DNS servers do hackers' dirty work

In a twist on distributed denial-of-service attacks, cybercriminals are using DNS servers--the phonebooks of the Internet--to amplify their assaults and disrupt online business.

Earlier this year, VeriSign experienced attacks on its systems that were larger than anything it had ever seen before, it said last week. The Mountain View, Calif.-based company, which helps companies do business on the Web, discovered that the assaults weren't coming from commandeered "bot" computers, as is common. Instead, its machines were under attack by DNS (domain name system) servers.

"DNS is now a major vector for DDOS," Dan Kaminsky, a security researcher said, referring to distributed denial-of-service attacks. "The bar has been lowered. People with fewer resources can now launch potentially crippling attacks."

Just as in any DDOS attack, the target system--which could be a victim's Web server, name server or mail server--is inundated with a multitude of data coming from multiple systems on the Internet. The goal is to make the target unreachable online by flooding the data connection or by crashing it as it tries to handle the incoming data.

Such attacks were once the tool of bored teenagers who got a kick out of seeing Web sites crumble. But these days, DDOS attacks are sometimes used by criminals looking to extort money from online businesses--especially those on the margins, such as gambling sites and the adult-entertainment industry.

"We're past the era where denial of service simply happens because kids are looking for a good time," Kaminsky said.

Unlike a commandeered PC, a DNS server is a valid and good citizen of the Internet. The systems play a critical role in connecting Web users, mapping text-based domain names such as www.cnet.com to the numerical IP addresses used by computers.

In this new kind of attack, an assailant would typically use a botnet to send a large number of queries to open DNS servers. These queries will be "spoofed" to look like they come from the target of the flooding, and the DNS server will reply to that network address.

Using DNS servers to do their dirty work offers key benefits to attackers. It hides their systems, making it harder for the victim to find the original source of the attack. But more important, reflecting an attack through a DNS server also allows the assault to be amplified, delivering a larger amount of malicious traffic to the target.

Amplified response
A single DNS query could trigger a response that is as much as 73 times larger than the request, according to a recent paper by Randal Vaughn, a professor of information systems at Baylor University, and Gadi Evron, the manager of the Computer Emergency Response Team at Israel's ministry of finance.

Once upon a time, everybody just trusted everybody, and you would say, "Fine, use my server." Now you have to be more careful about that.

--Paul Mockapetris, chief scientist, Nominum

"Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address," Vaughn and Evron wrote.

What happens during a DNS reflector and amplification attack could be compared with trying to jam up somebody's mailbox, said Paul Mockapetris, the inventor of DNS and chief scientist at secure DNS provider Nominum. A basic way to do that would be to write and mail a lot of letters. However, those letters would be traceable, and you would also have to spend a lot of time writing.

"A better way to do it would be to send in response-request cards--the kind you find in magazines--circle everything and fill in the target's address," Mockapetris said. "That would make more junk show up in the mailbox and eliminate the obvious link to you." And that's what is happening with this type of DDOS attack, he said.

[ba_oren]

I use CallingID that automatically protects me from DNS spoofing

CallingID is a toolbar for Internet Explorer and Firefox that automatically protects users from Internet fraud. It uses 55 verification tests to check that it is OK to send personal or confidential information to a site and if any test fails it alerts me. DNS spoofing is one of the tests

[darbien]

bad choice....

this is an classic example of a smoke and mirror product. they show you a nice GUI interface and fool consumer into thinking they are secured..

how do they actually detect pharming? checking the domain name certainly doesn't do it, and not their 52 rules of checking (hey why not make it 521 rules, it sounds better)

I wouldn't waste $ on this crap if I were you.

[baswwe]

Porn sites on the Margin? I thought ..

I thought they were the ones rakin in the money!

[n3td3v]

Little note for the so-called experts

http://www.google.co.uk/search?hl=en&q=Akamai+attack&spell=1

http://www.google.co.uk/search?hl=en&q=Akamia+attack&meta=

http://www.google.co.uk/search?hl=en&q=Akamai+attack+n3td3v&spell=1

[n3td3v]

2 years ago

1. Thats 2 years ago. And how long before that did the attacker(s) have the idea? And today these small time experts like Gadi are posting on FD claiming they know it all. You guys at Cnet really are quoting the best folks to be asking about such techniques.

2. And theres still the Yahoo Slurp disclosure that Gadi and the others can't work out.

I guess that'll come up two years later too...

When folks like Gadi on FD can't work something out on FD, they call you a troll or tell you to goto school.

Its funny.

[hawkeyeaz1]

I don't think

I don't think this means recursive DNS is
irresponsible, I think it highlights that we
need to move beyond IPv4 to something that
doesn't just assume a connection is legit. If a
connection is made apparently from ___, then the
ACK of receipt used in file transfers (i.e.,
packet received) could serve as a "you did send
this, right?". IPv6 has some improvements over
IPv4 as well.

[Jeremiah256]

RE: IPV6

Agreed but there is no pressure to move to IPv6.

[PAStheLoD]

Why they can spoof their IP ?

Why routers at the last mile allow this? Simply because ISP-s don't care.. if this kind of attack can be done, that's because the hackers are able to spoof their IPs and that's not so hard to detect at the first few routers while the packet is inside the network of the originating ISP.

So think.

[interboogie]

Yawn

If the reporter had done more checking he would've found out that this is nothing new. It's just being "exploited" by new people in terms of utilizing for professional gain - like reporters quoting them in stories about old stuff.

[stealt403]

haha

if you would have done more checking you would have found that this point has already been made by at least two other posters.

[rdeutch]

What are the options for protecting againsts this?

It appears that Simple DNS Plus is one.
See http://blogs.jhsoft.com/jhsoft/PermaLink,guid,f43ae4a8-b3cb-43ba-b9c0-261f4a4b509c.aspx

Anyone know of anything else?

[wbenton]

Problem has been solved...

For those whom have invested in the proper hardware and software from Cisco... this problem has been forwarned for several years now and Cisco has a resolution.

Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) can determine whether the sender is valid or spoofed and it will drop spoofed DNS requests.

That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plage them!!!

The problem has been known for several years adn a valid solution exists... but it's only for those whom invest properly in the correct security equipment!!!

Walt

[wbenton]

Problem has been solved...

For those whom have invested in the proper hardware and software from Cisco... this problem has been forwarned for several years now and Cisco has a resolution.

Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) can determine whether the sender is valid or spoofed and it will drop spoofed DNS requests.

That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plage them!!!

The problem has been known for several years adn a valid solution exists... but it's only for those whom invest properly in the correct security equipment!!!

Walt

[rdeutch]

Not really...

If the Cisco device does a reverse DNS lookup on the spoofed IP address, it will still get a correct result. So how does this solve anything?

If an IP packet with a spoofed origin IP address reaches its target (or the firewall in front of it), then there is no way to tell if the packet really came from the claimed IP address or not.