Rarely do online security issues enter the public consciousness. Large-scale loss of user data is the most likely to reach the media, prompting companies to implement data security procedures to mitigate the risk of a public relations disaster. Other attacks, including those on the infrastructure of the Internet itself, are largely absent from public dialogue. Last year, following a series of massive DDoS attacks that used the Domain Name System, the media ran with the story that the Internet itself was under threat. That was an overstatement, but it was certainly true that the DNS amplification attacks, among the largest DDoS attacks ever seen, cost companies a significant amount of revenue, both in lost business and in mitigation costs.
But after the initial flurry of concern and media attention, the focus turned elsewhere. There wasn’t the public outcry that surrounds data breaches, which may be why many companies have failed to properly implement the best practices that would prevent online criminals from using the DNS system to knock sites and services off the Internet. There are still many hundreds of thousands of open DNS resolvers; some estimates put the figure at 20 percent of all DNS servers.
The DNS distributed denial of service attacks are a form of amplification attack, which is why they are so popular with criminals. The technique allows them to multiply the amount of data they can send to a target by orders of magnitude. The attack depends on there being open recursive DNS servers available — those that do not restrict the IPs from which they accept DNS requests.
The attacker crafts a small DNS request they know will prompt a DNS server to issue a much larger response. Typically, the initial request is of the order of 60 bytes, while the response is around 4000 bytes. A DNS server sends its response to the source IP address of the request, so by spoofing that address to the target’s IP, the attacker causes the response to be delivered to the target machine rather than to the machine that actually sent the request.
Using a botnet, attackers can send thousands of such DNS requests, bombarding the target IP with enormous amounts of data — frequently saturating the target’s bandwidth, rendering them unable to respond to legitimate requests. In effect, the target becomes unreachable to the outside world. When the target is business critical services like company sites, eCommerce stores, or call centers, the loss of business can be catastrophic.
It is possible to filter out the rogue DNS requests, but doing so is expensive and error prone, and it treats the symptoms while ignoring the underlying disease. The only way to truly protect against DNS amplification attacks is to reduce the number of open recursive DNS resolvers available to attackers. But until companies fall victim themselves, they have little incentive to invest in securing their servers.
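To make the two points above concrete, the amplification ratio between a tiny request and a large response, and the fix of restricting which source networks a resolver will recurse for, here is an added example that is not part of the original article. It is a small log-analysis script that operates on a constructed resolver log (the log format, the field names and the `10.0.0.0/8` internal network are all assumptions); it computes the amplification factor per client address and reports any client that is outside the recursion ACL, which is exactly the condition that makes a resolver "open". Note that during an attack the client address an open resolver sees is the spoofed victim, so the report names who is being flooded, not the attacker.

```python
"""Spot amplification-style traffic in resolver query logs and apply a
source-network ACL for recursion.

Added example, not code from the original article. The log format and
allowed networks below are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample log: one line per query/response pair handled by a
# resolver.  Fields: client_ip qtype qname request_bytes response_bytes
# The first lines mimic the article's ~60-byte request / ~4000-byte reply.
SAMPLE_LOG = """\
192.0.2.10 ANY example.com 60 3998
192.0.2.10 ANY example.com 60 3998
192.0.2.10 ANY example.com 60 3998
10.0.0.5 A www.example.com 64 110
203.0.113.7 TXT example.com 58 1200
10.0.0.9 AAAA mail.example.com 66 120
"""

# Networks this resolver is meant to serve recursively (assumed internal).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn the constructed log text into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname, req, resp = line.split()
        records.append({
            "client": ipaddress.ip_address(client),
            "qtype": qtype,
            "qname": qname,
            "req_bytes": int(req),
            "resp_bytes": int(resp),
        })
    return records


def amplification_factor(record):
    """Bytes sent back per byte received: the attacker's multiplier."""
    return record["resp_bytes"] / record["req_bytes"]


def recursion_allowed(client, allowed_nets=ALLOWED_NETS):
    """Mimic a resolver's recursion ACL: recurse only for listed networks."""
    if isinstance(client, str):
        client = ipaddress.ip_address(client)
    return any(client in net for net in allowed_nets)


def find_amplification_sources(records, factor_threshold=10.0,
                               allowed_nets=ALLOWED_NETS):
    """Aggregate per client address and flag clients whose traffic shows a
    large amplification factor or that the ACL should have refused.

    Remember: the client address is taken from the request's source IP, so
    under a spoofed-source attack it identifies the victim being flooded."""
    per_client = defaultdict(lambda: {"req": 0, "resp": 0, "queries": 0})
    for record in records:
        stats = per_client[record["client"]]
        stats["req"] += record["req_bytes"]
        stats["resp"] += record["resp_bytes"]
        stats["queries"] += 1

    findings = {}
    for client, stats in per_client.items():
        factor = stats["resp"] / stats["req"]
        reasons = []
        if factor >= factor_threshold:
            reasons.append(
                f"amplification factor {factor:.0f}x over "
                f"{stats['queries']} queries")
        if not recursion_allowed(client, allowed_nets):
            reasons.append("client outside recursion ACL (open resolver)")
        if reasons:
            findings[str(client)] = reasons
    return findings


if __name__ == "__main__":
    for addr, reasons in find_amplification_sources(
            parse_log(SAMPLE_LOG)).items():
        print(addr, "->", "; ".join(reasons))
```

The `recursion_allowed` check is the whole of the article's recommended fix expressed as a predicate: a resolver that applies it to every incoming query before recursing cannot be used to reflect traffic at addresses outside the networks it serves. The threshold of 10x is a constructed starting point; legitimate DNSSEC or TXT-heavy traffic can exceed it, so a real deployment would tune it against its own baseline.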
That’s shortsighted; for the good of the Internet at large and the online community, companies should implement procedures that will deprive attackers of one of their most powerful weapons.