Vulnerabilities / Threats
3/28/2013
02:54 PM

Spamhaus DDoS Attacks: What Business Should Learn

What should your company take away from this week's attacks? Lock down unsecured DNS repeaters being exploited by attackers and prep DDoS response plans.

Who are you going to call when DDoS attackers come gunning for you?

The distributed denial-of-service (DDoS) campaign aimed at anti-spam group Spamhaus over the past week, allegedly orchestrated by Stophaus.com, set the equivalent of a new land-speed record by reaching attack volumes that peaked at a whopping 300 Gbps.

Regardless of the mechanics of that attack -- or whether it triggered widespread Internet access slowdowns, which it didn't -- the anti-Spamhaus campaign should serve as fair warning that any business can be a target and thus needs to have a DDoS defense plan in place. "Despite the work that has gone into making the Internet extremely resilient, these attacks underscore the fact that there are still some aspects of it that are relatively fragile," said Andrew Storms, director of security operations for nCircle, via email.

Accordingly, every business should work with its service providers to understand how they handle unfolding DDoS attacks. Also, review your organization's dedicated DDoS mitigation services in case stronger measures are required. "Once an attack like this is underway, the countermeasures take place at the service provider level," noted Tim "TK" Keanini, chief research officer at nCircle. "That's why it's critical for every organization to understand their service providers' DDoS practices. You don't want to start asking about these practices when you have 300 Gbps of traffic knocking at your door."


Beyond crafting response plans, businesses must also lock down the infrastructure attackers use, experts say. In the case of the anti-Spamhaus campaign, attackers used Domain Name System (DNS) reflection attacks, which take advantage of "misconfigured DNS servers to amplify the power of a much smaller botnet," said Chester Wisniewski, a senior security adviser at Sophos Canada, in a blog post. According to the Open Resolver Project, 25 million open DNS resolvers hosted by service providers across the Internet currently are insecure or misconfigured, posing "a significant threat."

What can you do if you're a regular user of the Internet? Not much, Wisniewski said. But "don't panic," he said. "Your data is safe. You are simply being denied service or experiencing delays."

The message then for anyone who maintains Internet infrastructure is simple: Lock down your DNS repeaters. "If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network," Wisniewski said. "If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes."
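Wisniewski's two checks, whether the resolver is answering recursive queries for networks other than your own and whether query frequency matches expected volumes, can be run against the resolver's own query log. The script below is an added example written for this article, not code from Sophos, CloudFlare or the BIND project. It parses lines in the BIND 9 query-log layout (`client IP#port: query: NAME IN TYPE FLAGS`, where a leading `+` in the flags means recursion was requested) and reports external sources that asked for recursion, clients sending ANY queries (the record type amplification traffic typically requests), and clients whose query count exceeds a threshold. The log lines and the `192.0.2.0/24` "local" prefix are constructed for the demonstration; substitute your own networks and threshold.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log layout. These are made-up
# entries for the demonstration, not records from the article or any server.
SAMPLE_LOG = """\
28-Mar-2013 14:01:02.110 client 192.0.2.15#53211: query: www.example.com IN A + (192.0.2.1)
28-Mar-2013 14:01:02.322 client 192.0.2.40#40012: query: mail.example.com IN MX + (192.0.2.1)
28-Mar-2013 14:01:03.001 client 198.51.100.7#60000: query: isc.org IN ANY +E (192.0.2.1)
28-Mar-2013 14:01:03.002 client 198.51.100.7#60000: query: isc.org IN ANY +E (192.0.2.1)
28-Mar-2013 14:01:03.003 client 198.51.100.7#60000: query: isc.org IN ANY +E (192.0.2.1)
28-Mar-2013 14:01:03.004 client 198.51.100.7#60000: query: ripe.net IN ANY +E (192.0.2.1)
28-Mar-2013 14:01:04.500 client 203.0.113.9#33333: query: example.org IN TXT + (192.0.2.1)
"""

# client <ip>#<port>: query: <name> IN <type> <flags>
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Yield (source_ip, qname, qtype, recursion_desired) per parsable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        yield (
            ipaddress.ip_address(m.group("ip")),
            m.group("name"),
            m.group("qtype"),
            m.group("flags").startswith("+"),  # '+' = recursion desired
        )


def audit_resolver(text, local_nets, max_queries_per_client=3):
    """Summarise who is asking this resolver for what.

    local_nets: prefixes this resolver is meant to serve (assumption: the
    operator knows them). Recursive queries from anywhere else indicate the
    resolver is reachable as an open resolver; high per-client counts and
    ANY queries are the volume and query-type checks the article describes.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    external_recursive = Counter()
    any_by_client = Counter()
    per_client = Counter()
    for ip, _name, qtype, rd in parse_query_log(text):
        client = str(ip)
        per_client[client] += 1
        if rd and not any(ip in n for n in nets):
            external_recursive[client] += 1
        if qtype == "ANY":
            any_by_client[client] += 1
    noisy = {c: n for c, n in per_client.items() if n > max_queries_per_client}
    return {
        "open_to_outside": bool(external_recursive),
        "external_recursive_clients": dict(external_recursive),
        "any_queries_by_client": dict(any_by_client),
        "over_threshold": noisy,
    }


if __name__ == "__main__":
    for key, value in audit_resolver(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(f"{key}: {value}")
```

The query log only shows what the server was asked; whether those external queries were actually answered is decided by the server's `allow-recursion` and `allow-query-cache` settings, so treat a non-empty `external_recursive_clients` list as a prompt to check the configuration rather than as proof the resolver is open.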

CloudFlare has been publicly calling on businesses to lock down their open DNS resolvers to help stem DDoS amplification attacks, which can easily achieve 100 Gbps of throughput.

As of late 2012, CloudFlare reported seeing a single attack that used more than 68,000 DNS servers, while this week's anti-Spamhaus DDoS attacks used more than 30,000 unique DNS resolvers. "We're lucky they used only 30k DNS resolvers," said Eugene Kaspersky, CEO of Kaspersky Lab, on Twitter.

That's because, thanks to the use of DNS responders, attackers could punch well above their weight. "Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750 Mbps -- which is possible with a small-sized botnet or a handful of AWS [Amazon Web Services] instances," said CloudFlare CEO Matthew Prince in a blog post. "Open DNS resolvers are the scourge of the Internet and these attacks will become more common and large until service providers take serious efforts to close them."

How do DNS amplification attacks work? "The attacks use DNS resolvers that haven't been properly secured in order to 'amplify' the resources of the attacker," according to Prince. "An attacker can achieve more than a 50x amplification, meaning that for every byte they are able to generate themselves they can pummel a victim with 50 bytes of garbage data."

The problem can be mitigated by correctly configuring DNS software such as BIND to restrict how it responds to queries. "Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim's IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses," Prince said.
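The BIND configuration Prince alludes to, shown here as an added example rather than text from the article or the BIND project, comes down to two settings: which networks may trigger recursion and cache lookups, and how many responses the server will send to one client per second. The first stanza is the open-resolver shape that amplification attacks rely on; the second is the restricted recursive resolver Wisniewski recommends; the third is for a server that is authoritative only and should never recurse. The `192.0.2.0/24` and `2001:db8::/32` prefixes are placeholders for your own networks, and each `options` block belongs in its own `named.conf` (a file may contain only one).

```conf
// 1. Open resolver (the shape attackers reflect off): any source address,
//    including a spoofed victim address, gets a full recursive answer.
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// 2. Recursive resolver limited to your own networks.
acl "trusted" {
    127.0.0.0/8;
    192.0.2.0/24;      // placeholder: replace with your IPv4 prefixes
    2001:db8::/32;     // placeholder: replace with your IPv6 prefixes
};

options {
    recursion yes;
    allow-query       { trusted; };   // who may ask at all
    allow-recursion   { trusted; };   // who may trigger recursion
    allow-query-cache { trusted; };   // who may read cached answers
    minimal-responses yes;            // smaller replies, less amplification
    // Response Rate Limiting (BIND 9.9.4 and later, or 9.10): cap identical
    // responses sent to one client per second.
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};

// 3. Authoritative-only server: must answer for its zones from anywhere,
//    but never recurses, and rate-limits repeated responses.
options {
    recursion no;
    allow-query     { any; };
    allow-recursion { none; };
    rate-limit {
        responses-per-second 5;
    };
};
```

After changing the configuration, run `named-checkconf` and then test from an address outside the trusted ACL: a restricted resolver should return REFUSED rather than an answer for a name it is not authoritative for. These settings stop your server from being an amplifier; they do not stop the spoofed packets themselves, which is the job of source-address filtering (BCP 38) at the network edge.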

In February 2013, four months after launching a "name and shame campaign" to drive service providers to deal with the resolver problem, CloudFlare reported a 30% decrease in the number of open resolvers running on providers' networks. But with millions of DNS repeaters still publicly available, don't expect the DNS amplification attacks to abate anytime soon.

Got that DDoS attack response plan ready?

Comments
riyadzj
User Rank: Apprentice
3/31/2013 | 8:00:04 AM
re: Spamhaus DDoS Attacks: What Business Should Learn
I agree that each organization should have its own DDoS protection strategy, but I think service providers should build such a strategy as well to protect their customers (corporates or individuals), and here is the gap. So, why are service providers not working hard enough to stop DDoS attacks? Basically, because there is a business resulting from such attacks. SPs will make more profit by offering protection services against DDoS, so collaborating with others to remediate the root cause will eliminate that kind of profit.