Vulnerabilities / Threats
3/28/2013
02:54 PM
Connect Directly
RSS
E-Mail
50%
50%

Spamhaus DDoS Attacks: What Business Should Learn

What should your company take away from this week's attacks? Lock down unsecured DNS repeaters being exploited by attackers and prep DDoS response plans.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Who are you going to call when DDoS attackers come gunning for you?

The distributed denial-of-service (DDoS) campaign aimed at anti-spam group Spamhaus over the past week, allegedly orchestrated by Stophaus.com, set the equivalent of a new land-speed record by reaching attack volumes that peaked at a whopping 300 Gbps.

Regardless of the mechanics of that attack -- or whether it triggered widespread Internet access slowdowns, which it didn't -- the anti-Spamhaus campaign should serve as fair warning that any business can be a target and thus needs to have a DDoS defense plan in place. "Despite the work that has gone into making the Internet extremely resilient, these attacks underscore the fact that there are still some aspects of it that are relatively fragile," said Andrew Storms, director of security operations for nCircle, via email.

Accordingly, every business should work with its service providers to understand how they handle unfolding DDoS attacks. Also, review your organization's dedicated DDoS mitigation services in case stronger measures are required. "Once an attack like this is underway, the countermeasures take place at the service provider level," noted Tim "TK" Keanini, chief research officer at nCircle. "That's why it's critical for every organization to understand their services providers' DDoS practices. You don't want to start asking about these practices when you have 300 Gbps of traffic knocking at your door."

[ Want to learn how Muslim hacktivists' attacks are gaining sophistication? See Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions. ]

Beyond crafting response plans, businesses must also lock down the infrastructure attackers use, experts say. In the case of the anti-Spamhaus campaign, attackers used domain name service (DNS) reflection attacks, which take advantage of "misconfigured DNS servers to amplify the power of a much smaller botnet," said Chester Wisniewski, a senior security adviser at Sophos Canada, in a blog post. According to the Open Resolver Project, 25 million open DNS resolvers hosted by service providers across the Internet currently are insecure or misconfigured, posing "a significant threat."

What can you do if you're a regular user of the Internet? Not much, Wisniewski said. But "don't panic," he said. "Your data is safe. You are simply being denied service or experiencing delays."

The message then for anyone who maintains Internet infrastructure is simple: Lock down your DNS repeaters. "If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network," Wisniewski said. "If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes."

CloudFlare has been publicly calling on businesses to lock down their open DNS resolvers to help stem DDoS amplification attacks, which can easily achieve 100 Gbps of throughput.

As of late 2012, CloudFlare reported seeing a single attack that used more than 68,000 DNS servers, while this week's anti-Spamhaus DDoS attacks used more than 30,000 unique DNS resolvers. "We're lucky they used only 30k DNS resolvers," said Eugene Kaspersky, CEO of Kaspersky Lab, on Twitter.

That's because, thanks to the use of DNS responders, attackers could punch well above their weight. "Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750 Mbps -- which is possible with a small-sized botnet or a handful of AWS [Amazon Web Services] instances," said CloudFlare CEO Matthew Prince in a blog post. "Open DNS resolvers are the scourge of the Internet and these attacks will become more common and large until service providers take serious efforts to close them."

How do DNS amplification attacks work? "The attacks use DNS resolvers that haven't been properly secured in order to 'amplify' the resources of the attacker," according to Prince. "An attacker can achieve more than a 50x amplification, meaning that for every byte they are able to generate themselves they can pummel a victim with 50 bytes of garbage data."

The problem can be mitigated by correctly configuring DNS software such as BIND to restrict how it responds to queries. "Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim's IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses," Prince said.

In February 2013, four months after launching a "name and shame campaign" to drive service providers to deal with the resolver problem, CloudFlare reported a 30% decrease in the number of open resolvers running on providers' networks. But with millions of DNS repeaters still publicly available, don't expect the DNS amplification attacks to abate anytime soon.

Got that DDoS attack response plan ready?

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
riyadzj
50%
50%
riyadzj,
User Rank: Apprentice
3/31/2013 | 8:00:04 AM
re: Spamhaus DDoS Attacks: What Business Should Learn
I agree that each organization should has its own DDoS protection strategy, but i think Service providers should build such strategy as well to protect their customers (Corporates or individuals), and here is the gap. So, why service providers are not working hard enough to stop DDoS attacks? Basically, because there is a business resulted from such attacks. SPs will make more profit by offering protection services against DDoS, so collaborate with others to remediate the root cause will eliminate that kind of profit.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

Best of the Web
Dark Reading Radio