In a twist on distributed denial-of-service attacks, cybercriminals are using DNS servers--the phonebooks of the Internet--to amplify their assaults and disrupt online business.
Earlier this year, VeriSign experienced attacks on its systems that were larger than anything it had ever seen before, it said last week. The Mountain View, Calif.-based company, which helps companies do business on the Web, discovered that the assaults weren't coming from commandeered "bot" computers, as is common. Instead, its machines were under attack by DNS (domain name system) servers.
"DNS is now a major vector for DDOS," Dan Kaminsky, a security researcher said, referring to distributed denial-of-service attacks. "The bar has been lowered. People with fewer resources can now launch potentially crippling attacks."
Just as in any DDOS attack, the target system--which could be a victim's Web server, name server or mail server--is inundated with a multitude of data coming from multiple systems on the Internet. The goal is to make the target unreachable online by flooding the data connection or by crashing it as it tries to handle the incoming data.
Such attacks were once the tool of bored teenagers who got a kick out of seeing Web sites crumble. But these days, DDOS attacks are sometimes used by criminals looking to extort money from online businesses--especially those on the margins, such as gambling sites and the adult-entertainment industry.
"We're past the era where denial of service simply happens because kids are looking for a good time," Kaminsky said.
Unlike a commandeered PC, a DNS server is a valid and good citizen of the Internet. The systems play a critical role in connecting Web users, mapping text-based domain names such as www.cnet.com to the numerical IP addresses used by computers.
In this new kind of attack, an assailant would typically use a botnet to send a large number of queries to open DNS servers. These queries will be "spoofed" to look like they come from the target of the flooding, and the DNS server will reply to that network address.
Using DNS servers to do their dirty work offers key benefits to attackers. It hides their systems, making it harder for the victim to find the original source of the attack. But more important, reflecting an attack through a DNS server also allows the assault to be amplified, delivering a larger amount of malicious traffic to the target.
Amplified response
A single DNS query could trigger a response that is as much as 73 times larger than the request, according to a recent paper by Randal Vaughn, a professor of information systems at Baylor University, and Gadi Evron, the manager of the Computer Emergency Response Team at Israel's ministry of finance.
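The reflection and amplification mechanics described above can be spotted from two vantage points: the victim's network edge sees DNS responses that no inside host ever asked for, and an open resolver sees repeated queries for a high-amplification name all claiming the same "client" address. The following Python is an added example written for this page, not code from the article, VeriSign, or Nominum; the flow records, addresses, and sizes are constructed, and the thresholds are illustrative assumptions.

```python
"""Flag DNS reflection/amplification traffic in constructed flow records.

Added example, not code from the article or from any vendor named in it.
Record layout (a constructed, simplified summary of one UDP datagram):
    (seconds, src_ip, dst_ip, kind, qname, octets)
where kind is "query" (sent toward port 53) or "response" (sent from port 53).
"""
from collections import defaultdict

# Constructed traffic as seen at the edge of the victim's network.
# 203.0.113.10 is the constructed victim; 203.0.113.20 is a normal host
# whose own query is answered; 198.51.100.0/24 holds constructed open resolvers.
EDGE_RECORDS = [
    (0.00, "203.0.113.20", "198.51.100.1", "query", "www.example.com", 60),
    (0.02, "198.51.100.1", "203.0.113.20", "response", "www.example.com", 130),
    # answers to spoofed queries: the victim never asked, yet responses arrive
    (0.05, "198.51.100.1", "203.0.113.10", "response", "example.org", 3600),
    (0.05, "198.51.100.2", "203.0.113.10", "response", "example.org", 3600),
    (0.06, "198.51.100.3", "203.0.113.10", "response", "example.org", 3600),
    (0.06, "198.51.100.4", "203.0.113.10", "response", "example.org", 3600),
]

# Constructed traffic as seen by one open resolver: the repeated queries claim
# to come from the victim and ask for a name whose answer is much larger.
RESOLVER_RECORDS = [
    (0.00, "203.0.113.10", "198.51.100.1", "query", "example.org", 60),
    (0.00, "198.51.100.1", "203.0.113.10", "response", "example.org", 3600),
    (0.01, "203.0.113.10", "198.51.100.1", "query", "example.org", 60),
    (0.01, "198.51.100.1", "203.0.113.10", "response", "example.org", 3600),
    (0.02, "192.0.2.5", "198.51.100.1", "query", "www.example.com", 60),
    (0.02, "198.51.100.1", "192.0.2.5", "response", "www.example.com", 130),
]


def unsolicited_response_bytes(records, window=2.0):
    """Return {host: octets} of responses that no query from that host preceded.

    A query is matched to a later response on (host, qname) within `window`
    seconds; any response left over is unsolicited, the signature of reflection.
    """
    pending = defaultdict(list)   # (host, qname) -> times of unmatched queries
    unsolicited = defaultdict(int)
    # queries sort ahead of responses that share a timestamp
    for t, src, dst, kind, qname, size in sorted(records, key=lambda r: (r[0], r[3] != "query")):
        if kind == "query":
            pending[(src, qname)].append(t)
            continue
        key = (dst, qname)
        recent = [q for q in pending[key] if t - q <= window]
        if recent:
            recent.pop(0)            # consume the matching query
            pending[key] = recent
        else:
            unsolicited[dst] += size
    return dict(unsolicited)


def amplification_by_name(records):
    """Return {qname: response_octets / query_octets}, the amplification factor."""
    query_bytes, response_bytes = defaultdict(int), defaultdict(int)
    for _, _, _, kind, qname, size in records:
        (query_bytes if kind == "query" else response_bytes)[qname] += size
    return {q: response_bytes[q] / query_bytes[q] for q in query_bytes if query_bytes[q]}


def reflection_alerts(edge_records, min_octets=10_000):
    """Hosts that received at least `min_octets` of unsolicited DNS responses."""
    return {h: b for h, b in unsolicited_response_bytes(edge_records).items() if b >= min_octets}


def abusive_clients(resolver_records, factor=10.0, min_queries=2):
    """Source addresses that repeatedly query a name whose answer amplifies.

    On the resolver side this is the rate-limiting signal: the 'client' address
    is the spoofed victim, so limiting answers to it protects the victim.
    """
    factors = amplification_by_name(resolver_records)
    counts = defaultdict(int)
    for _, src, _, kind, qname, _ in resolver_records:
        if kind == "query" and factors.get(qname, 0) >= factor:
            counts[src] += 1
    return {s: n for s, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    print("reflection victims:", reflection_alerts(EDGE_RECORDS))
    print("amplification by name:", amplification_by_name(RESOLVER_RECORDS))
    print("clients to rate-limit:", abusive_clients(RESOLVER_RECORDS))
```

The edge-side check needs only response traffic, which is all a victim ever sees; the resolver-side check is what an operator of an open recursive server can act on, since the spoofed source is the one address that should receive fewer answers, not more.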
Once upon a time, everybody just trusted everybody, and you would say, "Fine, use my server." Now you have to be more careful about that.
--Paul Mockapetris, chief scientist, Nominum
"Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address," Vaughn and Evron wrote.
What happens during a DNS reflector and amplification attack could be compared with trying to jam up somebody's mailbox, said Paul Mockapetris, the inventor of DNS and chief scientist at secure DNS provider Nominum. A basic way to do that would be to write and mail a lot of letters. However, those letters would be traceable, and you would also have to spend a lot of time writing.
"A better way to do it would be to send in response-request cards--the kind you find in magazines--circle everything and fill in the target's address," Mockapetris said. "That would make more junk show up in the mailbox and eliminate the obvious link to you." And that's what is happening with this type of DDOS attack, he said.
I use CallingID that automatically protects me from DNS spoofing
CallingID is a toolbar for Internet Explorer and Firefox that automatically protects users from Internet fraud. It uses 55 verification tests to check that it is OK to send personal or confidential information to a site, and if any test fails it alerts me. DNS spoofing is one of the tests.
This is a classic example of a smoke-and-mirrors product. They show you a nice GUI interface and fool consumers into thinking they are secured..
How do they actually detect pharming? Checking the domain name certainly doesn't do it, and neither do their 52 rules of checking (hey, why not make it 521 rules, it sounds better).
1. That's 2 years ago. And how long before that did the attacker(s) have the idea? And today these small-time experts like Gadi are posting on FD claiming they know it all. You guys at Cnet really are quoting the best folks to be asking about such techniques.
2. And there's still the Yahoo Slurp disclosure that Gadi and the others can't work out.
I guess that'll come up two years later too...
When folks like Gadi on FD can't work something out on FD, they call you a troll or tell you to go to school.
I don't think this means recursive DNS is irresponsible, I think it highlights that we need to move beyond IPv4 to something that doesn't just assume a connection is legit. If a connection is made apparently from ___, then the ACK of receipt used in file transfers (i.e., packet received) could serve as a "you did send this, right?". IPv6 has some improvements over IPv4 as well.
Why do routers at the last mile allow this? Simply because ISPs don't care.. if this kind of attack can be done, that's because the hackers are able to spoof their IPs, and that's not so hard to detect at the first few routers while the packet is inside the network of the originating ISP.
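The check this comment has in mind is source-address validation at the originating ISP's edge: an access router knows which prefixes it delegated to each customer port, so a packet arriving on that port with any other source address cannot be genuine. The following Python models that filter; it is an added example for this page, not code from the article, the commenter, or any router vendor, and the delegation table, interface names, and packets are all constructed.

```python
"""Source-address validation at an ISP access router (BCP 38 style).

Added example, not code from the article or any vendor. The router keeps a
table of the prefixes routed toward each customer-facing interface and drops
packets whose source address could not legitimately arrive on that interface.
"""
import ipaddress
from collections import Counter

# Constructed delegation table: interface -> prefixes assigned to that customer.
DELEGATIONS = {
    "cust-a": ["192.0.2.0/26"],
    "cust-b": ["192.0.2.64/26", "2001:db8:b::/48"],
}

# Constructed packets: (ingress interface, source ip, destination ip, dst port)
PACKETS = [
    ("cust-a", "192.0.2.7", "198.51.100.1", 53),       # genuine query from customer A
    ("cust-a", "203.0.113.10", "198.51.100.1", 53),    # spoofed: claims an unrelated address
    ("cust-b", "192.0.2.70", "198.51.100.2", 53),      # genuine query from customer B
    ("cust-b", "192.0.2.7", "198.51.100.2", 53),       # spoofed: customer A's address on B's port
    ("cust-b", "2001:db8:b::1", "2001:db8:53::1", 53),  # genuine IPv6 query from customer B
]


def build_filter(delegations):
    """Parse the delegation table once into ip_network objects."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in delegations.items()}


def source_is_valid(filter_table, iface, src_ip):
    """True when src_ip lies inside a prefix delegated to the ingress interface.

    An unknown interface has no delegated prefixes, so nothing is accepted
    from it; an address family mismatch (IPv4 source against an IPv6 prefix)
    simply fails the membership test.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in filter_table.get(iface, []))


def apply_ingress_filter(filter_table, packets):
    """Split packets into those forwarded and those dropped as spoofed."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src = pkt[0], pkt[1]
        (forwarded if source_is_valid(filter_table, iface, src) else dropped).append(pkt)
    return forwarded, dropped


def drop_summary(dropped):
    """Per-interface count of dropped packets, the figure an operator would alert on."""
    return Counter(iface for iface, *_ in dropped)


if __name__ == "__main__":
    table = build_filter(DELEGATIONS)
    ok, bad = apply_ingress_filter(table, PACKETS)
    print("forwarded:", len(ok), "dropped:", len(bad))
    print("drops by interface:", dict(drop_summary(bad)))
```

The filter only works this close to the source: once traffic from many customers is aggregated upstream, a router no longer has a single prefix per port to compare against, which is the same limitation a later comment raises about the target being unable to tell a spoofed packet from a genuine one.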
If the reporter had done more checking he would've found out that this is nothing new. It's just being "exploited" by new people in terms of utilizing for professional gain - like reporters quoting them in stories about old stuff.
What are the options for protecting against this?
It appears that Simple DNS Plus is one. See http://blogs.jhsoft.com/jhsoft/PermaLink,guid,f43ae4a8-b3cb-43ba-b9c0-261f4a4b509c.aspx
For those who have invested in the proper hardware and software from Cisco... this problem has been forewarned for several years now and Cisco has a resolution.
Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) to determine whether the sender is valid or spoofed, and they will drop spoofed DNS requests.
That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plague them!!!"
The problem has been known for several years and a valid solution exists... but it's only for those who invest properly in the correct security equipment!!!
If the Cisco device does a reverse DNS lookup on the spoofed IP address, it will still get a correct result. So how does this solve anything?
If an IP packet with a spoofed origin IP address reaches its target (or the firewall in front of it), then there is no way to tell if the packet really came from the claimed IP address or not.
To everyone complaining about this being 'old info':
I'm just now researching this in 2011 and find this article to be very helpful in understanding how to secure my own network. So really, no well-written article is ever truly outdated because there are newbie hackers and newbie users to fight them off in every generation, every year.
Thanks for the well-written article, CNET. For this reader, it was timely and informative.