4/4/2014 08:15 AM
Nominum: 24 Million Home Routers Exposing ISPs to DDoS Attacks

Even Internet service providers that go to great lengths to protect their networks are vulnerable.

Tens of millions of home routers are exposing Internet service provider networks to DNS-based distributed denial-of-service (DDoS) attacks, according to new research from DNS software and security provider Nominum.

According to estimates from the company, more than 24 million home routers on the Internet have open DNS proxies that expose ISPs to DNS-based DDoS attacks. In February alone, more than 5.3 million of these routers were used to generate attack traffic, while in January, more than 70 percent of total DNS traffic on one provider's network was associated with DNS amplification.

In a DNS amplification attack, publicly accessible open DNS servers are used to flood a target with DNS response traffic: small queries that carry the target's spoofed source address draw much larger responses toward it.

"The attacks are difficult to combat because there are still many places in the world where it is possible for attackers to spoof IP addresses," says Bruce van Nice, director of product marketing at Nominum. "Even providers who go to great lengths to protect their networks can be exposed, because not everyone is as diligent as they are. DNS is also a critical and universally used protocol, so network-based filters can be very unworkable due to the complexity they introduce.

(Image: Cyber Inz)

"The last problem," he tells us, "is home routers are purchased and managed by consumers. Providers may have no control over them, so it is very difficult to change their configuration to remove problems such as this. The best way to address the problem is to make DNS servers smarter -- equip them with fine-grained capabilities to manage malicious traffic while ensuring legitimate traffic is always permitted."
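The two points above, the amplification mechanism and van Nice's call for DNS servers with "fine-grained capabilities to manage malicious traffic," can be made concrete with a small log analysis. The following is an added example written for this page; it is not code from the article, from Nominum, or from any resolver product. The log format, the addresses, the query sizes and the thresholds are all constructed for illustration. It estimates the amplification factor each client is receiving (a client being flooded with large identical responses it never asked for is the spoofed victim) and applies a response-rate-limiting rule of the kind resolver operators use to blunt reflection without blocking DNS wholesale.

```python
"""Added example (not from the article or from Nominum): estimate DNS
amplification per client from resolver logs and apply a response-rate-
limiting (RRL) rule. Log format, addresses and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed resolver log: timestamp, client IP (the UDP source address,
# which in a reflection attack is the spoofed victim), query name, query
# type, query size in bytes, response size in bytes. The ANY queries model
# a reflection burst; the A and MX lines model ordinary clients.
SAMPLE_LOG = """\
1396600000.01 198.51.100.7 isc.org ANY 64 3200
1396600000.02 198.51.100.7 isc.org ANY 64 3200
1396600000.03 198.51.100.7 isc.org ANY 64 3200
1396600000.04 198.51.100.7 isc.org ANY 64 3200
1396600000.05 198.51.100.7 isc.org ANY 64 3200
1396600000.06 198.51.100.7 isc.org ANY 64 3200
1396600000.10 203.0.113.4 www.example.com A 58 74
1396600000.30 203.0.113.9 mail.example.net MX 60 110
1396600001.20 198.51.100.7 isc.org ANY 64 3200
"""


@dataclass
class DnsRecord:
    ts: float
    client: str
    qname: str
    qtype: str
    query_bytes: int
    response_bytes: int

    @property
    def amplification(self) -> float:
        # Bytes sent toward the client per byte received from it.
        return self.response_bytes / self.query_bytes


def parse_log(text):
    """Parse the constructed log format into DnsRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, qb, rb = line.split()
        records.append(DnsRecord(float(ts), client, qname, qtype, int(qb), int(rb)))
    return records


def amplified_traffic_by_client(records, min_factor=10.0):
    """Per client: peak one-second count of high-amplification responses and
    total bytes reflected toward it. Only responses whose size is at least
    min_factor times the query size are counted."""
    per_second = defaultdict(int)
    total_bytes = defaultdict(int)
    for r in records:
        if r.amplification >= min_factor:
            per_second[(r.client, int(r.ts))] += 1
            total_bytes[r.client] += r.response_bytes
    peak = defaultdict(int)
    for (client, _), n in per_second.items():
        peak[client] = max(peak[client], n)
    return {c: {"peak_per_second": peak[c], "bytes_out": total_bytes[c]} for c in peak}


def rrl_filter(records, max_per_second=3):
    """Response rate limiting: answer at most max_per_second identical
    (client, qname, qtype) responses per one-second window and drop the rest.
    Legitimate clients rarely repeat the same query many times per second,
    so they are unaffected while a reflection burst is cut down."""
    counters = defaultdict(int)
    answered, dropped = [], []
    for r in records:
        key = (r.client, r.qname, r.qtype, int(r.ts))
        counters[key] += 1
        (answered if counters[key] <= max_per_second else dropped).append(r)
    return answered, dropped


def bytes_saved(dropped):
    """Response bytes that would not have been reflected toward the victim."""
    return sum(r.response_bytes for r in dropped)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(amplified_traffic_by_client(recs))
    ans, drop = rrl_filter(recs)
    print(len(ans), "answered,", len(drop), "dropped,", bytes_saved(drop), "bytes saved")
```

On the constructed log, 198.51.100.7 is the only client receiving responses fifty times larger than its queries, six of them in one second, and the rate limit drops half of that burst while answering every ordinary query. Production RRL implementations add a "slip" behaviour, periodically sending a small truncated response instead of dropping, so that a real client whose address was spoofed can still retry over TCP; that refinement is left out here to keep the rule readable.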

DNS has emerged as one of the most popular protocols for launching amplification attacks, but it is not the only one. NTP amplification attacks are common as well. According to a report from Incapsula, now part of Imperva, the number of NTP amplification attacks jumped significantly during January and February. Still, DNS amplification represented nearly 35 percent of the large-scale events (+20 Gbit/s) covered in 2013 and early 2014.

"DNS attacks are nothing new; it’s one of the most common high-volume approaches, and it’s not surprising that they’re still growing in frequency," says Shawn Marck, chief security officer at Black Lotus. "We’re seeing a rise in DrDoS [distributed reflection denial-of-service] attacks, a strategy that frequently targets DNS daemons, and far too many people don’t recognize the need to protect DNS servers on top of their web servers or other networks.

"DNS servers have a very poor configuration, making them easy targets for spoofed sources resulting in large amplification attacks. ISPs that are dealing with these DNS amplification attacks need to consider the fact that the DNS servers are just a small part of their overall network. To ensure they’re properly protected, they need to invest in security measures that cover their networks as a whole, not just web or DNS servers. This is the only means to keep your data safe against traditional DDoS as well as the DNS and NTP amplification attacks, which we can all agree aren’t going anywhere anytime soon."

Home and small-business routers are a huge vulnerability, according to Tod Beardsley, engineering manager at Rapid7.

"We have published dozens of Metasploit modules that exercise dozens of vulnerabilities that range from traditional buffer overflows to default misconfigurations to vendor-installed back doors, and yet still, today, there is no normal, easy way to get updates for these things," says Beardsley. "Because of this total lack of patching, vulnerabilities of home access points are extremely long lived. Your computers and phones all have some kind of scheduled update service that's at least possible, but the router -- the thing that you're most reliant on for secure and performant web-surfing -- is totally lacking in this regard. It's very frustrating."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Marilyn Cohodas (User Rank: Strategist), 4/8/2014 2:06:33 PM
Re: DNS Amplification
Thanks for checking with Nominum, Brian and also for the link on DNS amplification.
Bprince (User Rank: Ninja), 4/8/2014 1:22:44 PM
DNS Amplification
Hello all. Thanks for the comments. As far as the routers, the DNS data Nominum looked at doesn't tell them anything about a particular brand of routers. Here is a good resource for information on DNS amplification from US-CERT: https://www.us-cert.gov/ncas/alerts/TA13-088A

Brian
scotty21 (User Rank: Apprentice), 4/8/2014 8:55:02 AM
Because home routers are not secured?
Is the article saying that home routers are vulnerable because they are not secured?  What is the vulnerability to mitigate?  Open networks at businesses or schools for that matter would need to be secured.  Good luck with that.  So I have answered my own question I believe.  The author has it right....because these networks will never be secured at the entry level, the DNS must be protected.  Good luck with that also when we give over ICANN.
PBURTON943 (User Rank: Apprentice), 4/7/2014 12:37:41 PM
Re: Which brands?
Good question.  For most, virtually all home users, the router is a "set it and forget it" device.  And exactly how do manufacturers notify their customers to update their firmware?  Facebook post? :)
Marilyn Cohodas (User Rank: Strategist), 4/7/2014 12:32:51 PM
Re: Which brands?
That's a good question, Phil. Are these just older models, or have newer ones also been identified?
philburton (User Rank: Apprentice), 4/4/2014 4:45:13 PM
Which brands?
24 million routers? Which vendors or models? Can someone configure a router to fix this vulnerability?

Phil