24 million reasons to lock down DNS amplification attacks

5.3 million home and office routers worldwide were being used for DNS amplification attacks in February, according to a new study.

Steady rise in complex web attacks in 2013
Steady rise in complex web attacks in 2013

Research from Nominum, a US security consultancy that supplies ISPs with DNS-based analytics and revenue advice, claims to show that 24 million home and small office broadband routers around the world are vulnerable to being tapped as part of a massive DDoS attack.

Distributed-denial-of-service (DDoS) swarm attacks have been around for years, but hijacking routers is a relatively recent trend, driven largely by the fact that very few users actively update the firmware of their legacy routers.

Rather than hack the host computer, Nominum says that the hackers can now manipulate DNS (Domain Name System) traffic lookups - the technology that translates alphabetic domain names (e.g. www.bbc.co.uk) into its numeric identifier (e.g. 987.65.43.21). 

By spoofing the target's IP address and generating a small IP request (ICMP) to a vulnerable router, the router will then generate a larger IP data packet to the real IP address. Nominum claims that this `amplification' effect can be tapped to turn a few megabits of data bandwidth into many tens of gigabits of bandwidth hogging IP streams. 

This is no theoretical analysis, as the consultancy claims to have spotted over 5.3 million home and office routers being hijacked during February to generate IP attack traffic - with as much as 70 per cent of total DNS traffic being attributed to one attack seen during January. 

Nominum says the effect on ISP traffic is immense, with trillions of bytes of attack data disrupting ISP networks, websites and individuals. In the longer term, the consultancy says there is a network impact generated by malicious traffic saturating the available bandwidth and a consequent loss of revenue as users migrate to other ISPs due to an apparently poor experience. 

Sanjay Kapoor, the SVP of strategy with Nominum, said that existing DDoS defences do not work against today's amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort. 

“Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies," he said. 

Peter Wood, CEO of pen-testing specialist First Base Technologies, says that the problem identified by Nominum is often found by his research team where remote branch offices and staff working from home are involved. 

"We've recently been testing a Draytek Vigor router in this regard, and the good news is that most of the attack ports that could be used are turned off by default. Conversely, we also tested a Buffalo router, where the exact reverse was true," he explained. 

"This is the joy of OpenDNS proxies. It's also not that obvious how to configure a fixed IP on many routers," he said, adding that some clients are - thankfully - becoming more aware of the security risks from the amplification attacks identified by Nominum's research. 

Sven Schlueter, a senior consultant with Context Information Security, said that DNS application attacks mean that only minimal resources are required to conduct an attack against the availability of a larger system or network. 

"This type of attack is then often performed from different sources, all spoofing the source ‘to origin from the target', resulting in a DDoS against the available bandwidth of the targeted hosts and networks when content is returned from the legitimate DNS," he said, adding that a number of mitigation solutions are now possible. 

"For example, a DNS server administrator can ensure that the resolver is not open to the Internet. Very rarely - usually only for service providers – is a resolver required to be open to the Internet. However, if necessary, rate limiting and monitoring can be applied to slow down, detect and mitigate attacks," he said. 

"ISPs can also enforce restrictions so that spoofing of addresses is not possible. Service owners, such as a Web site administrator, can only slightly mitigate the issue by dynamically allocating more bandwidth and filtering the attack at the border/ISP core, to the network affected," he added. 

Jag Bains, CTO of DDoS remediation specialist DOSarrest, said that is a need for focused DDoS protection services as his firm is seeing more and more attack vectors and agents emerge - something that he says is only going to increase as the `Internet of Things' gains further traction. 

"Strategic decision makers will need to understand what specific assets need protection and in what specific manner, and ensure they buy the right solution," he noted. 

Lamar Bailey, director of security research with Tripwire, said that home and small office modems, gateways and routers are a generally the second weakest link in a home/small office network behind printers. 

"Internet providers do update or use current technology for home user gateways and the end user is generally stuck with what every the provider gives them. The routers are generally on very old technology and not easy or possible to secure. DDoS and other attacks are very successful on these old routers," he said. 

Bailey went on to say that the ISPs need to take security more seriously and help protect their consumers. 

"In the US each region has limited options for ISPs which is almost a monopoly. This is bad for consumers and great for attackers and bot herders," he explained. 

"Internet providers do update or use current technology for home user gateways and the end user is generally stuck with what every the provider gives them. The routers are generally on very old technology and not easy or possible to secure. DDoS and other attacks are very successful on these old routers," he said. 

Bailey went on to say that the ISPs need to take security more seriously and help protect their consumers.

"In the US each region has limited options for ISPs which is almost a monopoly. This is bad for consumers and great for attackers and bot herders," he explained.

Sign up to our newsletters