Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:00 PM
Dark Reading
Dark Reading
Products and Releases

Sharp rise in DNS-based DDoS last year signals larger, more frequent attacks in 2015

Malware in home gateways topples provider networks & websites; rapid growth of 'smart' devices adds to risk

Redwood City, Calif., February 5, 2015 - Nominum™, the leader in DNS and integrated applications for service providers that drive subscriber value, estimated a 100-fold growth of DNS-based DDoS attacks in 2014, with a clear trend of attacks increasing and intensifying in 2015. Malware in consumer home gateways fueled the rise, and the underlying exploit can be ported to ‘smart’ connected devices, so growth in the “Internet of Things” is expected to accelerate attacks.

Nominum’s Research team saw dramatic escalation in DNS-based DDoS attacks over the last year as shown in the graph below. Last year’s attacks grew exponentially, culminating in a DDoS attack in December 2014 with attack traffic estimated at more than double in size compared to the record-setting 500 gigabit per second attack publicized just a month before. The December surge driven by malware in home gateways allowed attackers to efficiently execute extremely intense attacks, and take down even well protected websites and networks. For example, 100 compromised devices toppled a 1 million subscriber network last year.

In the latest attacks, DDoS malware sent 10s of billions of specially crafted DNS queries to overwhelm ISP DNS resolvers, as well as the DNS servers that websites rely on to “advertise” their presence (called authoritative DNS servers). This flooding makes DNS unavailable, and websites and other Internet resources become unreachable. Traditional defenses deployed by Service Providers like purpose-built DDoS equipment or load balancers are ineffective against these attacks because they are often deployed in the wrong part of the network and lack sufficient automation and accuracy.

Attacks are expected to rise in 2015 for multiple reasons:

·         Little skill is required to launch an attack, and inexpensive services are readily available on the Internet.

·         DNS resolvers are everywhere, making them a vector of choice for DDoS attacks. Service Provider DNS servers are especially attractive to attackers because they’re high performance and always available.

·         Techniques for exploiting consumer devices like home routers have evolved significantly and other smart devices are confirmed to be vulnerable. Exposure is created with more than 100 million home gateways shipping each year, and the Internet of Things forecast to reach 50 billion connected devices in the next five years.

·         In 2014, Nominum Research reported 24 million home routers with open DNS proxies being used for DDoS. Although the numbers have shrunk, they still represent a large pool of devices that can be used for attacks.

“The recent shift to bot-based DNS DDoS dramatically changes the threat landscape and these attacks will likely grow worse as the number of connected devices increases,” said Craig Sprosts, vice president product management at Nominum. “These attacks are continuously changing and increasingly targeting legitimate domains, requiring rapid response and making simple domain or IP-based blocking approaches too risky to deploy in service provider networks.”

Today’s powerful attacks originating from compromised home gateways and other devices render traditional defenses such as anti-DDoS products and load balancers inadequate. Leveraging DNS data from around the world and a dedicated research team, Nominum Global Intelligence Xchange (GIX), tracks DNS threats and updates protections automatically worldwide in near real-time. Precision Policies in Nominum Vantio ThreatAvert protect legitimate DNS queries while discarding malicious ones, giving service providers highly accurate protection to ensure subscribers always reach their favorite websites and services.

Nominum’s Vantio CacheServe DNS powers Vantio ThreatAvert and the N2 suite of integrated applications that provide protection for subscribers and business opportunities for ISPs. Nominum’s N2 Engage protects subscribers from malware and inappropriate content. Once subscriber protection is rolled out, Nominum’s integrated N2 Reach communicates remediation options to each subscriber with highly effective in-browser notifications.

Information about Nominum’s solution, Vantio ThreatAvert, to address DNS-based DDoS attacks can be found at http://info.nominum.com/DNS-DDoS-Attack-Prevention.html


About Nominum

Nominum's N2 Platform is an integrated suite of applications for service providers that leverages the power of DNS to drive subscriber value. Nominum enables service providers to reduce operating costs, protect networks and subscribers from threats, provide innovative services that engage and retain subscribers, and deliver more effective customer care and marketing campaigns with in-browser messaging that reaches every subscriber, and insights that make cross-sell and upsell promotions more relevant.


Nominum is the DNS leader among service providers with deployments at nine of the top 10 service providers and in over 40 countries worldwide. Nominum is a global organization headquartered in Redwood City, California, USA. For more information, visit http://www.nominum.com.



Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
PUBLISHED: 2020-08-03
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449.
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 177839.
PUBLISHED: 2020-08-03
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
PUBLISHED: 2020-08-03
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbi...