Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/28/2013
02:54 PM
50%
50%

Spamhaus DDoS Attacks: What Business Should Learn

What should your company take away from this week's attacks? Lock down unsecured DNS repeaters being exploited by attackers and prep DDoS response plans.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Who are you going to call when DDoS attackers come gunning for you?

The distributed denial-of-service (DDoS) campaign aimed at anti-spam group Spamhaus over the past week, allegedly orchestrated by Stophaus.com, set the equivalent of a new land-speed record by reaching attack volumes that peaked at a whopping 300 Gbps.

Regardless of the mechanics of that attack -- or whether it triggered widespread Internet access slowdowns, which it didn't -- the anti-Spamhaus campaign should serve as fair warning that any business can be a target and thus needs to have a DDoS defense plan in place. "Despite the work that has gone into making the Internet extremely resilient, these attacks underscore the fact that there are still some aspects of it that are relatively fragile," said Andrew Storms, director of security operations for nCircle, via email.

Accordingly, every business should work with its service providers to understand how they handle unfolding DDoS attacks. Also, review your organization's dedicated DDoS mitigation services in case stronger measures are required. "Once an attack like this is underway, the countermeasures take place at the service provider level," noted Tim "TK" Keanini, chief research officer at nCircle. "That's why it's critical for every organization to understand their services providers' DDoS practices. You don't want to start asking about these practices when you have 300 Gbps of traffic knocking at your door."

[ Want to learn how Muslim hacktivists' attacks are gaining sophistication? See Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions. ]

Beyond crafting response plans, businesses must also lock down the infrastructure attackers use, experts say. In the case of the anti-Spamhaus campaign, attackers used domain name service (DNS) reflection attacks, which take advantage of "misconfigured DNS servers to amplify the power of a much smaller botnet," said Chester Wisniewski, a senior security adviser at Sophos Canada, in a blog post. According to the Open Resolver Project, 25 million open DNS resolvers hosted by service providers across the Internet currently are insecure or misconfigured, posing "a significant threat."

What can you do if you're a regular user of the Internet? Not much, Wisniewski said. But "don't panic," he said. "Your data is safe. You are simply being denied service or experiencing delays."

The message then for anyone who maintains Internet infrastructure is simple: Lock down your DNS repeaters. "If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network," Wisniewski said. "If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes."

CloudFlare has been publicly calling on businesses to lock down their open DNS resolvers to help stem DDoS amplification attacks, which can easily achieve 100 Gbps of throughput.

As of late 2012, CloudFlare reported seeing a single attack that used more than 68,000 DNS servers, while this week's anti-Spamhaus DDoS attacks used more than 30,000 unique DNS resolvers. "We're lucky they used only 30k DNS resolvers," said Eugene Kaspersky, CEO of Kaspersky Lab, on Twitter.

That's because, thanks to the use of DNS responders, attackers could punch well above their weight. "Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750 Mbps -- which is possible with a small-sized botnet or a handful of AWS [Amazon Web Services] instances," said CloudFlare CEO Matthew Prince in a blog post. "Open DNS resolvers are the scourge of the Internet and these attacks will become more common and large until service providers take serious efforts to close them."

How do DNS amplification attacks work? "The attacks use DNS resolvers that haven't been properly secured in order to 'amplify' the resources of the attacker," according to Prince. "An attacker can achieve more than a 50x amplification, meaning that for every byte they are able to generate themselves they can pummel a victim with 50 bytes of garbage data."

The problem can be mitigated by correctly configuring DNS software such as BIND to restrict how it responds to queries. "Since DNS requests typically are sent over UDP, which, unlike TCP, does not require a handshake, an attacker can spoof a victim's IP address as the source address in a packet and a misconfigured DNS resolver will happily bombard the victim with responses," Prince said.

In February 2013, four months after launching a "name and shame campaign" to drive service providers to deal with the resolver problem, CloudFlare reported a 30% decrease in the number of open resolvers running on providers' networks. But with millions of DNS repeaters still publicly available, don't expect the DNS amplification attacks to abate anytime soon.

Got that DDoS attack response plan ready?

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
riyadzj
50%
50%
riyadzj,
User Rank: Apprentice
3/31/2013 | 8:00:04 AM
re: Spamhaus DDoS Attacks: What Business Should Learn
I agree that each organization should has its own DDoS protection strategy, but i think Service providers should build such strategy as well to protect their customers (Corporates or individuals), and here is the gap. So, why service providers are not working hard enough to stop DDoS attacks? Basically, because there is a business resulted from such attacks. SPs will make more profit by offering protection services against DDoS, so collaborate with others to remediate the root cause will eliminate that kind of profit.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27020
PUBLISHED: 2021-05-14
Password generator feature in Kaspersky Password Manager was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation).
CVE-2021-30183
PUBLISHED: 2021-05-14
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext.
CVE-2021-31922
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
CVE-2021-32051
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
CVE-2021-32615
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.