Misconfigured, Open DNS Servers Used In Record-Breaking DDoS Attack

Biggest-ever distributed denial-of-service attack originally aimed at Spamhaus escalates and hits other corners of the Net

This was not your typical hacktivist DDoS attack: a massive, 300 gigabits-per-second traffic attack against volunteer spam filtering organization Spamhaus spread yesterday to multiple Internet exchanges and ultimately slowed traffic for users mainly in Europe.

Security experts say the attacks appear to be in retaliation for Spamhaus recently blacklisting CyberBunker--a notorious hosting provider based in The Netherlands that provides anonymous hosting--as a spam conduit. The attack, which as of this posting had subsided, at its peak today hit 300 Gbps, a massive leap from the previous record 100 Gbps-sized DDoS attacks seen only occasionally. While CyberBunker itself has not claimed responsibility for the attacks, a self-proclaimed Internet activist told the The New York Times today that CyberBunker executed the attacks against Spamhaus in protest of its overstepping by blacklisting the hosting service.

What is clear is that the attackers abused improperly configured or default-state DNS servers, also known as open DNS resolvers, in the attacks and this was not a standard botnet-borne attack. This allowed for a bigger bandwidth attack with fewer machines since DNS servers are large and run on high-speed Internet connections—a recipe that led to the record-breaking DDoS level. Security experts estimate that there are around 21 million of these servers running on the Net.

"It appears that virtually all the attack traffic was generated from DNS amplification. The attack traffic was sent from open DNS resolvers," says Matthew Prince, co-founder & CEO of CloudFlare, the service hired by Spamhaus to deflect the attacks, which began around March 18 and temporarily knocked Spamhaus offline. "We don't have good insight on what generated the requests to the DNS servers themselves. It could potentially have been bots, but it's more likely a small handful--maybe as few as a dozen--servers running on networks that allow source IP address spoofing."

Once CloudFlare began distributing the load of the attack across its data centers as part of its DDoS mitigation service, the attackers turned their sights on CloudFlare and targeted bandwidth providers used by the service, and ultimately, several regional Internet Exchanges CloudFlare connects to in Europe.

While not the first-ever commandeering of open DNS resolver servers, the size and scope of the attack has set a precedent for further abuse of these systems and even bigger, more damaging DDoS attacks, security experts say.

"It's not an Armageddon situation, but it is a new precedent," says Dan Holden, director of security research for Arbor Networks. "[DDoS] is continuing to mature. Even though we thought we knew what DDoS looked like, it continued to grow and expand" and copycats are likely, he says.

But security expert Dan Kaminsky says the bottom line here is that there are three problems that allow for this type of nefarious activity on the Internet: "We can't authenticate, we can't write secure code, and we can't bust the bad guys," he says.

"There are people in this world who think they have the God-given right to sell you Viagra, and anyone who gets in their way must be punished. But there are others of us who respectfully disagree," Kaminsky says.

Kaminsky concurs that this exceptionally big DDoS is no end-of-the Internet world moment, he says. "It's a DDoS attack, and a particularly large DDoS attack. What's unique is that we know who did it and they bragged louder than normal," he says. "We have a problem where apparently it's okay to just disrupt Internet access for a large number of people because somebody did something to you that you didn't like. I have a saying: 'if you can't do the time, do cybercrime.'"

Whether the bragging rights to the DDoS and the collateral damage and fallout across the Net will actually serve as a tipping point for law enforcement to take action against the alleged perpetrators is unclear. Kaminsky is skeptical that it will result in any big busts or legal action. "What's interesting here is we know exactly who did it and they're going to get away with it again. So they went over DNS. So what? This guy is bragging about it and we know who he is and he's going to get away with it, and there's something wrong with that," he says.

Law enforcement agencies reportedly are investigating the attacks—five national cyber police forces, according to the BBC. Neither Spamhaus nor CyberBunker had responded to press inquiries as of this posting.

[More than 80 percent of attacks against U.S. organizations come from U.S.-based IP addresses. See DDoS, Malware Attacks Cost Victims Thousands Of Dollars A Day.]

But the high-profile nature of the attack could help address the problem of weak DNS servers getting abused. "The 'good' news is because of the size of the attack and given the visibility it's going to receive, it should shed some light on the problem of DNS resolvers existing in the first place," Arbor's Holden says.

Properly configured DNS servers only accept traffic from their own IP space or in the case of ISPs, from their customers, Holden notes, whereas "open" DNS resolvers can take requests from anyone on the Internet. This makes it possible to send these servers DNS queries from a spoofed address, he says.

The attackers basically sent traffic purportedly from Spamhaus, so when the weak DNS servers returned their DNS resolver responses, they all bombarded Spamhaus.

Even so, it was a relatively benign attack given the potential damage this type of attack could potentially wreak, according to CloudFlare's Prince. "I do expect that this record for the largest attack won't be held long. The attack itself only used a fraction of the 21.7 million open resolvers running online. If someone were to launch an attack using more of them, it could dwarf this in size. And that may, literally, break the Internet," he says.

The attackers not only went after CloudFlare's direct peers, but the exchanges it connect with –the London Internet Exchange, the Amsterdam Internet Exchange, the Frankfurt Internet Exchange, and the Hong Kong Internet Exchange. The London Exchange was the hardest hit, according to CloudFlare.

"Once the attackers realized they couldn't knock CloudFlare itself offline even with more than 100Gbps of DDoS traffic, they went after our direct peers. In this case, they attacked the providers from whom CloudFlare buys bandwidth. We, primarily, contract with what are known as Tier 2 providers for CloudFlare's paid bandwidth. These companies peer with other providers and also buy bandwidth from so-called Tier 1 providers," Prince wrote in a blog post today. "Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights