Attacks/Breaches
11/13/2013
08:00 AM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%
Repost This

The Emergence of DDoS-as-a-Service

"Legitimized" services increase DDoS threats and lend credence to the notion that information security is as much about corporate health as it is self-defense.

As if the current frequency of DDoS attacks is not enough, we’re now confronted with an emergence of "legitimized" attacks: DDoS-as-a-service (DDoSAAS).

Service? In recent articles, respected security blogger Brian Krebs exposes the advent of DDoS legitimization and interviews players in this questionable industry. What Brian learned is that these services are really straightforward: A DDoS service operator launches an attack of your choice against your target, for however long you specify.

For the ultimate in convenience, the operators often accept PayPal. Are such services widely in use? Brian’s investigations revealed that one operator alone appears accountable for over 10,000 attacks in a single week. Are they legal? The operators of the service, and their attorneys, claim that they are, or claim that they aren’t responsible for how their customers use the services they offer. For the moment, legal or not, we all must contend with DDoSAAS.

Open recursion is a key attack component
Analysis by security experts suggests that DDoS amplification (reflection) is the attack method of choice for many DDoSAAS operators. This form of DDoS attack relies on DNS resolvers that accept DNS queries from any source (recursion is thus open to all hosts). The attacks also originate from spoofed IP addresses (which you could mitigate at your datacenter firewalls by filtering source addresses if your ISP has not implemented BCP 38).

If these characteristics sound familiar, it’s because the numbers of open resolvers and networks that forward traffic from spoofed sources remains unacceptably high. The Open Resolver Project recently identified over 27 million resolvers that appear open. The daily surveys at the Measurement Factory suggest that the number is growing.

Mitigate open recursion to reduce attack infrastructure
DDoS attackers, legit or not, need infrastructure to launch attacks. We can make legitimized DDoS service less attractive if we raise the cost of doing business. This begins by taking away the open resolver infrastructure that they exploit at no cost. Mitigating open recursion, however, is inherently a community initiative: it’s not about your networks or datacenter being a target but about your recursive resolvers being enablers. The irony of legitimizing DDoS service, however, is that it shifts every organization’s motivation to reduce open recursion from selfless act to preventative measure.

Begin by referring to a public resources or explanations of how to test whether or not your resolvers are open recursive. Thinkbroadband, Measurement Factory, and VerisignLabs provide online checking tools. Measurement Factory also explains how you can do checks using command line commands dig (Linux, BSD) or nslookup (DOS).

The basis for many techniques for mitigating the threat that open recursion poses is published as an IETF Best Common Practice (BCP 140). The recommendations essentially advise that you implement access controls (ACLs) to provide name resolution only to clients you intend to serve. To disallow open recursion or to limit recursion, look at recommended configurations specific to your name server software.

As an example, Internet Systems Consortium, Inc. (ISC), the folks who develop and maintain the BIND DNS software run on many recursive resolvers discourage open recursion without an accompanying implementation of abuse mitigation or countermeasures. Consult the default configuration for BIND 9.4.1 and beyond: these versions only allow recursion for local hosts and networks. ISC recommends that you “create ACLs that match hosts that should be allowed access to cache and recursion on the servers.” You may want to consult Team Cymru’s Secure BIND Template as well.

Similar configuration resources exist for Windows Server 2003 and 2008/2012 and for Unbound as well. Other sources you may find useful are Sysadmins of the North and Cisco Systems’ DNS Best-Practices page.

Let me leave you with this final point: So-called legitimized services raise the DDoS threat level. However, on the positive side, they also help lend credence to the notion that information security is as much about corporate health or wellness as it is self-defense.

 

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web