DNS DDoS attacks boom

Denial of service attacks using the domain name system (DNS) have reached epidemic proportions with the number of incidents quadrupling last year, the Réseaux IP Européens Network Coordination Centre or RIPE NCC warns. 

Open DNS resolvers are popular with digital miscreants as small byte-sized queries can produce much larger responses, creating a large amount of traffic that can be several gigabits per second in size which in turn floods some of the networks the attacks are aimed at.

Large botnets of compromised and remotely controlled internet connected computers are used by attackers to make the queries with spoofed source addresses, further amplifying the volume of traffic.

The problem has been known for decades, but continues to plague the internet today, with Australia having well over a thousand open resolvers, according to internet network performance provider Cloudflare.

Latest figures from the DNS Measurement Factory show that the forty per cent of resolvers in the APNIC region are open. The total number of open resolvers is estimated by RIPE at around thirty million worldwide.

At the 66th RIPE meeting in Dublin earlier this week, Internet Identity security evangelist Merike Kaeo noted that the attacks work very well as they're anonymous to victims, who cannot tell where they originated from.

The ISPs from whose networks the attacks originate usually aren't impacted, Kaeo stated, and only see small amounts of traffic.

Nor can the spoofed queries from botnets be blocked, and filtering the attack traffic is difficult in practice as it may block legitimate traffic, Kaeo wrote.

Solving the problem requires unmanaged open resolvers to be taken offline. Equipment vendors that ship gear that uses these must default to close them to recursive queries. 

Kaeo said ISPs and enterprises need to implement ingress and egress filtering of traffic to prevent IP address spoofing too.

Source: Merike Kaeo, Double Shot Security

The largest attack last year took place in August and was aimed at financial institutions, according to  figures from denial of service mitigation firm Prolexic. Its peak bandwidth reached 42.2 gigabit/s per second and some 2.1 million packets per second, spread across DNS and HTTP GET, UDP fragmentation and ICMP flooding attack types over ports 80, 443 and 53.

This year, a denial of service attack against anti-spam organisation Spamhaus was said to have reached 300Gbps, although that figure is in doubt.

In the first quarter of this year, Prolexic said it measured a 691 per cent increase in attack traffic, which rose from 6.1Gbps to 48.25Gbps on average compared to the same time last year. Attacks also lasted a fifth longer, reaching 34.5 hours on average.

According to Prolexic, the source of the vast majority of botnet activity was China with over 40 per cent of traffic. This marked an improvement compared to the last quarter of 2012, when Chinese denial of service traffic accounted for over 55 per cent of the total.

The United States, Germany, Iran, India and Brazil also account for large amounts of attack traffic which is usually aimed at countries with extensive network infrastructure, Prolexic said.