AT&T Tech Support 360
March 24, 2006 4:00 AM PST
DNS servers do hackers' dirty work
- Related Stories
-
New denial-of-service threat emerges
March 16, 2006 -
Skype could provide botnet controls
January 25, 2006 -
Good security news to be in short supply in 2006
January 20, 2006 -
Blackmailers try to black out Million Dollar Homepage
January 18, 2006 -
Bots slim down to get tough
November 16, 2005 -
Kevin Mitnick on hacking's evolution
November 4, 2005 -
Old software weakening Net's backbone, survey says
October 25, 2005 -
The sorry state of the domain name game
October 4, 2005 -
Weak links in the Net's armor
August 3, 2005 -
Hacking for dollars
July 6, 2005 -
VeriSign to put more backbone into the Net
May 19, 2005 -
Report: Crooks behind more Net attacks
November 16, 2004 -
Blackout hits major Web sites
June 15, 2004 -
Jerry Garcia's guitars up for auction
May 6, 2002
Earlier this year, VeriSign experienced attacks on its systems that were larger than anything it had ever seen before, it said last week. The Mountain View, Calif.-based company, which helps companies do business on the Web, discovered that the assaults weren't coming from commandeered "bot" computers, as is common. Instead, its machines were under attack by DNS (domain name system) servers.
"DNS is now a major vector for DDOS," Dan Kaminsky, a security researcher said, referring to distributed denial-of-service attacks. "The bar has been lowered. People with fewer resources can now launch potentially crippling attacks."
Just as in any DDOS attack, the target system--which could be a victim's Web server, name server or mail server--is inundated with a multitude of data coming from multiple systems on the Internet. The goal is to make the target unreachable online by flooding the data connection or by crashing it as it tries to handle the incoming data.
Such attacks were once the tool of bored teenagers who got a kick out of seeing Web sites crumble. But these days, DDOS attacks are sometimes used by criminals looking to extort money from online businesses--especially those on the margins, such as gambling sites and the adult-entertainment industry.
"We're past the era where denial of service simply happens because kids are looking for a good time," Kaminsky said.
Unlike a commandeered PC, a DNS server is a valid and good citizen of the Internet. The systems play a critical role in connecting Web users, mapping text-based domain names such as www.cnet.com to the numerical IP addresses used by computers.
In this new kind of attack, an assailant would typically use a botnet to send a large number of queries to open DNS servers. These queries will be "spoofed" to look like they come from the target of the flooding, and the DNS server will reply to that network address.
Using DNS servers to do their dirty work offers key benefits to attackers. It hides their systems, making it harder for the victim to find the original source of the attack. But more important, reflecting an attack through a DNS server also allows the assault to be amplified, delivering a larger amount of malicious traffic to the target.
Amplified response
A single DNS query could trigger a response that is as much as 73 times larger than the request, according to a recent paper by Randal Vaughn, a professor of information systems at Baylor University, and Gadi Evron, the manager of the Computer Emergency Response Team at Israel's ministry of finance.
"Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address," Vaughn and Evron wrote.
What happens during a DNS reflector and amplification attack could be compared with trying to jam up somebody's mailbox, said Paul Mockapetris, the inventor of DNS and chief scientist at secure DNS provider Nominum. A basic way to do that would be to write and mail a lot of letters. However, those letters would be traceable, and you would also have to spend a lot of time writing.
"A better way to do it would be to send in response-request cards--the kind you find in magazines--circle everything and fill in the target's address," Mockapetris said. "That would make more junk show up in the mailbox and eliminate the obvious link to you." And that's what is happening with this type of DDOS attack, he said.
See more CNET content tagged:
DNS server,
DNS,
distributed denial of service,
VeriSign Inc.,
Nominum Inc.
http://www.google.co.uk/search?hl=en&q=Akamia+attack&meta=
http://www.google.co.uk/search?hl=en&q=Akamai+attack+n3td3v&spell=1
irresponsible, I think it highlights that we
need to move beyond IPv4 to something that
doesn't just assume a connection is legit. If a
connection is made apparently from ___, then the
ACK of receipt used in file transfers (i.e.,
packet received) could serve as a "you did send
this, right?". IPv6 has some improvements over
IPv4 as well.
So think.
See http://blogs.jhsoft.com/jhsoft/PermaLink,guid,f43ae4a8-b3cb-43ba-b9c0-261f4a4b509c.aspx
Anyone know of anything else?
Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) can determine whether the sender is valid or spoofed and it will drop spoofed DNS requests.
That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plage them!!!
The problem has been known for several years adn a valid solution exists... but it's only for those whom invest properly in the correct security equipment!!!
Walt
Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) can determine whether the sender is valid or spoofed and it will drop spoofed DNS requests.
That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plage them!!!
The problem has been known for several years adn a valid solution exists... but it's only for those whom invest properly in the correct security equipment!!!
Walt