Director of Security Strategy
Most people are familiar with common tactics hackers use to target their prey – sending malicious links or attachments that necessitate the victim to click or download something, thus installing malware or Trojans on the targeted computer and gaining a foothold into the victim’s network.
However, attacks that happen on the backend are much more mysterious. Online criminals have long attacked computers connected to the Internet by overwhelming their targets with more traffic than their infrastructure can possibly handle, often by leveraging the asymmetric power of a botnet. The scale of these bandwidth-hogging attacks has continued to grow over the years, and the techniques used to launch them keep evolving. Yet many IT professionals still overlook this class of attack and aren’t sure how to prevent it.
Defining DDoS Attacks
Attacks that overwhelm network services with huge amounts of traffic are known as distributed denial of service (DDoS) attacks, and cyber criminals often use them to bring down websites, network services, and company networks.
DDoS attacks are distinctly different from their namesake – the denial of service (DoS) attack. Generally, a DoS attack is one that is designed to disrupt a computer, program, or network service. A “Plain Jane” DoS attack relies on some sort of underlying technical weakness or vulnerability in the system being attacked. For instance, perhaps a particular brand of file server doesn’t handle certain malformed network requests properly. If an attacker sends such a request to the server, it crashes and visitors can’t download their files. They are denied service.
From an attacker’s perspective, DoS attacks are easy to exploit. The bad guy just needs to know the right network traffic to send, or sequence of events to trigger. DoS attacks don’t take a lot of resources or overwhelming force to achieve. However, they also have an Achilles heel: IT pros can easily defend against them. Since DoS attacks depend on some sort of specific software weakness, once the weakness is fixed, attackers are out of luck. Furthermore, security vendors can create signatures that identify the specific traffic used to trigger DoS flaws, and easily block any attacker who sends that traffic.
DDoS attacks, on the other hand, are much harder to defend against. Unlike DoS attacks, a DDoS attack does not rely on any underlying vulnerability or weakness in the system being attacked. Rather, it relies on overwhelming force. The concept is simple. Network servers—even the huge, load-balanced, clustered ones running at big organizations—can only handle a finite amount of network traffic. If more network traffic is generated than a server can handle, and that traffic appears to be from many different sources across different geographies, the server can be overwhelmed. Attackers don’t even have to use specially crafted traffic; legitimate traffic is better, since the victim won’t be able to tell the attack apart from normal customer requests. The server is overwhelmed by pure brute force, and since the attack seems to come from hundreds or even thousands of sources, it’s extremely difficult to block or stop.
How Can DDoS Attackers Generate That Much Traffic?
The concept behind DDoS attacks is simple. However, the challenge lies in how to trigger huge deluges of legitimate network traffic from many sources. A single computer alone can’t generate anywhere near the amount of bandwidth necessary to take out even an average network server, and traffic from a single source is easily blocked. So how do attackers get the power necessary to generate a ton of network traffic from distributed sources? Essentially, there are two ways this can be accomplished:
- Botnets – Botnets are networks of compromised victim computers. By using basic infection tactics (like those at the beginning of this article), attackers infect thousands, and in some cases millions, of victim computers. Once in their control, the attacker can harness the power of all these computers for their DDoS attack. It can take some time to harvest enough victims to perform a big DDoS attack, but experts have seen botnet-based DDoS attacks grow in scope, some generating 20 to 70 Gbps of attack traffic.
- Amplification attacks – Really, attackers only need two things to generate a large amount of network traffic that seems to come from multiple hosts: the ability to spoof traffic (make it appear to come from someone else) and access to a mechanism or service that returns a large reply to a small request. If they can find those two things, they can turn a meager amount of spoofed traffic into a huge amount of replies destined for their intended victim. This is called an amplification attack.
Open DNS: The Key to DDoS Amplification
The recent DDoS attack against a company called Spamhaus, a European-based spam-prevention service, brought the issue of DDoS amplification into the network security limelight. In this particular instance, attackers employed what’s known as a DNS amplification attack to generate huge amounts of malicious traffic against Spamhaus—more network traffic than the organization was equipped to handle. In fact, by taking advantage of the nature of DNS, the Spamhaus attack set a new record, peaking at 300 gigabits per second, or roughly six times larger than the DDoS attacks Wells Fargo & Co. experienced on March 23.
The domain name system (DNS) is basically the phone book of the Internet. When you visit a web site by its domain name, your computer quietly uses DNS to look up the real Internet address associated with that name. Remember how amplification attacks require two things: the ability to spoof and really big replies? The DNS protocol provides both those things.
DNS uses something called the UDP protocol for its communication. UDP is a connectionless protocol: a computer doesn’t have to verify the source of a communication before accepting and responding to it. That means attackers can easily spoof DNS requests, making them appear to come from someone else. DNS servers also can send some pretty big replies. There are situations where small requests (maybe 60Kb) can be sent that result in quite large replies (4000Kb or more). Combined, these two properties let attackers send small requests that generate big replies back to their spoofed victim.
In the Spamhaus case, attackers likely leveraged both a botnet and DNS amplification to break the DDoS record. An attack computer sent hundreds of small, spoofed DNS requests to various open DNS servers on the Internet, requests that appeared to come from Spamhaus’ network. The DNS servers amplified those requests tenfold by sending much larger replies back to Spamhaus. The attackers further magnified this attack by making all the computers in a botnet do the same thing. When the raw power of a big bot network and the magnification of DNS amplification are combined, the result is far too much network traffic.
The keys to this equation are the open DNS servers on the Internet, also called open DNS resolvers. Although DNS is like the phonebook of the Internet, it’s a phonebook that organizations should mostly keep to themselves. At a high level, there are essentially two types of DNS services a business might have:
- Recursive DNS server – A recursive DNS server is intended to supply domain lookups to all your employees. It should be able to reply to queries about all sites on the Internet, but it should only reply to clients inside your organization, identified by their source address.
- Authoritative DNS server – An authoritative DNS server is essentially one that tells the rest of the world about your company or organization’s domain. However, the authoritative DNS server should only respond to queries about your company’s domain, not about all domains on the Internet.
A DNS server that openly replies to anyone’s request about any site on the Internet is an open DNS resolver. In DNS amplification attacks, like the one Spamhaus experienced, the attackers take advantage of these open recursive DNS servers to provide their attack magnification. While businesses do need recursive DNS servers for their employees, they should not open these servers to requests from anyone on the Internet, as this leaves the network susceptible to large-scale DDoS attacks.
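The two properties described above, a small spoofable request and a large reply plus recursion offered to anyone, can be measured from the wire. The following added example (not code from the original article or from WatchGuard) encodes a minimal DNS query, decodes the response header, computes the amplification ratio and flags the open-resolver condition. The reply is a constructed sample built in the script, not real resolver output, and the `client_is_internal` parameter is an assumption standing in for the source-address check a real resolver's ACL would perform.

```python
import struct

def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header (RD set) plus one question."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed DNS header; RA (recursion available) is the bit that matters here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def constructed_response(query: bytes, n_records: int) -> bytes:
    """Constructed sample reply (not captured traffic): echoes the question and appends
    n_records fake A records that reference the question name via a compression pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_records, 0, 0)  # QR, RD, RA set
    question = query[12:]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * n_records

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the (possibly spoofed) source per byte the querier had to send."""
    return len(response) / len(query)

def is_open_resolver_reply(response: bytes, client_is_internal: bool) -> bool:
    """True when a resolver hands a successful recursive answer (RA set, NOERROR) to a
    client outside the networks it is meant to serve: the open-resolver condition."""
    h = parse_dns_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and not client_is_internal

if __name__ == "__main__":
    q = build_dns_query("example.com")
    r = constructed_response(q, 20)
    print(f"query {len(q)} B, reply {len(r)} B, amplification x{amplification_factor(q, r):.1f}")
    print("open resolver condition:", is_open_resolver_reply(r, client_is_internal=False))
```

A correctly restricted recursive server answers external clients with REFUSED (rcode 5) or not at all, so `is_open_resolver_reply` stays False for them.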
There are rumors that a DDoS attack, if significant enough, could potentially bring down the Internet itself. So far, evidence shows that these attacks have only caused online traffic jams, rather than a full-fledged virtual meltdown. Internet traffic passing through an area impacted by a DDoS attack can back up and clog the network, just as a traffic jam would do on a freeway. For the health of the Internet, it is important for businesses to understand these DDoS attacks and how to prevent them.
DDoS Protection is a Community Effort
As scary and complex as these huge DDoS attacks might sound, it isn’t too difficult to prevent cyber attackers from misusing DNS servers. There are two things that can prevent DNS amplification attacks; the only problem is that the entire Internet community must do them together for them to succeed.
The first step is to close unnecessary open DNS resolvers. According to the Open Resolver Project, there are currently approximately 27 million open DNS resolvers in the world. If the organizations that manage these open resolvers would restrict them to only respond to internal queries, it would make it much more difficult for DDoS attackers to use those DNS servers against victims on the Internet.
It isn’t difficult to secure and harden DNS servers. If DNS administrators restricted recursive DNS queries to their internal networks, it would do a lot to prevent attackers from easily leveraging them in amplification attacks. This is more of an awareness issue than a technical one.
The second, and perhaps more important, step is to prevent spoofing on the Internet. There’s almost no reason someone in a network should be able to send traffic that looks like it comes from someone else. Firewalls, unified threat management appliances, routers, and other network gateway devices are almost always able to detect internal spoofing by recognizing when an internal address sends traffic that appears to be from a different network. If everyone on the Internet—especially service providers—would use this feature to block spoofing at the network level, then attackers would not be able to launch these types of attacks. In fact, the Internet Engineering Task Force (IETF) has long had a document addressing the issue called Best Current Practices (BCP) 38. If all network administrators followed these practices, the recent Spamhaus attack would not have been as big.
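The gateway check described above is simple to express as a rule: traffic leaving your network may only carry your own source addresses, and traffic arriving from the Internet may never claim one of them. This added example (not code from the original article or from WatchGuard) applies that BCP 38 logic to constructed flow records; the prefixes are documentation ranges chosen for the example, and the `direction,src,dst,proto,sport,dport` record layout is an assumption, not any particular vendor's log format.

```python
import ipaddress

# Constructed: the address blocks this network legitimately originates traffic from.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed flow records (not real logs): direction,src,dst,proto,sport,dport
# Row 2 is an outbound DNS query with a foreign source address, i.e. a spoofed
# request of the kind an amplification attack sends; row 5 is an inbound packet
# claiming one of our own addresses.
SAMPLE_FLOWS = """\
out,192.0.2.10,203.0.113.53,udp,40001,53
out,203.0.113.7,203.0.113.53,udp,40002,53
out,192.0.2.11,203.0.113.80,tcp,50001,443
in,203.0.113.80,192.0.2.11,tcp,443,50001
in,192.0.2.44,192.0.2.11,udp,53,40003
"""

def is_ours(ip: str) -> bool:
    """True if the address falls inside a prefix we are allowed to originate from."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)

def bcp38_verdict(direction: str, src: str) -> str:
    """Egress: only our own addresses may leave. Ingress: nothing arriving from
    outside may carry one of our addresses. Everything else is passed."""
    if direction == "out" and not is_ours(src):
        return "drop-spoofed-egress"
    if direction == "in" and is_ours(src):
        return "drop-spoofed-ingress"
    return "pass"

def filter_flows(text: str) -> list:
    """Return (src, dst, dport, verdict) for every record in the flow text."""
    verdicts = []
    for line in text.strip().splitlines():
        direction, src, dst, proto, sport, dport = line.split(",")
        verdicts.append((src, dst, dport, bcp38_verdict(direction, src)))
    return verdicts

if __name__ == "__main__":
    for src, dst, dport, verdict in filter_flows(SAMPLE_FLOWS):
        print(f"{verdict:22} {src} -> {dst}:{dport}")
```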
In short, if the Internet comes together as a community to close open resolvers and block spoofing at the network and Internet Exchange level, then many of the largest DDoS attacks can be mitigated. Those who don’t secure their own DNS resolvers are keeping others at risk, and therein lies the problem. If you run an open DNS resolver or a network gateway device, follow the best practices outlined above to make it harder for the bad guys to misuse servers and make the Internet a safer place for businesses and consumers alike.
Corey Nachreiner, CISSP and Director of Security Strategy for WatchGuard is an expert on this emerging form of DDoS attack and can explain what businesses need to do to protect themselves.
Most companies don’t realize that simple misconfigurations of their DNS servers are at the heart of this vulnerability, making it easy for attackers to take advantage. It is estimated that there are at least 27 million of these badly-configured servers which are vulnerable to this kind of attack. With some simple fixes, the internet would be a much safer place.