Nominum: 24 Million Home Routers Exposing ISPs to DDoS Attacks

Even Internet service providers that go to great lengths to protect their networks are vulnerable.

Brian Prince, Contributing Writer, Dark Reading

April 4, 2014

3 Min Read
(Image: Cyber Inz)

Tens of millions of home routers are exposing Internet service provider networks to DNS-based distributed denial-of-service (DDoS) attacks, according to new research from DNS software and security provider Nominum.

According to estimates from the company, more than 24 million home routers on the Internet have open DNS proxies that expose ISPs to DNS-based DDoS attacks. In February alone, more than 5.3 million of these routers were used to generate attack traffic, while in January, more than 70 percent of total DNS traffic on one provider's network was associated with DNS amplification.

In a DNS amplification attack, publically accessible open DNS servers are used to flood a system with DNS response traffic.

"The attacks are difficult to combat because there are still many places in the world where it is possible for attackers to spoof IP addresses," says Bruce van Nice, director of product marketing at Nominum. "Even providers who go to great lengths to protect their networks can be exposed, because not everyone is as diligent as they are. DNS is also a critical and universally used protocol, so network-based filters can be very unworkable due to the complexity they introduce.

"The last problem," he tells us, "is home routers are purchased and managed by consumers. Providers may have no control over them, so it is very difficult to change their configuration to remove problems such as this. The best way to address the problem is to make DNS servers smarter -- equip them with fine-grained capabilities to manage malicious traffic while ensuring legitimate traffic is always permitted."

DNS has emerged as one of the most popular protocols for launching amplification attacks, but it is not the only one. NTP amplification attacks are common as well. According to a report from Incapsula, now part of Imperva, the number of NTP amplification attacks jumped significantly during January and February. Still, DNS amplification represented nearly 35 percent of the large-scale events (+20 Gbit/s) covered in 2013 and early 2014.

"DNS attacks are nothing new; it’s one of the most common high-volume approaches, and it’s not surprising that they’re still growing in frequency," says Shawn Marck, chief security officer at Black Lotus. "We’re seeing a rise in DrDoS [distributed reflection denial-of-service] attacks, a strategy that frequently targets DNS daemons, and far too many people don’t recognize the need to protect DNS servers on top of their web servers or other networks.

"DNS servers have a very poor configuration, making them easy targets for spoofed sources resulting in large amplification attacks. ISPs that are dealing with these DNS amplification attacks need to consider the fact that the DNS servers are just a small part of their overall network. To ensure they’re properly protected, they need to invest in security measures that cover their networks as a whole, not just web or DNS servers. This is the only means to keep your data safe against traditional DDoS as well as the DNS and NTP amplification attacks, which we can all agree aren’t going anywhere anytime soon."

Home and small-business routers are a huge vulnerability, according to Tod Beardsley, engineering manager at Rapid7.

"We have published dozens of Metasploit modules that exercise dozens of vulnerabilities that range from traditional buffer overflows to default misconfigurations to vendor-installed back doors, and yet still, today, there is no normal, easy way to get updates for these things," says Beardsley. "Because of this total lack of patching, vulnerabilities of home access points are extremely long lived. Your computers and phones all have some kind of scheduled update service that's at least possible, but the router -- the thing that you're most reliant on for secure and performant web-surfing -- is totally lacking in this regard. It's very frustrating."

About the Author(s)

Brian Prince

Contributing Writer, Dark Reading

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a news reporter for the Asbury Park Press, and reported on everything from environmental issues to politics. He has a B.A. in journalism from American University.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights