New denial-of-service threat emerges

By Dawn Kawamoto
Staff Writer, CNET News.com Published: March 16, 2006 2:53 PM PST

Tools

Related Stories: Bots slim down to get tough
November 16, 2005; 'Bot herders' may have controlled 1.5 million PCs
October 21, 2005; DNS servers--an Internet Achilles' heel
August 3, 2005; New worm poses DoS attack threat
October 31, 2003

A new kind of denial-of-service attack has emerged that delivers a heftier blow to organizations' systems than previously seen DOS threats, according to VeriSign's security chief.

The new DOS attacks first emerged in late December and kicked into high gear in January, before dying down four weeks ago, said Ken Silva, VeriSign's chief security officer. In less than two months, 1,500 separate Internet Protocol addresses were attacked using this method, he noted.

"These attacks have been significantly larger than anything we've seen," he said.

Under a more common DOS attack, a network of bots, or compromised PCs commandeered by remote attackers, directly inundates a victim's Web server, name server or mail server with a multitude of queries. The goal of a DOS attack is to crash the victim's system, as it tries to respond to the requests.

But in this latest spate of DOS attacks, bots are sending queries to DNS (domain name system) servers with the return address pointed at the targeted victim. As a result, the DNS server, rather than the bot, makes the direct attack on the victim. The net result is a stronger attack and an increased difficulty in stopping it, Silva said.

While it is possible to stop a bot-delivered DOS attack by blocking the bot's IP address, blocking queries from DNS servers would prove more difficult, Silva said. He noted that companies could reconfigure their DNS servers to prevent the so-called recursive name service feature, as a possible solution. But he added that companies may be loath to prevent potential customers, partners, researchers and others from sending queries to their DNS.

More from News.com on this story's topics: Security
Create an email alert | RSS feed; Domain names
Create an email alert | RSS feed; Security threats
Create an email alert | RSS feed; Hacking
Create an email alert | RSS feed; VeriSign
Create an email alert | RSS feed

See more CNET content tagged:
denial of service, VeriSign Inc., DNS server, bot, query

Add a Comment (Log in or register) 5 comments (Page 1 of 1)

This is just PR for VeriSign
by andrew999999999 March 16, 2006 3:47 PM PST: This is just a PR campaign by VeriSign to try to defend attacks about its new .com price hike agreement:
http://domainnamewire.com/2006/03/16/verisign-spin-machine-moves-into-high-gear/; Reply to this comment View reply
Processing

ISN'T THIS OLD
by Jeremiah256 March 17, 2006 5:00 PM PST: Correct me if I'm wrong but isn't this just DR-DOS - Distributed Reflection Denial Of Service? It's been documented since at least 2002. Search around Steve Gibson's website (http://grc.com). He documents how he upset some kid and got blasted off the net by a DR-DOS attack using some of the internet's most power servers.; Reply to this comment

What ever happened to 3-way handshakes?
by wbenton March 19, 2006 7:58 AM PST: DNS replies are returned to DNS requests. Thus if the requester drops anything that doesn't match the 3-way handshake... the problem can be staved off.

3-way handshaking has been around for quite a few years now and thus it's nothing new... except for those whom have yet to implement it.

Thus even if you receive a DNS reply which you didn't ask for... 3-way handshaking should drop the packet because it wasn't requested... even if it's from your own DNS server!

Walt; Reply to this comment View reply
Processing