The Emergence of DDoS-as-a-Service

As if the current frequency of DDoS attacks is not enough, we’re now confronted with an emergence of "legitimized" attacks: DDoS-as-a-service (DDoSAAS).

Service? In recent articles, respected security blogger Brian Krebs exposes the advent of DDoS legitimization and interviews players in this questionable industry. What Brian learned is that these services are really straightforward: A DDoS service operator launches an attack of your choice against your target, for however long you specify.

For the ultimate in convenience, the operators often accept PayPal. Are such services widely in use? Brian’s investigations revealed that one operator alone appears accountable for over 10,000 attacks in a single week. Are they legal? The operators of the service, and their attorneys, claim that they are, or claim that they aren’t responsible for how their customers use the services they offer. For the moment, legal or not, we all must contend with DDoSAAS.

Open recursion is a key attack component
Analysis by security experts suggests that DDoS amplification (reflection) is the attack method of choice for many DDoSAAS operators. This form of DDoS attack relies on DNS resolvers that accept DNS queries from any source (recursion is thus open to all hosts). The attacks also originate from spoofed IP addresses (which you could mitigate at your datacenter firewalls by filtering source addresses if your ISP has not implemented BCP 38).

If these characteristics sound familiar, it’s because the numbers of open resolvers and networks that forward traffic from spoofed sources remains unacceptably high. The Open Resolver Project recently identified over 27 million resolvers that appear open. The daily surveys at the Measurement Factory suggest that the number is growing.

Mitigate open recursion to reduce attack infrastructure
DDoS attackers, legit or not, need infrastructure to launch attacks. We can make legitimized DDoS service less attractive if we raise the cost of doing business. This begins by taking away the open resolver infrastructure that they exploit at no cost. Mitigating open recursion, however, is inherently a community initiative: it’s not about your networks or datacenter being a target but about your recursive resolvers being enablers. The irony of legitimizing DDoS service, however, is that it shifts every organization’s motivation to reduce open recursion from selfless act to preventative measure.

Begin by referring to a public resources or explanations of how to test whether or not your resolvers are open recursive. Thinkbroadband, Measurement Factory, and VerisignLabs provide online checking tools. Measurement Factory also explains how you can do checks using command line commands dig (Linux, BSD) or nslookup (DOS).

The basis for many techniques for mitigating the threat that open recursion poses is published as an IETF Best Common Practice (BCP 140). The recommendations essentially advise that you implement access controls (ACLs) to provide name resolution only to clients you intend to serve. To disallow open recursion or to limit recursion, look at recommended configurations specific to your name server software.

As an example, Internet Systems Consortium, Inc. (ISC), the folks who develop and maintain the BIND DNS software run on many recursive resolvers discourage open recursion without an accompanying implementation of abuse mitigation or countermeasures. Consult the default configuration for BIND 9.4.1 and beyond: these versions only allow recursion for local hosts and networks. ISC recommends that you “create ACLs that match hosts that should be allowed access to cache and recursion on the servers.” You may want to consult Team Cymru’s Secure BIND Template as well.

Similar configuration resources exist for Windows Server 2003 and 2008/2012 and for Unbound as well. Other sources you may find useful are Sysadmins of the North and Cisco Systems’ DNS Best-Practices page.

Let me leave you with this final point: So-called legitimized services raise the DDoS threat level. However, on the positive side, they also help lend credence to the notion that information security is as much about corporate health or wellness as it is self-defense.