Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Open DNS resolvers used to amplify DDoS attacks, hide original source

The frequency of DNS-based DDoS amplification attacks has increased, researchers say

Article comments

Open and misconfigured DNS (Domain Name System) resolvers are increasingly used to amplify distributed denial-of-service (DDoS) attacks, according to a report released Wednesday by HostExploit, an organisation that tracks Internet hosts involved in cybercriminal activities.

In the latest edition of its World Hosts Report, which covers the third quarter of 2012, the organisation included data about open DNS resolvers and the Autonomous Systems - large blocks of Internet Protocol (IP) addresses controlled by network operators - where they are located.

That's because, according to HostExploit, incorrectly configured open DNS resolvers - servers that can be used by anyone to resolve domain names to IP addresses - are increasingly abused to launch powerful DDoS attacks.

DNS amplification attacks date back more than 10 years and are based on the fact that small DNS queries can result in significantly larger DNS responses.

An attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target's IP address. As a result, the resolvers will send their large responses back to the victim's IP address instead of the sender's address.

In addition to having an amplification effect, this technique makes it very hard for the victim to determine the original source of the attack and also makes it impossible for name servers higher up on the DNS chain that are queried by the abused open DNS resolvers to see the IP address of the victim.

"The fact that so many of these unmanaged open recursors exist allow the attackers to obfuscate the destination IPs of the actual DDoS targets from the operators of the authoritative servers whose large records they're abusing," said Roland Dobbins, solutions architect in the Security & Engineering Response Team at DDoS protection vendor Arbor Networks, Thursday via email.

"It's also important to note that the deployment of DNSSEC has made DNS reflection/amplification attacks quite a bit easier, as the smallest response the attacker will stimulate for any query he chooses is at least 1300 bytes," Dobbins said.

Even though this attack method has been known for years, "DDoS amplification is used far more frequently now and to devastating effect," Bryn Thompson of HostExploit wrote Wednesday in a blog post.

"We have seen this recently and we see it increasing," Neal Quinn, the chief operating officer of DDoS mitigation vendor Prolexic, said Thursday via email.

"This technique allows relatively small botnets to create large floods toward their target," Quinn said. "The problem is serious because it creates large volumes of traffic, which can be difficult to manage for many networks without use of a cloud mitigation provider."

Dobbins couldn't immediately share any data about the recent frequency of DNS-based DDoS amplification attacks, but noted that SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol) reflection/amplification attacks "can also generate very large, overwhelming attack sizes."

In its report, HostExploit ranked the Autonomous Systems with the largest number of open DNS resolvers in their IP address spaces. The top one, controlled by Terra Networks Chile, contains more than 3,200 open resolvers in a pool of around 1.3 million IPs. The second one, controlled by Telecomunicacoes de Santa Catarina (TELESC) - now part of Oi, Brazil's largest telecom operator - contains nearly 3,000 resolvers in a space of 6.3 million IP addresses.

"It should be stressed open recursive nameservers are not a problem in themselves; it is the mis-configuration of a nameserver where the potential problem lays," HostExploit said in its report.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *