New denial-of-service threat emerges

A new kind of denial-of-service attack has emerged that delivers a heftier blow to organizations' systems than previously seen DOS threats, according to VeriSign's security chief.

The new DOS attacks first emerged in late December and kicked into high gear in January, before dying down four weeks ago, said Ken Silva, VeriSign's chief security officer. In less than two months, 1,500 separate Internet Protocol addresses were attacked using this method, he noted.

"These attacks have been significantly larger than anything we've seen," he said.

Under a more common DOS attack, a network of bots, or compromised PCs commandeered by remote attackers, directly inundates a victim's Web server, name server or mail server with a multitude of queries. The goal of a DOS attack is to crash the victim's system, as it tries to respond to the requests.

But in this latest spate of DOS attacks, bots are sending queries to DNS (domain name system) servers with the return address pointed at the targeted victim. As a result, the DNS server, rather than the bot, makes the direct attack on the victim. The net result is a stronger attack and an increased difficulty in stopping it, Silva said.

While it is possible to stop a bot-delivered DOS attack by blocking the bot's IP address, blocking queries from DNS servers would prove more difficult, Silva said. He noted that companies could reconfigure their DNS servers to prevent the so-called recursive name service feature, as a possible solution. But he added that companies may be loath to prevent potential customers, partners, researchers and others from sending queries to their DNS.

[andrew999999999]

This is just PR for VeriSign

This is just a PR campaign by VeriSign to try to defend attacks about its new .com price hike agreement:
<a class="jive-link-external" href="http://domainnamewire.com/2006/03/16/verisign-spin-machine-moves-into-high-gear/" target="_newWindow">http://domainnamewire.com/2006/03/16/verisign-spin-machine-moves-into-high-gear/</a>

[Seaspray0]

Wrong

It's a story about a new type of DOS attack. Since the attack goes through DNS servers, it is related to verisign as they are in the business of providing DNS services to the internet. The story, in no way, is good information about verisign as they currently have no way of stopping this type of attack, so how can you claim it PR?

[Jeremiah256]

ISN'T THIS OLD

Correct me if I'm wrong but isn't this just DR-DOS - Distributed Reflection Denial Of Service? It's been documented since at least 2002. Search around Steve Gibson's website (<a class="jive-link-external" href="http://grc.com" target="_newWindow">http://grc.com</a>). He documents how he upset some kid and got blasted off the net by a DR-DOS attack using some of the internet's most power servers.

[wbenton]

What ever happened to 3-way handshakes?

DNS replies are returned to DNS requests. Thus if the requester drops anything that doesn't match the 3-way handshake... the problem can be staved off.

3-way handshaking has been around for quite a few years now and thus it's nothing new... except for those whom have yet to implement it.

Thus even if you receive a DNS reply which you didn't ask for... 3-way handshaking should drop the packet because it wasn't requested... even if it's from your own DNS server!

Walt

[Jeremiah256]

RE: THREE WAY HANDSHAKE

Someone correct me if I'm wrong but I think the problem is the amount of packets sent to your site. If your site drops it and the DNS server doesn't receive a response, correct me if I'm wrong, it'll try again a few more times assuming the packet was dropped. These people are collecting the address of vast numbers of DNS servers (and other servers) and will spoof your site at all of them. It becomes a bandwidth issue.