DNS DDoS attacks skyrocket

Powered by SC Magazine
 

Millions of open resolvers need to be closed.

Denial of service attacks using the domain name system (DNS) have reached epidemic proportions, with the number of incidents quadrupling last year, the Réseaux IP Européens Network Coordination Centre, or RIPE NCC, warns.

Open DNS resolvers are popular with digital miscreants because small queries can produce much larger responses. The resulting traffic can reach several gigabits per second, which in turn floods some of the networks the attacks are aimed at.

Large botnets of compromised and remotely controlled internet-connected computers are used by attackers to make the queries with spoofed source addresses, further amplifying the volume of traffic.

The problem has been known for decades, but continues to plague the internet today, with Australia having well over a thousand open resolvers, according to internet network performance provider Cloudflare.

Latest figures from the DNS Measurement Factory show that forty per cent of resolvers in the APNIC region are open. The total number of open resolvers is estimated by RIPE at around thirty million worldwide.

At the 66th RIPE meeting in Dublin earlier this week, security evangelist Merike Kaeo from Internet Identity noted that the attacks work very well as they're anonymous to victims, who cannot tell where they originated from.

The ISPs from whose networks the attacks originate usually aren't impacted, Kaeo stated, and only see small amounts of traffic.

Nor can the spoofed queries from botnets be blocked, and filtering the attack traffic is difficult in practice as it may block legitimate traffic, Kaeo wrote.

Solving the problem requires unmanaged open resolvers to be taken offline. Equipment vendors that ship gear that uses these must close them to recursive queries by default.

Kaeo said ISPs and enterprises need to implement ingress and egress filtering of traffic to prevent IP address spoofing too.
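One way to check whether a resolver you operate is open in the sense described above, given as an added example that is not part of the original article. It sends a recursive query and reads the RA flag and response code; the function names and the `example.com` test name are assumptions, and the check should be run from an address outside the resolver's intended client range.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a DNS A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(query, response):
    """Return 'open', 'closed' or 'invalid' for a reply to a recursive query."""
    if len(response) < 12:
        return "invalid"                 # shorter than a DNS header
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "invalid"                 # wrong transaction ID, or QR=0 (not a reply)
    recursion_available = bool(flags & 0x0080)   # RA bit
    rcode = flags & 0x000F
    # NOERROR (0) or NXDOMAIN (3) with RA set means the server recursed for us.
    # REFUSED (5), or RA clear, means recursion is not offered to this source.
    if recursion_available and rcode in (0, 3):
        return "open"
    return "closed"

def check_resolver(server_ip, name="example.com", timeout=3.0):
    """Query a resolver you operate and classify its answer."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, 53))
            response, _ = sock.recvfrom(4096)
        except OSError:
            return "closed"              # no reply: dropped or filtered
    return classify_response(query, response)

if __name__ == "__main__":
    # Constructed sample replies (header plus echoed question), not captured traffic.
    q = build_query("example.com")
    samples = {
        "recursing server": b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + q[12:],
        "recursion refused": b"\x12\x34\x81\x05\x00\x01\x00\x00\x00\x00\x00\x00" + q[12:],
    }
    for label, reply in samples.items():
        print(label, "->", classify_response(q, reply))
```

A result of "open" for a query sent from outside the intended client range means the resolver's recursion access list needs tightening.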

Anatomy of a DNS amplification attack
Source: Merike Kaeo, Double Shot Security

The largest attack last year took place in August and was aimed at financial institutions, according to figures from denial of service mitigation firm Prolexic. Its peak bandwidth reached 42.2 gigabits per second and some 2.1 million packets per second, spread across DNS and HTTP GET, UDP fragmentation and ICMP flooding attack types over ports 80, 443 and 53.

This year, a denial of service attack against anti-spam organisation Spamhaus was said to have reached 300Gbps, although that figure is in doubt.

In the first quarter of this year, Prolexic said it measured a 691 per cent increase in attack traffic, which rose from 6.1Gbps to 48.25Gbps on average compared to the same time last year. Attacks also lasted a fifth longer, reaching 34.5 hours on average.

According to Prolexic, the source of the vast majority of botnet activity was China with over 40 per cent of traffic. This marked an improvement compared to the last quarter of 2012, when Chinese denial of service traffic accounted for over 55 per cent of the total.

The United States, Germany, Iran, India and Brazil also account for large amounts of attack traffic which is usually aimed at countries with extensive network infrastructure, Prolexic said.

Copyright © iTnews.com.au . All rights reserved.

