
DNS-based DDoS attacks: what's in a name.

Recent press has shown a marked increase in DDoS attacks on ISPs around the world. It seems DDoS attackers have switched their attention from banks to gaming hosts, ISPs and even enterprises. At Infoblox our customers have been telling us the same thing, as DDoS attacks have intensified among our ISP customers. Initially everything was lumped together under the DDoS heading. Then they became known as "NXDomain" attacks, but as we sifted through the PCAP files of the actual attacks across different customers in different regions, a number of unique patterns emerged.

ISPs are especially sensitive about DDoS attacks. Not only are these attacks extremely disruptive to the business and costly in the time and effort needed to understand and mitigate them, they can also damage the ISP's brand reputation if attacks continue and degrade the user experience. Let's take a look at six new attack types and how each one works.

Basic NXDomain attack

The attacker sends a flood of queries to a DNS server to resolve a non-existent domain (NXDomain). The recursive server tries to locate this non-existent domain by carrying out multiple domain name queries but does not find it. In the process, its cache is filled up with NXDomain results. When the DNS caching server's cache is full, users experience slower DNS server response times for legitimate DNS requests. The DNS server also spends valuable resources as it keeps trying to repeat the recursive query to get a resolution result.

Random sub-domain attacks

The attacker tries to exhaust the number of outstanding concurrent DNS queries by flooding the DNS server with requests for multiple non-existent domains, which he or she creates using randomly generated domain strings. For example: or etc. The responses never come back for these non-existent domains and the DNS server, as before, spends compute resources waiting for the responses. The attacker thinks he or she is attacking the domain but is in fact impacting the infrastructure of his or her own ISP.

Phantom domain attacks

In these attacks, the DNS resolver is forced to resolve multiple "phantom" domains that have been set up as part of the attack. These domains do not send responses, causing the server to consume resources while waiting for responses, eventually leading to degraded performance or failure.

Lock-up domain attacks

Resolvers and domains are set up by attackers to establish TCP-based connections with DNS resolvers that request a response. These domains don't send the correct response expected by the DNS resolver but instead keep it engaged with random packets. Advanced attacks also involve adaptive techniques to keep the DNS resolver "coming back" to check for responses. These domains might send a SERVFAIL at the end.

CPE-driven DDoS attacks

A significant proportion of the open DNS recursors utilised for DNS reflection or amplification attacks are customer premise equipment (CPE) devices. Some devices ship with a local, caching-only DNS server or DNS proxy open to the world. Users enable port-forwarding to open DNS recursors on their home networks.

DDoS attacks using malware

Akamai's Prolexic Security Engineering and Research Team is tracking the spread of "Spike", a new malware toolkit that poses a threat to embedded devices, as well as Linux and Windows systems. The malware-infected CPE devices effectively form a new botnet, enabling the botnet controller to generate DDoS traffic on demand against selected targets.

While no single mitigation approach is bullet-proof and the vendor community is working hard to help customers as much as possible, it is clear that the latest spate of DDoS attacks is targeting DNS as a key vulnerability. We are working with our ISP customers and their enterprise customers to help them protect their DNS infrastructure.
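The NXDomain flood and random sub-domain attacks described above leave a recognisable trace in a recursive resolver's query log: one zone accumulates a high share of NXDOMAIN answers for many distinct, high-entropy leftmost labels. The following detector is an added example written for this article, not code from Infoblox or from any resolver product. It assumes a simplified log format of "client qname qtype rcode" per line (constructed sample lines, not real traffic) and a naive two-label zone split in place of a public-suffix lookup; thresholds are illustrative.

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver query-log lines (not captured traffic).
# Format assumed for this example: "<client> <qname> <qtype> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com A NOERROR
10.0.0.9 x7f3kq9z.victim.example A NXDOMAIN
10.0.0.9 q2mz8c1v.victim.example A NXDOMAIN
10.0.0.9 a9k3lp0e.victim.example A NXDOMAIN
10.0.0.9 zz71hq4t.victim.example A NXDOMAIN
10.0.0.9 m8b2xv5n.victim.example A NXDOMAIN
10.0.0.7 www.victim.example A NOERROR
10.0.0.5 typo.example.com A NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, qname, qtype, rcode = m.groups()
    return {"client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype, "rcode": rcode.upper()}


def split_zone(qname):
    """Return (leftmost label, zone). Assumes two-label zones; a real deployment
    would consult the public suffix list instead of this shortcut."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label; random strings score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(log_text, min_queries=5, nx_ratio=0.6, min_entropy=2.5):
    """Aggregate per zone and flag zones whose NXDOMAIN share and average
    leftmost-label entropy both exceed the (illustrative) thresholds."""
    per_zone = defaultdict(lambda: {"total": 0, "nx": 0, "subs": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub, zone = split_zone(rec["qname"])
        z = per_zone[zone]
        z["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            z["nx"] += 1
            z["subs"].add(sub)
            z["entropy_sum"] += label_entropy(sub)

    findings = {}
    for zone, z in per_zone.items():
        if z["total"] < min_queries:
            continue  # too little data to judge
        ratio = z["nx"] / z["total"]
        avg_entropy = z["entropy_sum"] / z["nx"] if z["nx"] else 0.0
        if ratio >= nx_ratio and avg_entropy >= min_entropy:
            findings[zone] = {
                "queries": z["total"],
                "nxdomain_ratio": ratio,
                "distinct_nx_subdomains": len(z["subs"]),
                "avg_label_entropy": avg_entropy,
            }
    return findings


if __name__ == "__main__":
    for zone, info in analyse(SAMPLE_LOG).items():
        print(zone, info)
```

On the constructed sample, only victim.example is flagged (five of six queries are NXDOMAIN for five distinct random-looking labels), while the single typo under example.com stays below the minimum query count. In production the same aggregation would run per time window and per client as well as per zone, so that one CPE device emitting random sub-domains can be rate-limited without affecting the rest of the subscriber base.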
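Phantom and lock-up domains work by tying up a resolver's outbound fetch slots with authoritative servers that never answer properly. The usual defence is resolver-side: cap outstanding fetches per upstream server and hold a server down once it has timed out repeatedly, similar in spirit to the per-server fetch limits that recursive resolvers such as BIND provide. The class below is an added, simplified model of that idea written for this article, not code from Infoblox, BIND or any other resolver; the threshold and hold-down values are illustrative, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict


class ServerHoldDown:
    """Per-upstream-server fetch budget for a recursive resolver.

    Tracks outstanding fetches and consecutive timeouts per authoritative server
    address. After max_consecutive_timeouts the server is held down for
    hold_down_seconds and further fetches to it are refused immediately, so a
    phantom or lock-up domain cannot keep the resolver's fetch slots occupied.
    """

    def __init__(self, max_consecutive_timeouts=3, hold_down_seconds=60.0,
                 max_outstanding=20, clock=time.monotonic):
        self.max_consecutive_timeouts = max_consecutive_timeouts
        self.hold_down_seconds = hold_down_seconds
        self.max_outstanding = max_outstanding
        self.clock = clock  # injectable for tests; defaults to a monotonic clock
        self.outstanding = defaultdict(int)
        self.timeouts = defaultdict(int)
        self.held_until = {}

    def may_fetch(self, server):
        """True if a new fetch to this server is currently allowed."""
        now = self.clock()
        until = self.held_until.get(server)
        if until is not None:
            if now < until:
                return False          # still held down: fail fast, spend nothing
            del self.held_until[server]
            self.timeouts[server] = 0  # hold-down expired: give it a fresh chance
        return self.outstanding[server] < self.max_outstanding

    def start_fetch(self, server):
        """Reserve a fetch slot; returns False if the fetch must not be sent."""
        if not self.may_fetch(server):
            return False
        self.outstanding[server] += 1
        return True

    def record_answer(self, server):
        """A usable answer arrived: release the slot and reset the timeout streak."""
        self.outstanding[server] = max(0, self.outstanding[server] - 1)
        self.timeouts[server] = 0

    def record_timeout(self, server):
        """No usable answer (or only junk packets) before the deadline."""
        self.outstanding[server] = max(0, self.outstanding[server] - 1)
        self.timeouts[server] += 1
        if self.timeouts[server] >= self.max_consecutive_timeouts:
            self.held_until[server] = self.clock() + self.hold_down_seconds


class FakeClock:
    """Constructed clock for the worked simulation below."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate_phantom_server(attempts=10):
    """Simulate a phantom authoritative server (constructed address) that never answers.

    Returns (fetches actually sent, fetches refused while held down, allowed after expiry).
    """
    clock = FakeClock()
    budget = ServerHoldDown(max_consecutive_timeouts=3, hold_down_seconds=60.0, clock=clock)
    phantom = "192.0.2.10"  # documentation-range address, constructed for the example
    sent = refused = 0
    for _ in range(attempts):
        if budget.start_fetch(phantom):
            sent += 1
            clock.t += 2.0            # each fetch waits out its timeout
            budget.record_timeout(phantom)
        else:
            refused += 1
    clock.t += 61.0                   # hold-down window passes
    allowed_after_expiry = budget.may_fetch(phantom)
    return sent, refused, allowed_after_expiry


if __name__ == "__main__":
    print(simulate_phantom_server())
```

In the simulation only the first three fetches are actually sent; the remaining seven are refused without consuming a slot, and the server becomes eligible again once the hold-down window has passed. The outstanding-fetch cap protects against the lock-up variant too: a server that keeps a TCP connection busy with random packets can occupy at most max_outstanding slots before new fetches to it are refused.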

2015 ITP Business Publishing Ltd. All Rights Reserved. Provided by SyndiGate Media Inc.

Date: Jun 22, 2015