March 24, 2006 4:00 AM PST

DNS servers do hackers' dirty work

In a twist on distributed denial-of-service attacks, cybercriminals are using DNS servers--the phonebooks of the Internet--to amplify their assaults and disrupt online business.

Earlier this year, VeriSign experienced attacks on its systems that were larger than anything it had ever seen before, it said last week. The Mountain View, Calif.-based company, which helps companies do business on the Web, discovered that the assaults weren't coming from commandeered "bot" computers, as is common. Instead, its machines were under attack by DNS (domain name system) servers.

"DNS is now a major vector for DDOS," Dan Kaminsky, a security researcher said, referring to distributed denial-of-service attacks. "The bar has been lowered. People with fewer resources can now launch potentially crippling attacks."

Just as in any DDOS attack, the target system--which could be a victim's Web server, name server or mail server--is inundated with a multitude of data coming from multiple systems on the Internet. The goal is to make the target unreachable online by flooding the data connection or by crashing it as it tries to handle the incoming data.

Such attacks were once the tool of bored teenagers who got a kick out of seeing Web sites crumble. But these days, DDOS attacks are sometimes used by criminals looking to extort money from online businesses--especially those on the margins, such as gambling sites and the adult-entertainment industry.

"We're past the era where denial of service simply happens because kids are looking for a good time," Kaminsky said.

Unlike a commandeered PC, a DNS server is a valid and good citizen of the Internet. The systems play a critical role in connecting Web users, mapping text-based domain names such as www.cnet.com to the numerical IP addresses used by computers.

In this new kind of attack, an assailant would typically use a botnet to send a large number of queries to open DNS servers. These queries will be "spoofed" to look like they come from the target of the flooding, and the DNS server will reply to that network address.

Using DNS servers to do their dirty work offers key benefits to attackers. It hides their systems, making it harder for the victim to find the original source of the attack. But more important, reflecting an attack through a DNS server also allows the assault to be amplified, delivering a larger amount of malicious traffic to the target.

Amplified response
A single DNS query could trigger a response that is as much as 73 times larger than the request, according to a recent paper by Randal Vaughn, a professor of information systems at Baylor University, and Gadi Evron, the manager of the Computer Emergency Response Team at Israel's ministry of finance.

Once upon a time, everybody just trusted everybody, and you would say, "Fine, use my server." Now you have to be more careful about that.
--Paul Mockapetris, chief scientist, Nominum

"Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address," Vaughn and Evron wrote.

What happens during a DNS reflector and amplification attack could be compared with trying to jam up somebody's mailbox, said Paul Mockapetris, the inventor of DNS and chief scientist at secure DNS provider Nominum. A basic way to do that would be to write and mail a lot of letters. However, those letters would be traceable, and you would also have to spend a lot of time writing.

"A better way to do it would be to send in response-request cards--the kind you find in magazines--circle everything and fill in the target's address," Mockapetris said. "That would make more junk show up in the mailbox and eliminate the obvious link to you." And that's what is happening with this type of DDOS attack, he said.

CONTINUED: Blocking the reflection…
Page 1 | 2

See more CNET content tagged:
DNS server, Nominum Inc., DNS, VeriSign Inc., assault

14 comments

Join the conversation!
Add your comment
I use CallingID that automatically protects me from DNS spoofing
CallingID is a toolbar for Internet Explorer and Firefox that automatically protects users from Internet fraud. It uses 55 verification tests to check that it is OK to send personal or confidential information to a site and if any test fails it alerts me. DNS spoofing is one of the tests
Posted by ba_oren (16 comments )
Reply Link Flag
bad choice....
this is an classic example of a smoke and mirror product. they show you a nice GUI interface and fool consumer into thinking they are secured..

how do they actually detect pharming? checking the domain name certainly doesn't do it, and not their 52 rules of checking (hey why not make it 521 rules, it sounds better)

I wouldn't waste $ on this crap if I were you.
Posted by darbien (3 comments )
Link Flag
Porn sites on the Margin? I thought ..
I thought they were the ones rakin in the money!
Posted by baswwe (299 comments )
Reply Link Flag
I don't think
I don't think this means recursive DNS is
irresponsible, I think it highlights that we
need to move beyond IPv4 to something that
doesn't just assume a connection is legit. If a
connection is made apparently from ___, then the
ACK of receipt used in file transfers (i.e.,
packet received) could serve as a "you did send
this, right?". IPv6 has some improvements over
IPv4 as well.
Posted by hawkeyeaz1 (569 comments )
Reply Link Flag
RE: IPV6
Agreed but there is no pressure to move to IPv6.
Posted by Jeremiah256 (28 comments )
Link Flag
Why they can spoof their IP ?
Why routers at the last mile allow this? Simply because ISP-s don't care.. if this kind of attack can be done, that's because the hackers are able to spoof their IPs and that's not so hard to detect at the first few routers while the packet is inside the network of the originating ISP.

So think.
Posted by PAStheLoD (1 comment )
Reply Link Flag
Yawn
If the reporter had done more checking he would've found out that this is nothing new. It's just being "exploited" by new people in terms of utilizing for professional gain - like reporters quoting them in stories about old stuff.
Posted by interboogie (1 comment )
Reply Link Flag
haha
if you would have done more checking you would have found that this point has already been made by at least two other posters.
Posted by stealt403 (48 comments )
Link Flag
What are the options for protecting againsts this?
It appears that Simple DNS Plus is one.
See <a class="jive-link-external" href="http://blogs.jhsoft.com/jhsoft/PermaLink,guid,f43ae4a8-b3cb-43ba-b9c0-261f4a4b509c.aspx" target="_newWindow">http://blogs.jhsoft.com/jhsoft/PermaLink,guid,f43ae4a8-b3cb-43ba-b9c0-261f4a4b509c.aspx</a>

Anyone know of anything else?
Posted by rdeutch (2 comments )
Reply Link Flag
Problem has been solved...
For those whom have invested in the proper hardware and software from Cisco... this problem has been forwarned for several years now and Cisco has a resolution.

Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) can determine whether the sender is valid or spoofed and it will drop spoofed DNS requests.

That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plage them!!!

The problem has been known for several years adn a valid solution exists... but it's only for those whom invest properly in the correct security equipment!!!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Problem has been solved...
For those whom have invested in the proper hardware and software from Cisco... this problem has been forwarned for several years now and Cisco has a resolution.

Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) can determine whether the sender is valid or spoofed and it will drop spoofed DNS requests.

That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plage them!!!

The problem has been known for several years adn a valid solution exists... but it's only for those whom invest properly in the correct security equipment!!!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Not really...
If the Cisco device does a reverse DNS lookup on the spoofed IP address, it will still get a correct result. So how does this solve anything?

If an IP packet with a spoofed origin IP address reaches its target (or the firewall in front of it), then there is no way to tell if the packet really came from the claimed IP address or not.
Posted by rdeutch (2 comments )
Link Flag
To everyone complaining about this being 'old info':

I'm just now researching this in 2011 and find this article to be very helpful in understanding how to secure my own network. So really, no well-written article is ever truly outdated because there are newbie hackers and newbie users to fight them off in every generation, every year.

Thanks for the well-written article, CNET. For this reader, it was timely and informative.
Posted by kandiamo (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.