of open DNS resolvers in their IP address spaces. The top one, controlled by Terra Networks Chile, contains more than 3,200 open resolvers in a pool of around 1.3 million IPs. The second one, controlled by Telecomunicacoes de Santa Catarina (TELESC) - now part of Oi, Brazil's largest telecom operator - contains nearly 3,000 resolvers in a space of 6.3 million IP addresses.
"It should be stressed open recursive nameservers are not a problem in themselves; it is the mis-configuration of a nameserver where the potential problem lays," HostExploit said in its report.