
Nominum: 24 Million Home Routers Exposing ISPs to DDoS Attacks

Even Internet service providers that go to great lengths to protect their networks are vulnerable.

Tens of millions of home routers are exposing Internet service provider networks to DNS-based distributed denial-of-service (DDoS) attacks, according to new research from DNS software and security provider Nominum.

According to estimates from the company, more than 24 million home routers on the Internet have open DNS proxies that expose ISPs to DNS-based DDoS attacks. An open DNS proxy in this sense is a router that accepts DNS queries on its Internet-facing interface from any source and relays them to the ISP's resolvers, which then see the query as coming from one of their own customers and answer it. In February alone, more than 5.3 million of these routers were used to generate attack traffic, while in January, more than 70 percent of total DNS traffic on one provider's network was associated with DNS amplification.

In a DNS amplification attack, the attacker sends small DNS queries to publicly accessible open DNS servers (or to open proxies such as these routers, which forward them to the ISP's resolvers) with the source IP address forged to be the victim's. Each query elicits a response many times its own size, and because of the forged source the responses go to the victim rather than the attacker, flooding it with DNS response traffic. The attack needs two things to work: resolvers or proxies that answer anyone, and networks that let packets with forged source addresses out (ingress filtering per BCP 38 closes the second).
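To make the size asymmetry concrete, here is an added example (not code from the article or from Nominum) that builds the kind of query an amplification attacker sends, a constructed resolver reply of the kind that makes a zone an attractive reflector, and the resulting amplification factor. Everything is wire-format DNS assembled by hand; the record contents and sizes are made-up sample data, and nothing touches the network. The IP-layer source spoofing that redirects the reply to the victim is not part of the DNS message and is only described in the comments.

```python
import struct

QTYPE_TXT, QTYPE_ANY, QCLASS_IN, TYPE_OPT = 16, 255, 1, 41


def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels, root terminator."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_udp_size=4096):
    """The small packet an amplification attacker sends.

    It asks for every record type (ANY) and carries an EDNS0 OPT record advertising
    a 4096-byte UDP buffer, so the resolver does not truncate the answer. The attacker
    forges the IP source address as the victim's; that happens below DNS and is not
    shown here.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT pseudo-RR: root name, type 41, class field = UDP payload size, TTL 0, no rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(packet):
    """Decode the 12-byte DNS header into its id, flags of interest and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_section(packet):
    """Raw bytes of the first question (name + type + class); query names are uncompressed."""
    i = 12
    while packet[i] != 0:
        i += packet[i] + 1
    i += 1 + 4
    return packet[12:i]


def build_txt_response(query, txt_strings, ttl=300):
    """Constructed resolver reply: same id and question, one TXT RR per string.

    Stands in for the large ANY answers (DNSSEC-signed zones, long TXT records) that
    attackers pick as reflectors. The OPT record is omitted for brevity.
    """
    hdr = parse_header(query)
    question = question_section(query)
    header = struct.pack("!HHHHHH", hdr["id"], 0x8180, 1, len(txt_strings), 0, 0)  # QR, RD, RA
    answers = b""
    for s in txt_strings:
        data = s.encode("ascii")
        if len(data) > 255:
            raise ValueError("a TXT character-string is limited to 255 bytes")
        rdata = bytes([len(data)]) + data
        # 0xC00C is a compression pointer back to the name in the question at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")                      # 40 bytes on the wire
    r = build_txt_response(q, ["A" * 200] * 10)         # constructed: ten 200-byte TXT records
    print(len(q), len(r), round(amplification_factor(q, r), 1))
```

The 40-byte query versus a reply of a couple of kilobytes is the whole economics of the attack: the attacker needs only a modest upstream link, and the reflector, not the attacker, pays for the bandwidth delivered to the victim.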

"The attacks are difficult to combat because there are still many places in the world where it is possible for attackers to spoof IP addresses," says Bruce van Nice, director of product marketing at Nominum. "Even providers who go to great lengths to protect their networks can be exposed, because not everyone is as diligent as they are. DNS is also a critical and universally used protocol, so network-based filters can be very unworkable due to the complexity they introduce.


"The last problem," he tells us, "is home routers are purchased and managed by consumers. Providers may have no control over them, so it is very difficult to change their configuration to remove problems such as this. The best way to address the problem is to make DNS servers smarter -- equip them with fine-grained capabilities to manage malicious traffic while ensuring legitimate traffic is always permitted."
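One concrete form of the "smarter DNS server" van Nice describes is response rate limiting, the technique BIND ships as its rate-limit option: identical responses to the same client prefix are capped per second, and a fraction of the withheld responses are sent back truncated so that a genuine client retries over TCP (which cannot be spoofed) while a victim receiving unsolicited replies simply ignores them. The following is an added example of that idea, written for this page rather than taken from Nominum or BIND; the fixed one-second window is a simplification of BIND's credit bucket, and the query stream it replays is constructed sample data.

```python
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    """Cap identical responses per (client prefix, qname, qtype), in the style of BIND's RRL."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip            # every slip-th withheld response is sent truncated, not dropped
        self.prefix_len = prefix_len
        self.answered = {}          # key -> (second window, responses sent in that window)
        self.limited = Counter()    # key -> responses withheld so far

    def _key(self, client_ip, qname, qtype):
        # Keying on the /24 rather than the single address defeats an attacker who spreads
        # spoofed sources across the victim's subnet.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype)

    def decide(self, client_ip, qname, qtype, now):
        """Return 'answer', 'drop' or 'truncate' for one query seen at time `now` (seconds)."""
        key = self._key(client_ip, qname, qtype)
        window = int(now)
        win, count = self.answered.get(key, (window, 0))
        if win != window:
            win, count = window, 0          # simplification: fixed one-second windows
        if count < self.rps:
            self.answered[key] = (win, count + 1)
            return "answer"
        self.answered[key] = (win, count)
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            # TC=1 with an empty answer: a spoofed victim ignores it, a real client retries over TCP
            return "truncate"
        return "drop"


def replay(events, limiter):
    """Feed (time, client_ip, qname, qtype) tuples through the limiter; count each decision."""
    return Counter(limiter.decide(ip, name, qtype, t) for t, ip, name, qtype in events)


# Constructed sample: 100 ANY queries for example.com inside one second, all "from" the
# victim 203.0.113.5, plus three legitimate queries, one of them from the victim's own /24.
ATTACK = [(i / 100, "203.0.113.5", "example.com.", "ANY") for i in range(100)]
LEGIT = [(0.10, "198.51.100.7", "www.example.org.", "A"),
         (0.35, "203.0.113.77", "mail.example.net.", "MX"),
         (0.80, "198.51.100.7", "example.com.", "ANY")]
SAMPLE = sorted(ATTACK + LEGIT)


def run_sample():
    return replay(SAMPLE, ResponseRateLimiter(responses_per_second=5, slip=2))


if __name__ == "__main__":
    print(dict(run_sample()))
```

Note what the keying buys: the query from 203.0.113.77 shares the victim's /24 but asks for a different name, so it is still answered, and the same-name query from 198.51.100.7 is answered because it comes from a different prefix. Rate limiting on the resolver protects the reflection victim; it does nothing about the open proxy on the customer's router, which is why the quote above lands on the router as the hard part of the problem.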

DNS has emerged as one of the most popular protocols for launching amplification attacks, but it is not the only one. NTP amplification attacks are common as well: according to a report from Incapsula, now part of Imperva, the number of NTP amplification attacks jumped significantly during January and February. Still, DNS amplification represented nearly 35 percent of the large-scale events (above 20 Gbit/s) covered in 2013 and early 2014.

"DNS attacks are nothing new; it’s one of the most common high-volume approaches, and it’s not surprising that they’re still growing in frequency," says Shawn Marck, chief security officer at Black Lotus. "We’re seeing a rise in DrDoS [distributed reflection denial-of-service] attacks, a strategy that frequently targets DNS daemons, and far too many people don’t recognize the need to protect DNS servers on top of their web servers or other networks.

"DNS servers have a very poor configuration, making them easy targets for spoofed sources resulting in large amplification attacks. ISPs that are dealing with these DNS amplification attacks need to consider the fact that the DNS servers are just a small part of their overall network. To ensure they’re properly protected, they need to invest in security measures that cover their networks as a whole, not just web or DNS servers. This is the only means to keep your data safe against traditional DDoS as well as the DNS and NTP amplification attacks, which we can all agree aren’t going anywhere anytime soon."

Home and small-business routers are a huge vulnerability, according to Tod Beardsley, engineering manager at Rapid7.

"We have published dozens of Metasploit modules that exercise dozens of vulnerabilities that range from traditional buffer overflows to default misconfigurations to vendor-installed back doors, and yet still, today, there is no normal, easy way to get updates for these things," says Beardsley. "Because of this total lack of patching, vulnerabilities of home access points are extremely long lived. Your computers and phones all have some kind of scheduled update service that's at least possible, but the router -- the thing that you're most reliant on for secure and performant web-surfing -- is totally lacking in this regard. It's very frustrating."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Marilyn Cohodas (User Rank: Strategist), 4/8/2014 2:06:33 PM
Re: DNS Amplification
Thanks for checking with Nominum, Brian, and also for the link on DNS amplification.
Bprince (User Rank: Ninja), 4/8/2014 1:22:44 PM
DNS Amplification
Hello all. Thanks for the comments. As far as the routers, the DNS data Nominum looked at doesn't tell them anything about a particular brand of routers. Here is a good resource for information on DNS amplification from US-CERT: https://www.us-cert.gov/ncas/alerts/TA13-088A

Brian
scotty21 (User Rank: Apprentice), 4/8/2014 8:55:02 AM
Because home routers are not secured?
Is the article saying that home routers are vulnerable because they are not secured? What is the vulnerability to mitigate? Open networks at businesses or schools for that matter would need to be secured. Good luck with that. So I have answered my own question, I believe. The author has it right: because these networks will never be secured at the entry level, the DNS must be protected. Good luck with that also when we give over ICANN.
PBURTON943 (User Rank: Apprentice), 4/7/2014 12:37:41 PM
Re: Which brands?
Good question. For most, virtually all, home users, the router is a "set it and forget it" device. And exactly how do manufacturers notify their customers to update their firmware? Facebook post? :)
Marilyn Cohodas (User Rank: Strategist), 4/7/2014 12:32:51 PM
Re: Which brands?
That's a good question, Phil. Are these just older models, or have newer ones also been identified?
philburton (User Rank: Apprentice), 4/4/2014 4:45:13 PM
Which brands?
24 million routers? Which vendors or models? Can someone configure a router to fix this vulnerability?

Phil