Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/28/2013
02:54 PM
50%
50%

Spamhaus DDoS Attacks: What Business Should Learn

What should your company take away from this week's attacks? Lock down unsecured DNS repeaters being exploited by attackers and prep DDoS response plans.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Who are you going to call when DDoS attackers come gunning for you?

The distributed denial-of-service (DDoS) campaign aimed at anti-spam group Spamhaus over the past week, allegedly orchestrated by Stophaus.com, set the equivalent of a new land-speed record by reaching attack volumes that peaked at a whopping 300 Gbps.

Regardless of the mechanics of that attack -- or whether it triggered widespread Internet access slowdowns, which it didn't -- the anti-Spamhaus campaign should serve as fair warning that any business can be a target and thus needs to have a DDoS defense plan in place. "Despite the work that has gone into making the Internet extremely resilient, these attacks underscore the fact that there are still some aspects of it that are relatively fragile," said Andrew Storms, director of security operations for nCircle, via email.

Accordingly, every business should work with its service providers to understand how they handle unfolding DDoS attacks. Also, review your organization's dedicated DDoS mitigation services in case stronger measures are required. "Once an attack like this is underway, the countermeasures take place at the service provider level," noted Tim "TK" Keanini, chief research officer at nCircle. "That's why it's critical for every organization to understand their services providers' DDoS practices. You don't want to start asking about these practices when you have 300 Gbps of traffic knocking at your door."

[ Want to learn how Muslim hacktivists' attacks are gaining sophistication? See Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions. ]

Beyond crafting response plans, businesses must also lock down the infrastructure attackers use, experts say. In the case of the anti-Spamhaus campaign, attackers used domain name service (DNS) reflection attacks, which take advantage of "misconfigured DNS servers to amplify the power of a much smaller botnet," said Chester Wisniewski, a senior security adviser at Sophos Canada, in a blog post. According to the Open Resolver Project, 25 million open DNS resolvers hosted by service providers across the Internet currently are insecure or misconfigured, posing "a significant threat."

What can you do if you're a regular user of the Internet? Not much, Wisniewski said. But "don't panic," he said. "Your data is safe. You are simply being denied service or experiencing delays."

The message then for anyone who maintains Internet infrastructure is simple: Lock down your DNS repeaters. "If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network," Wisniewski said. "If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes."

CloudFlare has been publicly calling on businesses to lock down their open DNS resolvers to help stem DDoS amplification attacks, which can easily achieve 100 Gbps of throughput.

As of late 2012, CloudFlare reported seeing a single attack that used more than 68,000 DNS servers, while this week's anti-Spamhaus DDoS attacks used more than 30,000 unique DNS resolvers. "We're lucky they used only 30k DNS resolvers," said Eugene Kaspersky, CEO of Kaspersky Lab, on Twitter.

That's because, thanks to the use of DNS responders, attackers could punch well above their weight. "Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750 Mbps -- which is possible with a small-sized botnet or a handful of AWS [Amazon Web Services] instances," said CloudFlare CEO Matthew Prince in a blog post. "Open DNS resolvers are the scourge of the Internet and these attacks will become more common and large until service providers take serious efforts to close them."

How do DNS amplification attacks work? "The attacks use DNS resolvers that haven't been properly secured in order to 'amplify' the resources of the attacker," according to Prince. "An attacker can achieve more than a 50x amplification, meaning that for every byte they are able to generate themselves they can pummel a victim with 50 bytes of garbage data."

The problem can be mitigated by correctly configuring DNS software such as BIND to restrict how it responds to queries. "Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim's IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses," Prince said.

In February 2013, four months after launching a "name and shame campaign" to drive service providers to deal with the resolver problem, CloudFlare reported a 30% decrease in the number of open resolvers running on providers' networks. But with millions of DNS repeaters still publicly available, don't expect the DNS amplification attacks to abate anytime soon.

Got that DDoS attack response plan ready?

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
riyadzj
50%
50%
riyadzj,
User Rank: Apprentice
3/31/2013 | 8:00:04 AM
re: Spamhaus DDoS Attacks: What Business Should Learn
I agree that each organization should has its own DDoS protection strategy, but i think Service providers should build such strategy as well to protect their customers (Corporates or individuals), and here is the gap. So, why service providers are not working hard enough to stop DDoS attacks? Basically, because there is a business resulted from such attacks. SPs will make more profit by offering protection services against DDoS, so collaborate with others to remediate the root cause will eliminate that kind of profit.
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.