
March 24, 2006 4:00 AM PST

DNS servers do hackers' dirty work


(continued from previous page)

It is generally possible to stop the more common bot-delivered attack by blocking traffic from the attacking machines, which are identifiable. But blocking queries from DNS servers brings problems in its wake. A DNS server has a valid role to play in the workings of the Internet. Blocking traffic from DNS servers could also mean blocking legitimate users from sending e-mail or visiting a Web site, because their own lookups depend on the same kind of replies.

Lowdown on Net threat

Key things to know about distributed denial-of-service attacks sent using recursive DNS queries.

Why can DNS be abused for a DDOS attack?
As many as 75 percent of all DNS servers answer recursive queries from anyone on the Net; such machines are known as "open recursive" servers.

How does such an attack work?
A hacker uses a botnet to send a large number of DNS queries to open DNS servers. These queries are "spoofed" to look like they come from the target of the attack. The DNS servers that receive the query will reply to that network address.

How does this amplify the attack?
A small DNS request sent out by a bot can result in a much larger response from the DNS server. The amplification factor can exceed 70: each byte the bot sends can draw more than 70 bytes of response traffic aimed at the victim.

Why does abusing DNS protect the attacker?
The malicious traffic seen by the victim now no longer comes from the hacker's botnet, but from DNS servers. This could help hide the network of zombie PCs.

Why can't the malicious traffic be blocked?
DNS servers play a vital role on the Internet. If a company blocks traffic from DNS servers, legitimate users may no longer be able to send e-mail or surf to its Web site.

What can be done to limit these attacks?
DNS administrators should disable the recursive functionality or limit it to their own, trusted users. Also, targets of such attacks could protect themselves using technologies designed to ward them off.

Source: "DNS Amplification Attacks" by Randal Vaughn and Gadi Evron, CNET News.com research
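The attack the sidebar describes, worked through in code as an added example (this is not code from the article or from Vaughn and Evron's paper): a bot's recursive DNS query in wire format, the oversized reply an open recursive server returns, the amplification factor measured on the wire, and the header bits that distinguish an open server from one that refuses outsiders. The domain name, the transaction ID and the 4,000-byte TXT record are constructed for illustration; the packet layout follows RFC 1035 and the EDNS0 OPT record in RFC 2671.

```python
"""Added example, not code from the CNET article or from Vaughn and Evron's
paper: builds a DNS query in wire format (with the EDNS0 OPT record that lets a
resolver answer with more than 512 bytes), builds the oversized response an open
recursive resolver would return, computes the amplification factor, and reads
the header bits that tell an open resolver from a restricted one. The domain
name and the 4,000-byte TXT record are constructed for illustration."""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000       # message is a response
RD = 0x0100       # recursion desired (set by the querier)
RA = 0x0080       # recursion available (set by a resolver that will recurse)
RCODE_REFUSED = 5
IP_UDP_OVERHEAD = 28   # IPv4 (20) + UDP (8) header bytes on the wire

def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def question_end(packet, offset=12):
    """Offset just past the first question section (name + qtype + qclass)."""
    while packet[offset] != 0:
        offset += packet[offset] + 1
    return offset + 1 + 4

def build_query(name, qtype=16, txid=0x1234, udp_size=4096):
    """Recursive query (RD set) for `name`; qtype 16 = TXT, 255 = ANY.
    The OPT pseudo-record (RFC 2671) in the additional section advertises how
    large a UDP reply the sender accepts; without it replies are capped at 512
    bytes and there is little to amplify."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)     # root name, type OPT
    return header + question + opt

def txt_rdata(text):
    """TXT RDATA is a run of <length><chars> strings, 255 bytes each at most."""
    chunks = (text[i:i + 255] for i in range(0, len(text), 255))
    return b"".join(bytes([len(c)]) + c for c in chunks)

def build_response(query, rdata_list, ttl=3600):
    """Response from an open resolver: echoes the question and any OPT record,
    sets QR|RD|RA, and adds one TXT answer per entry in rdata_list."""
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", query[:12])
    qend = question_end(query)
    header = struct.pack("!HHHHHH", txid, QR | RD | RA, 1, len(rdata_list), 0, arcount)
    answers = b""
    for rdata in rdata_list:
        # 0xC00C: compression pointer to the owner name at offset 12 (the question)
        answers += struct.pack("!HHHIH", 0xC00C, 16, 1, ttl, len(rdata)) + rdata
    return header + query[12:qend] + answers + query[qend:]

def build_refused(query):
    """What a resolver restricted to its own users sends an outside host:
    QR set, RA clear, RCODE REFUSED, question echoed, no answers. The reply is
    no larger than the query, so there is nothing for an attacker to amplify."""
    txid, = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)
    return header + query[12:question_end(query)]

def parse_header(packet):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "arcount": ar}

def is_open_recursive(response):
    """A server that answers an outsider's RD query with RA set, RCODE 0 and an
    answer is the open recursive server the article describes."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0

def amplification_factor(query, response):
    """Bytes that reach the victim per byte the bot sends, measured on the wire
    (IP and UDP headers included, since that is what fills the victim's link)."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)

if __name__ == "__main__":
    q = build_query("example.com", qtype=16)                 # constructed name
    big = build_response(q, [txt_rdata(b"A" * 4000)])        # constructed 4,000-byte TXT
    small = build_refused(q)
    print(len(q), len(big), round(amplification_factor(q, big), 1), is_open_recursive(big))
    print(len(q), len(small), round(amplification_factor(q, small), 2), is_open_recursive(small))
```

With these constructed sizes the 40-byte query (68 bytes on the wire) draws a 4,068-byte reply, a factor of about 60; the same query to a server that refuses recursion to outsiders gets back 29 bytes, a factor below 1. The same check, an RD query sent from an address outside your own network and inspected for RA plus an answer, is how an administrator can confirm that a resolver is no longer open; in BIND 9 the restriction is the allow-recursion option, set to your own address ranges.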

"That's why this is a nasty attack," said Rob Fleischman, the chief technology officer at Simplicita, a Denver-based security start-up. "The DNS system is an area that is going to be under more attack. It is going to have closer scrutiny and more security."

At the heart of the problem are so-called open recursive name servers, which are DNS servers that answer recursive queries from anyone on the Net. There are about 7.5 million DNS servers, and estimates on how many are left wide open to queries range from 600,000 to 5.6 million, according to Vaughn and Evron's report.

"People who are running these open servers need to clean up their act. They are--witting or unwitting, lazy or just don't care--participants in these attacks," Mockapetris said. "They are the Typhoid Marys of the Internet."

To protect their systems, organizations with DNS servers can disable the recursive feature that lets anyone look up addresses. Alternatively, they can manage the server settings so that the recursive feature is available only to insiders. Internet service providers, as well as businesses and individuals, are among those who run DNS servers.

Targets of DDOS attacks could protect themselves using technologies to ward off DDOS attacks, which are sold by vendors including Prolexic Technologies.
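The victim's dilemma described above, that blocking DNS servers outright also blocks the replies its own users need, has a narrower answer than a blanket block. The following added example (not code from the article or from any vendor named in it) shows a stateful filter that admits only DNS responses matching a query the protected network actually sent and drops the unsolicited replies that spoofed queries provoke. The addresses, ports, transaction IDs and packet sizes are constructed for illustration.

```python
"""Added example (not from the CNET article): a stateful filter for the victim
side of a DNS reflection attack. Instead of blocking DNS servers outright, which
breaks legitimate e-mail and web lookups, it admits only DNS responses that
match a query this network sent, and drops the unsolicited responses that
spoofed queries caused. All traffic records below are constructed."""
from collections import defaultdict

# Constructed packet summaries: (time, src_ip, src_port, dst_ip, dst_port,
# dns_txid, dns_is_response, bytes). 203.0.113.0/24 is "our" network.
OUR_NET = "203.0.113."
PACKETS = [
    # legitimate lookup: an inside host asks its resolver and gets an answer
    (0.00, "203.0.113.5", 51234, "192.0.2.53", 53, 0x1A2B, False, 45),
    (0.03, "192.0.2.53", 53, "203.0.113.5", 51234, 0x1A2B, True, 120),
    # reflected flood: open resolvers answer queries the victim never sent
    (1.00, "198.51.100.10", 53, "203.0.113.10", 53, 0x77C1, True, 4068),
    (1.00, "198.51.100.11", 53, "203.0.113.10", 53, 0x0042, True, 4068),
    (1.01, "198.51.100.12", 53, "203.0.113.10", 53, 0x9F10, True, 4068),
    (1.01, "198.51.100.10", 53, "203.0.113.10", 53, 0x3C3C, True, 4068),
    # a second legitimate lookup, answered by a resolver the flood also uses
    (2.00, "203.0.113.7", 40001, "198.51.100.10", 53, 0x5555, False, 45),
    (2.02, "198.51.100.10", 53, "203.0.113.7", 40001, 0x5555, True, 200),
    # duplicate of an answer already delivered: its pending entry is closed
    (9.00, "192.0.2.53", 53, "203.0.113.5", 51234, 0x1A2B, True, 120),
]

def filter_dns_responses(packets, window=3.0):
    """Return (allowed, dropped). An outbound query opens a pending entry keyed
    on (resolver, inside host, inside port, txid); an inbound response is
    allowed only if it closes a pending entry opened within `window` seconds.
    Everything else from port 53 into our network is an unsolicited reply."""
    pending = {}
    allowed, dropped = [], []
    for pkt in packets:
        t, src, sport, dst, dport, txid, is_resp, _size = pkt
        if src.startswith(OUR_NET) and dport == 53 and not is_resp:
            pending[(dst, src, sport, txid)] = t        # we asked dst
            allowed.append(pkt)
        elif dst.startswith(OUR_NET) and sport == 53 and is_resp:
            key = (src, dst, dport, txid)
            if key in pending and t - pending[key] <= window:
                del pending[key]                        # solicited answer
                allowed.append(pkt)
            else:
                dropped.append(pkt)                     # unsolicited: reflection
        else:
            allowed.append(pkt)                         # not DNS; out of scope here
    return allowed, dropped

def reflection_summary(dropped):
    """Bytes of unsolicited DNS responses per source. This is the view the
    victim has: the reflecting resolvers, not the bots behind them."""
    per_src = defaultdict(int)
    for pkt in dropped:
        per_src[pkt[1]] += pkt[7]
    return dict(per_src)

if __name__ == "__main__":
    ok, bad = filter_dns_responses(PACKETS)
    print(len(ok), "allowed,", len(bad), "dropped")
    for src, total in sorted(reflection_summary(bad).items()):
        print(f"{src:16} {total:6} bytes of unsolicited DNS replies")
```

Note that 198.51.100.10 appears both as a reflector and as the resolver that answers a legitimate lookup at t=2.02; a per-source block would have lost that answer, the stateful match keeps it. The caveat a practitioner should keep in mind is that a filter at the victim's edge only discards the packets after they have crossed the link; when the reflected volume exceeds the link's capacity the traffic must be absorbed further upstream, which is the service the DDOS-mitigation vendors mentioned above sell.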

In the early days of the Internet, recursive DNS servers served mobile users and cached people's requests for Web site addresses, making the Net scale much better, Mockapetris said. An example of the latter was the day Jerry Garcia died in 1995, he said.

"Everybody was going off to find every Grateful Dead Web site everywhere in the world," he said. "The first person to do that would cache it in the DNS server of their access provider, so the next person would not have to go out to Katmandu to look it up."

But fast forward 10 years, and recursive servers should be something of the past, Mockapetris said. "Now people are looking for ways to attack the network, and the open recursive servers can be used as unwitting cat's paws in a denial-of-service attack," he said. "Once upon a time, everybody just trusted everybody, and you would say, 'Fine, use my server.' Now you have to be more careful about that."

Kaminsky agreed. "If you are a DNS administrator, you shouldn't be providing recursive services to the Internet anymore. It is unfortunately no longer a responsible thing to do," he said.

Increasingly, DNS is going to be used in attacks, experts said, and their administrators can no longer afford to be lazy.

"There are multiple of these kinds of storms that are rising, and service providers and enterprises need to figure out how to make sure that their sea walls, dams and dikes and levees are high enough to withstand them," Mockapetris said.



I use CallingID that automatically protects me from DNS spoofing
by ba_oren March 24, 2006 7:43 AM PST
CallingID is a toolbar for Internet Explorer and Firefox that automatically protects users from Internet fraud. It uses 55 verification tests to check that it is OK to send personal or confidential information to a site, and if any test fails it alerts me. DNS spoofing is one of the tests.
bad choice....
by darbien March 24, 2006 2:51 PM PST
This is a classic example of a smoke-and-mirrors product. They show you a nice GUI interface and fool consumers into thinking they are secure.

How do they actually detect pharming? Checking the domain name certainly doesn't do it, and neither do their 52 rules of checking (hey, why not make it 521 rules, it sounds better).

I wouldn't waste $ on this crap if I were you.
Porn sites on the Margin? I thought ..
by baswwe March 24, 2006 8:53 AM PST
I thought they were the ones rakin in the money!
Little note for the so-called experts
by n3td3v March 24, 2006 11:01 AM PST
http://www.google.co.uk/search?hl=en&q=Akamai+attack&spell=1

http://www.google.co.uk/search?hl=en&q=Akamia+attack&meta=

http://www.google.co.uk/search?hl=en&q=Akamai+attack+n3td3v&spell=1
2 years ago
by n3td3v March 24, 2006 11:18 AM PST
1. That's 2 years ago. And how long before that did the attacker(s) have the idea? And today these small-time experts like Gadi are posting on FD claiming they know it all. You guys at CNET really are quoting the best folks to be asking about such techniques.

2. And there's still the Yahoo Slurp disclosure that Gadi and the others can't work out.

I guess that'll come up two years later too...

When folks like Gadi on FD can't work something out on FD, they call you a troll or tell you to go to school.

It's funny.
I don't think
by hawkeyeaz1 March 24, 2006 11:49 AM PST
I don't think this means recursive DNS is irresponsible, I think it highlights that we need to move beyond IPv4 to something that doesn't just assume a connection is legit. If a connection is made apparently from ___, then the ACK of receipt used in file transfers (i.e., packet received) could serve as a "you did send this, right?". IPv6 has some improvements over IPv4 as well.
RE: IPV6
by Jeremiah256 March 24, 2006 2:19 PM PST
Agreed but there is no pressure to move to IPv6.
Why can they spoof their IP?
by PAStheLoD March 25, 2006 5:02 AM PST
Why do routers at the last mile allow this? Simply because ISPs don't care. If this kind of attack can be done, that's because the hackers are able to spoof their IPs, and that's not so hard to detect at the first few routers while the packet is inside the network of the originating ISP.

So think.
Yawn
by interboogie March 25, 2006 7:40 AM PST
If the reporter had done more checking he would've found out that this is nothing new. It's just being "exploited" by new people in terms of utilizing for professional gain - like reporters quoting them in stories about old stuff.
haha
by stealt403 March 26, 2006 11:10 PM PST
if you would have done more checking you would have found that this point has already been made by at least two other posters.
What are the options for protecting against this?
by rdeutch March 25, 2006 9:18 AM PST
It appears that Simple DNS Plus is one.
See http://blogs.jhsoft.com/jhsoft/PermaLink,guid,f43ae4a8-b3cb-43ba-b9c0-261f4a4b509c.aspx

Anyone know of anything else?
Problem has been solved...
by wbenton March 26, 2006 6:54 AM PST
For those who have invested in the proper hardware and software from Cisco... this problem has been forewarned for several years now and Cisco has a resolution.

Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) to determine whether the sender is valid or spoofed, and it will drop spoofed DNS requests.

That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plague them!!!"

The problem has been known for several years and a valid solution exists... but it's only for those who invest properly in the correct security equipment!!!

Walt
Not really...
by rdeutch March 30, 2006 2:09 AM PST
If the Cisco device does a reverse DNS lookup on the spoofed IP address, it will still get a correct result. So how does this solve anything?

If an IP packet with a spoofed origin IP address reaches its target (or the firewall in front of it), then there is no way to tell if the packet really came from the claimed IP address or not.