Meet the new DoS - not the same as the old DoS

Distributed Denial of Service (DDoS) attacks used to be a way to throw down the gauntlet, demonstrate tech cred, or express dissatisfaction with someone or something. Today the primary motivation for DDoS is money, and services are readily available to disrupt just about anything. All that's needed is a credit card, or bitcoins.

DDoS is all about asymmetry: carefully crafted attacks exploit protocols and/or use other Internet resources, expending relatively modest energy while still getting impressive results. Domain Name System (DNS) amplification attacks have been receiving attention lately. They rely on the fact that DNS requests of a few tens of bytes can result in responses of thousands of bytes. Traffic can be amplified 50 times or more, and there is often considerable collateral damage to the servers used to amplify traffic and to the networks in the path of the ultimate target.

In 2013 the largest DDoS attack ever recorded used DNS servers to amplify queries and generate a massive 300Gbps wave of traffic intended to swamp Spamhaus, one of the unsung heroes of the Internet that busily battles spam. Over the years attacks have taken many forms. In some cases authoritative servers are targeted because they are widely available and, by design, deployed to answer queries coming from any IP address. “Open” DNS resolvers have been targeted for similar reasons: they are also configured to answer queries from any IP address.

What this means is that literally anyone, anywhere on the Internet can send a query and get an answer. With amplification an attacker can send thousands, or even millions of queries, and turn them into gigabits of traffic.  The only constraints are the capacity of the server and network link.  The last trick is to spoof the source IP address (IP SA) of DNS queries so the wave of traffic can be sent absolutely anywhere on the Internet – webservers, enterprise gateways, hosting facilities.

A new attack exposes ISP resolvers to DNS amplification. ISP resolvers tend to be generously provisioned with network bandwidth and deployed on high performance hardware so they are always responsive and highly available. For attackers it is like a free lunch: they get to use someone else's carefully tended infrastructure to enhance their exploits.

This new variant of DNS amplification attack exploits the fact that consumer Internet services are nearly always provisioned with home gateways that run open DNS proxies: they answer DNS queries arriving on their WAN interface and forward them to whatever resolver they are configured to use. In most cases that is an ISP resolver, and any resolver serving a network with such home gateways can become a resource readily available to attackers.

Nominum research undertaken with openresolverproject.org shows there are more than 28 million open DNS proxies on the Internet, located in every region of the world. It also reports that attackers are registering domains exclusively for amplification; they have no legitimate purpose. With answer sizes of 4k bytes and greater, these “purpose built” domains are actively used across the Internet and new ones are added constantly. Additional research data reveals that attackers continuously adapt their tactics to ensure maximum impact: regularly changing domain names, using different query types, and combining “purpose built” domains with legitimate domains offering good amplification.

The biggest problem with these new developments is that even providers who go to great lengths to protect their networks using best practices are exposed. Most ISP resolvers are already “closed”: the IP ranges the resolver responds to are restricted. But in this case attack-related queries appear to come from legitimate clients, because the proxy obscures the spoofed IP SA. Anti-spoofing protections don't work either, because the spoofed DNS traffic enters at the network border, where it is extremely difficult to detect spoofed addresses. It is also not practical to separate (filter) malicious DNS traffic from legitimate DNS traffic at the border.

To address today's amplification attacks additional protections and best practices are needed for DNS servers:

1. Fine grained rate limits to target legitimate domains used for amplification
2. Dynamic threat lists to block “purpose built” amplification domains, vetted to eliminate false positives
3. Rate limits based on response size to catch malicious traffic not caught by other filters
4. Use of truncated responses to ensure legitimate clients will get answers
5. Logging of DNS data for forensics, reporting
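As an added illustration of points 3 and 4 above (example code written for this page, not Nominum's or any resolver's own implementation), the sketch below budgets response bytes per client with a token bucket and, once the budget is spent, answers with a truncated (TC=1) reply so a genuine stub resolver retries over TCP while a spoofed query earns no amplification. The domain name, client addresses and byte limits are constructed assumptions.

```python
import struct

# Constructed sample values; the domain name and limits are assumptions, not from the article.
AMP_QNAME, ANY_QTYPE = "amp.example.", 255

def build_query(qname, qtype, txid=0x1234):
    """Minimal DNS query in wire format: header (RD=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def truncated_response(query):
    """Reply with the question only, QR=1, TC=1 (and RA=1): a real stub resolver
    retries over TCP, which cannot be source-spoofed, while a spoofing attacker
    gets a reply no bigger than the query, i.e. no amplification."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | 0x8280, qdcount, 0, 0, 0)
    return header + query[12:]

class ResponseSizeLimiter:
    """Token bucket per client IP that spends *response bytes*, not query count,
    so a burst of 4 KB answers is throttled long before many small ones are."""
    def __init__(self, bytes_per_sec, burst_bytes):
        self.rate, self.burst = bytes_per_sec, burst_bytes
        self.buckets = {}  # client -> (tokens, last_refill_time)

    def decide(self, client, response_len, now):
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if response_len <= tokens:
            self.buckets[client] = (tokens - response_len, now)
            return "answer"
        self.buckets[client] = (tokens, now)
        return "truncate"

def simulate(limiter, client, response_len, count, now=0.0):
    """Send `count` queries from one client at time `now`; return action counts."""
    counts = {"answer": 0, "truncate": 0}
    for _ in range(count):
        counts[limiter.decide(client, response_len, now)] += 1
    return counts

if __name__ == "__main__":
    lim = ResponseSizeLimiter(bytes_per_sec=8000, burst_bytes=16000)
    print("spoofed 4 KB answers:", simulate(lim, "198.51.100.7", 4096, 10))
    print("legit 100 B answers: ", simulate(lim, "192.0.2.10", 100, 100))
    q = build_query(AMP_QNAME, ANY_QTYPE)
    print("query", len(q), "bytes -> truncated reply", len(truncated_response(q)), "bytes")
```

In a real resolver the same bucket can be keyed per domain instead of per client to serve point 1, and the truncation decision would be logged for the forensics in point 5.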

Everyone needs to contribute to minimise the impact of DDoS. Network security has always been important to ISPs because it directly impacts reputation and network availability, and security is increasingly viewed as part of brand equity because subscribers expect an Internet service that always performs flawlessly and provides a safe experience.  A modest investment in additional DNS protections and processes yields big returns. Providers can preserve the subscriber experience, protect their networks and ensure their peers, and the greater Internet, aren't subjected to torrents of useless DNS traffic.

Contributed by Bruce Van Nice, director of product marketing at Nominum