Attacks/Breaches

11/13/2013
08:00 AM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Emergence of DDoS-as-a-Service

"Legitimized" services increase DDoS threats and lend credence to the notion that information security is as much about corporate health as it is self-defense.

As if the current frequency of DDoS attacks is not enough, we’re now confronted with an emergence of "legitimized" attacks: DDoS-as-a-service (DDoSAAS).

Service? In recent articles, respected security blogger Brian Krebs exposes the advent of DDoS legitimization and interviews players in this questionable industry. What Brian learned is that these services are really straightforward: A DDoS service operator launches an attack of your choice against your target, for however long you specify.

For the ultimate in convenience, the operators often accept PayPal. Are such services widely in use? Brian’s investigations revealed that one operator alone appears accountable for over 10,000 attacks in a single week. Are they legal? The operators of the service, and their attorneys, claim that they are, or claim that they aren’t responsible for how their customers use the services they offer. For the moment, legal or not, we all must contend with DDoSAAS.

Open recursion is a key attack component
Analysis by security experts suggests that DDoS amplification (reflection) is the attack method of choice for many DDoSAAS operators. This form of DDoS attack relies on DNS resolvers that accept DNS queries from any source (recursion is thus open to all hosts). The attacks also originate from spoofed IP addresses (which you could mitigate at your datacenter firewalls by filtering source addresses if your ISP has not implemented BCP 38).

If these characteristics sound familiar, it’s because the numbers of open resolvers and networks that forward traffic from spoofed sources remains unacceptably high. The Open Resolver Project recently identified over 27 million resolvers that appear open. The daily surveys at the Measurement Factory suggest that the number is growing.

Mitigate open recursion to reduce attack infrastructure
DDoS attackers, legit or not, need infrastructure to launch attacks. We can make legitimized DDoS service less attractive if we raise the cost of doing business. This begins by taking away the open resolver infrastructure that they exploit at no cost. Mitigating open recursion, however, is inherently a community initiative: it’s not about your networks or datacenter being a target but about your recursive resolvers being enablers. The irony of legitimizing DDoS service, however, is that it shifts every organization’s motivation to reduce open recursion from selfless act to preventative measure.

Begin by referring to a public resources or explanations of how to test whether or not your resolvers are open recursive. Thinkbroadband, Measurement Factory, and VerisignLabs provide online checking tools. Measurement Factory also explains how you can do checks using command line commands dig (Linux, BSD) or nslookup (DOS).

The basis for many techniques for mitigating the threat that open recursion poses is published as an IETF Best Common Practice (BCP 140). The recommendations essentially advise that you implement access controls (ACLs) to provide name resolution only to clients you intend to serve. To disallow open recursion or to limit recursion, look at recommended configurations specific to your name server software.

As an example, Internet Systems Consortium, Inc. (ISC), the folks who develop and maintain the BIND DNS software run on many recursive resolvers discourage open recursion without an accompanying implementation of abuse mitigation or countermeasures. Consult the default configuration for BIND 9.4.1 and beyond: these versions only allow recursion for local hosts and networks. ISC recommends that you “create ACLs that match hosts that should be allowed access to cache and recursion on the servers.” You may want to consult Team Cymru’s Secure BIND Template as well.

Similar configuration resources exist for Windows Server 2003 and 2008/2012 and for Unbound as well. Other sources you may find useful are Sysadmins of the North and Cisco Systems’ DNS Best-Practices page.

Let me leave you with this final point: So-called legitimized services raise the DDoS threat level. However, on the positive side, they also help lend credence to the notion that information security is as much about corporate health or wellness as it is self-defense.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-9036
PUBLISHED: 2018-06-20
CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users.
CVE-2018-12327
PUBLISHED: 2018-06-20
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq ...
CVE-2018-12558
PUBLISHED: 2018-06-20
The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").
CVE-2018-6563
PUBLISHED: 2018-06-20
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti...
CVE-2018-1120
PUBLISHED: 2018-06-20
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call t...