Amplifying DDoS Attacks

Monday, October 29, 2012 @ 01:10 PM gHale


In the evolving chess match between opponents, attackers constantly change their distributed denial of service (DDoS) tactics in order to beat the best defenses available.

One of the new tactics adopted by attackers is the use of open DNS resolvers to amplify their attacks, which is beginning to cause problems for the organizations that come under these attacks.


Attackers have been making good use of the numerous poorly configured open DNS resolvers in recent months, said researchers at Host Exploit, a volunteer organization that tracks malicious activity among hosting providers, in a new report.

These machines are plentiful, but open resolvers by themselves are not the problem. The issue arises when they are misconfigured, allowing attackers to exploit weaknesses in the open resolvers and use them as electronic megaphones for their attacks.

“This can leave powerful resources vulnerable to being hijacked for the purpose of amplifying of DDoS attacks. DDoS amplification is used far more frequently now and to devastating effect. By amplifying a DDoS attack, a targeted website can be overwhelmed by its power causing system failure and service interruption. An additional benefit to the attackers is the masked origin of the attack,” said Bryn Thompson of Host Exploit.

DDoS attacks continue to be a challenge for commonly targeted organizations, including ISPs, banks, security companies and commerce sites. The ready availability of high-bandwidth connections and powerful commodity servers and desktops has made large-scale DDoS attacks a common occurrence. Plentiful open DNS resolvers are just making them more powerful.

“The unrestricted passage of free flowing data packets via an open resolver that is mis-configured is simply a sitting target for the savvy intruder. DDoS amplification is used to devastating effect. Not only is the targeted website overwhelmed with the power of the attack, (in excess of 20gbps is now commonplace) but to the observer the attack appears to have come via the host. The implication for a host or registrar may be far-reaching,” the Host Exploit report said.

Open recursive nameservers are not a problem in themselves; it is the misconfiguration of a nameserver where the potential problem lies, according to the report.

The report lays out the number of open resolvers located within each of the autonomous systems that it tracks, but found no real correlation between the relative badness of a given host and how many open resolvers are located in that host’s IP range.

“This reinforces the message that open resolvers themselves aren’t a problem. Even misconfigured open resolvers do not appear to cause rises of malicious activity on their own networks. Vulnerable open resolvers are generally used to amplify attacks on other networks, and as such, measuring the impact this causes is very difficult,” the report said.
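The report's point is that a resolver serving recursive answers to clients outside its own networks becomes an amplifier: a small spoofed query produces a much larger response aimed at the victim. The following added example (not code from the article or from Host Exploit) shows the check a resolver operator would run over their own query logs to spot that pattern. The log format, the allowed client network and the log lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed sample log (not from the article); format: client qname qtype qbytes rbytes
SAMPLE_LOG = """\
192.0.2.10 example.com A 45 61
192.0.2.11 example.com AAAA 45 73
198.51.100.7 isc.org ANY 64 3210
198.51.100.7 isc.org ANY 64 3210
198.51.100.7 isc.org ANY 64 3210
203.0.113.5 ripe.net ANY 64 2890
192.0.2.12 example.net TXT 46 120
not a valid line
"""
# Networks this resolver is meant to serve (assumed); any other client is "open" use.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
AMP_THRESHOLD = 10.0  # response bytes / query bytes that counts as amplification

def parse_log(text):
    """Yield (client_ip, qtype, query_bytes, response_bytes); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield ipaddress.ip_address(parts[0]), parts[2], int(parts[3]), int(parts[4])
        except ValueError:
            continue

def find_amplifiers(records, allowed=ALLOWED_NETS, threshold=AMP_THRESHOLD):
    """Return {client: (query_count, amplification)} for clients outside the allowed
    networks whose aggregate response/query byte ratio meets the threshold. Since
    the source address is spoofed, the flagged client is the flooded victim."""
    totals = defaultdict(lambda: [0, 0, 0])  # queries, query bytes, response bytes
    for client, _qtype, qbytes, rbytes in records:
        if any(client in net for net in allowed):
            continue
        totals[client][0] += 1
        totals[client][1] += qbytes
        totals[client][2] += rbytes
    flagged = {}
    for client, (count, qb, rb) in totals.items():
        ratio = rb / qb if qb else 0.0
        if ratio >= threshold:
            flagged[str(client)] = (count, round(ratio, 1))
    return flagged

if __name__ == "__main__":
    for client, (count, ratio) in find_amplifiers(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {count} queries, {ratio}x amplification")
```

A non-empty result means the resolver is answering recursive queries for addresses it should not serve; the fix is to restrict recursion to the intended client networks rather than to block the flagged addresses, which belong to the victims.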
