Attacks/Breaches
11/13/2013
08:00 AM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Emergence of DDoS-as-a-Service

"Legitimized" services increase DDoS threats and lend credence to the notion that information security is as much about corporate health as it is self-defense.

As if the current frequency of DDoS attacks is not enough, we’re now confronted with an emergence of "legitimized" attacks: DDoS-as-a-service (DDoSAAS).

Service? In recent articles, respected security blogger Brian Krebs exposes the advent of DDoS legitimization and interviews players in this questionable industry. What Brian learned is that these services are really straightforward: A DDoS service operator launches an attack of your choice against your target, for however long you specify.

For the ultimate in convenience, the operators often accept PayPal. Are such services widely in use? Brian’s investigations revealed that one operator alone appears accountable for over 10,000 attacks in a single week. Are they legal? The operators of the service, and their attorneys, claim that they are, or claim that they aren’t responsible for how their customers use the services they offer. For the moment, legal or not, we all must contend with DDoSAAS.

Open recursion is a key attack component
Analysis by security experts suggests that DDoS amplification (reflection) is the attack method of choice for many DDoSAAS operators. This form of DDoS attack relies on DNS resolvers that accept DNS queries from any source (recursion is thus open to all hosts). The attacks also originate from spoofed IP addresses (which you could mitigate at your datacenter firewalls by filtering source addresses if your ISP has not implemented BCP 38).

If these characteristics sound familiar, it’s because the numbers of open resolvers and networks that forward traffic from spoofed sources remains unacceptably high. The Open Resolver Project recently identified over 27 million resolvers that appear open. The daily surveys at the Measurement Factory suggest that the number is growing.

Mitigate open recursion to reduce attack infrastructure
DDoS attackers, legit or not, need infrastructure to launch attacks. We can make legitimized DDoS service less attractive if we raise the cost of doing business. This begins by taking away the open resolver infrastructure that they exploit at no cost. Mitigating open recursion, however, is inherently a community initiative: it’s not about your networks or datacenter being a target but about your recursive resolvers being enablers. The irony of legitimizing DDoS service, however, is that it shifts every organization’s motivation to reduce open recursion from selfless act to preventative measure.

Begin by referring to a public resources or explanations of how to test whether or not your resolvers are open recursive. Thinkbroadband, Measurement Factory, and VerisignLabs provide online checking tools. Measurement Factory also explains how you can do checks using command line commands dig (Linux, BSD) or nslookup (DOS).

The basis for many techniques for mitigating the threat that open recursion poses is published as an IETF Best Common Practice (BCP 140). The recommendations essentially advise that you implement access controls (ACLs) to provide name resolution only to clients you intend to serve. To disallow open recursion or to limit recursion, look at recommended configurations specific to your name server software.

As an example, Internet Systems Consortium, Inc. (ISC), the folks who develop and maintain the BIND DNS software run on many recursive resolvers discourage open recursion without an accompanying implementation of abuse mitigation or countermeasures. Consult the default configuration for BIND 9.4.1 and beyond: these versions only allow recursion for local hosts and networks. ISC recommends that you “create ACLs that match hosts that should be allowed access to cache and recursion on the servers.” You may want to consult Team Cymru’s Secure BIND Template as well.

Similar configuration resources exist for Windows Server 2003 and 2008/2012 and for Unbound as well. Other sources you may find useful are Sysadmins of the North and Cisco Systems’ DNS Best-Practices page.

Let me leave you with this final point: So-called legitimized services raise the DDoS threat level. However, on the positive side, they also help lend credence to the notion that information security is as much about corporate health or wellness as it is self-defense.

 

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.