Although DDoS attacks have been a serious problem for more than a decade now and security teams have a good handle on how they’re executed and how to handle them, attackers constantly adjust their tactics in order to defeat the best defenses available. One of the more recent tactics adopted by attackers is the use of open DNS resolvers to amplify their attacks, and this technique, while not novel, is beginning to cause serious problems for the organizations that come under these attacks.
Researchers associated with Host Exploit, a volunteer organization that tracks malicious activity among hosting providers, said in a new report that attackers have been making good use of the numerous poorly configured open DNS resolvers in recent months. These machines are plentiful, but it’s not open resolvers in and of themselves that represent a problem. The issue arises when they are misconfigured to answer recursive queries from any source: an attacker sends small queries whose source address is forged to be the victim’s, and the resolver delivers much larger responses to the victim, effectively acting as an electronic megaphone for the attack.
“This can leave powerful resources vulnerable to being hijacked for the purpose of amplifying DDoS attacks. DDoS amplification is used far more frequently now and to devastating effect. By amplifying a DDoS attack, a targeted website can be overwhelmed by its power, causing system failure and service interruption. An additional benefit to the attackers is the masked origin of the attack,” Bryn Thompson of Host Exploit wrote in a blog post.
DDoS attacks continue to be a challenge for IT staff at a variety of organizations that are commonly targeted, including ISPs, banks, security companies and popular commerce sites. The ready availability of high-bandwidth connections and powerful commodity servers and desktops has made large-scale DDoS attacks a common occurrence. Plentiful open DNS resolvers are just making them more powerful.
“The unrestricted passage of free-flowing data packets via an open resolver that is mis-configured is simply a sitting target for the savvy intruder. DDoS amplification is used to devastating effect. Not only is the targeted website overwhelmed with the power of the attack (in excess of 20 Gbps is now commonplace), but to the observer the attack appears to have come via the host. The implication for a host or registrar may be far-reaching,” the Host Exploit report says.
“It should be stressed open recursive nameservers are not a problem in themselves; it is the mis-configuration of a nameserver where the potential problem lies.”
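To make the mechanism described above concrete (the small recursive query, the forged source address, the oversized reply, and the difference between a resolver that recurses for anyone and one that refuses outsiders), here is an added worked example. It is not code from the Host Exploit report or from any resolver project: it builds DNS packets locally from constructed data, never touches the network, and the zone name, transaction ID and record sizes are illustrative assumptions.

```python
import struct

# Added example, not from the Host Exploit report. Every packet below is constructed
# in memory; the "responses" are fixtures standing in for what a resolver would send.


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 255, txid: int = 0x1234, bufsize: int = 4096) -> bytes:
    """Recursive query (RD=1) with an EDNS0 OPT record advertising a large UDP buffer.

    qtype 255 (ANY) and a big advertised buffer are what an attacker uses to get the
    largest possible UDP reply for a ~40-byte request.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)      # root name, type OPT, class = UDP size
    return header + question + opt


def _name_end(pkt: bytes, off: int) -> int:
    """Offset just past the name starting at `off` (label list or compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the checks below need."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,   # recursion available to this client
        "rcode": flags & 0xF,     # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_resolver(query: bytes, response: bytes) -> bool:
    """True if the server recursed for an arbitrary client and returned data.

    A restricted resolver answers outsiders with REFUSED (and RA clear); an open
    one answers NOERROR with RA set and answer records present.
    """
    h = parse_header(response)
    return (h["id"] == struct.unpack("!H", query[:2])[0]
            and h["qr"] == 1 and h["ra"] == 1 and h["rcode"] == 0 and h["ancount"] > 0)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the victim per byte the attacker sends.

    The attacker forges the query's source address as the victim's, so the whole
    response lands on the victim while the attacker pays only for the query.
    """
    return len(response) / len(query)


def txt_rdata(payload: bytes) -> bytes:
    """TXT RDATA: a sequence of <length><bytes> strings of at most 255 bytes each."""
    return b"".join(bytes([len(payload[i:i + 255])]) + payload[i:i + 255]
                    for i in range(0, len(payload), 255))


def build_response(query: bytes, rdatas, ra: bool = True, rcode: int = 0) -> bytes:
    """Constructed response fixture: echoes the question and attaches TXT answers."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)   # QR, RD, RA, RCODE
    question = query[12:_name_end(query, 12) + 4]
    answers = b""
    for rdata in rdatas:
        # owner name = pointer to offset 12 (the question name); type TXT, class IN, TTL 300
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rdatas), 0, 0)
    return header + question + answers


def demo() -> dict:
    """Constructed scenario: one ANY query against a zone holding ten 200-byte TXT records."""
    q = build_query("example.com.")
    open_reply = build_response(q, [txt_rdata(b"x" * 200)] * 10)      # open resolver answers
    refused = build_response(q, [], ra=False, rcode=5)               # restricted resolver refuses
    return {
        "query_bytes": len(q),
        "open_is_open": is_open_resolver(q, open_reply),
        "open_factor": amplification_factor(q, open_reply),
        "refused_is_open": is_open_resolver(q, refused),
        "refused_factor": amplification_factor(q, refused),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the 40-byte query draws a 2,159-byte reply, a factor of about 54, while the refusing resolver sends back 29 bytes, less than the query itself. Checking a real resolver means sending `build_query()` over UDP to port 53 from an address outside the networks it is meant to serve and running `is_open_resolver()` on the reply; the fix on the resolver side is to restrict recursion to the intended client ranges (in BIND, the `allow-recursion` option) rather than to stop running a recursive server, which matches the report's point that open recursive nameservers are only a problem when misconfigured.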
The report lays out the number of open resolvers located within each of the autonomous systems that it tracks, but found no real correlation between the relative badness of a given host and how many open resolvers were located in that host’s IP range.
“This reinforces the message that open resolvers themselves aren’t a problem. Even misconfigured open resolvers do not appear to cause rises of malicious activity on their own networks. Vulnerable open resolvers are generally used to amplify attacks on other networks, and as such, measuring the impact this causes is very difficult,” the report says.