DNS providers Nominum have published new data on DNS-based DDoS amplification attacks that are using home and small office routers as a jumping off point.
The provider said that in February alone, more than five million home routers were used to generate attack traffic; that number represents more than one-fifth of the 24 million routers online that have open DNS proxies.
The impact hits Internet service providers (ISPs) especially hard because amplification attacks not only consume bandwidth, but also drive up support costs and impact customer confidence in their ISP, Nominum said.
“Existing in-place DDoS defenses do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” said Sanjay Kapoor, CMO and SVP of Strategy, Nominum. “Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies.”
Craig Young, senior security researcher with Tripwire, said the problem can largely be traced to weak default configurations on the home and SOHO routers.
“They shouldn’t have open DNS resolvers on the Net,” Young said. “Routers are designed so that someone inside the network can send a DNS request to the router, which passes that on to the ISP, which sends the request back to you inside the network. That’s fine and proper. What’s not fine is when someone else can send a message to an external interface and have the router send that to the ISP.”
Outsiders can take advantage of these open resolvers, spoof traffic and amplify the size of the request coming back. With a botnet, for example, this can quickly escalate and cause a denial-of-service condition against large organizations that criminals can find particularly effective in extortion schemes or hacktivism.
“DDoS has always relied on address spoofing so anything can be targeted and traffic cannot be traced to its origin; but as with any exploit, attackers continuously refine their tactics,” Nominum said in its report. “The new and dangerous DNS DDoS innovation has emerged, where attackers exploit a backdoor into provider networks: tens of millions of open DNS proxies scattered across the Internet. A few thousand can create Gigabits of unwanted traffic.”
In the past 18 months, the volume of bad traffic used in DDoS attacks has skyrocketed to unprecedented levels. A year ago, 300 Gbps DDoS attacks launched against Spamhaus reached 300 Gbps, causing the blacklist service to drop offline for periods of time. Earlier this year, that threshold was surpassed when traffic optimization firm CloudFlare reported it had fought back a 400 Gbps DDoS attack for one of its European customers. The attackers took advantage of a weakness in the Network Time Protocol (NTP) to amplify the volume of that attack, while in the Spamhaus attack, the attackers took advantage of open DNS resolvers.
Nominum said ISPs can resolve the spoofing issue, in particular with regard to home routers.
“Solving the open resolver problem is straightforward: configure production resolvers properly (restrict access to IP ranges controlled by the server operator) and seek out long forgotten and malicious servers and shut them down,” Nominum said. “This is not to suggest it’s a trivial undertaking, this advice has been around a long time and the problem persists.”
Tripwire’s Young said ISPs could also filter against reputation lists which share attack information among providers to recognize DNS requests for domains that are part of an attack. Those packets could then be dropped.
“It’s not hard to have a DDoS-specific system and recognize abnormal patterns, apply rate-limiting, and drop traffic,” Young said.
