Hackers are increasingly turning to DNS reflection to amplify the volume of distributed denial of service (DDoS) attacks. The technique has been known about for years but seldom used in anger, until the debilitating DDoS attack in March that peaked at 300 Gbps against anti-spam organisation Spamhaus and cloud-based DDoS …
That is the trouble with security firms
As soon as one person works it out and uses the exploit, some security firm will try to show how clever they are by documenting it (or as good as)
Thus the skiddies will Ctrl+C it to death
Re: That is the trouble with security firms
Because it's far better that the exploit only ever get documented and passed around attackers, obviously.
And we've got absolutely no history of companies warned in private either ignoring security holes in their products and services, or suing people that point them out. Oh no.
Public disclosure of vulnerabilities is the *only* way we have to both warn everyone of what's going on and force the hand of the purveyors of the vulnerability. It is unequivocally A Good Thing (TM).
This has echoes of 'protection' in the 60s. Arrange a massive, reflective DDoS attack on major financial institutions then launch a legitimate consultancy practice offering protection against the same, whilst publishing the technique.
To be fair
An attack that is successfully defended will go un-noticed by end users so the only opportunity of the Supplier getting more customers is to publicise their successes. And I'd rather site owners get cover than be denied access.
As for publishing the technique....this has been available through 'tinternet for a number of years. Just that it's a bit harder to achieve than downloading that idiotic Low Orbit thing that was all the rage not so long ago.
For one, I'm surprised this method has not been used large scale before.
You don't see any parrots do you? It must work..
Re: anti-parrot wand
"You don't see any parrots do you? It must work.."
You do around southwest London, thousands of 'em.
Configure your DNS servers to only allow zone transfer requests from their backup servers?
"Configure your DNS servers to only allow zone transfer requests from their backup servers?"
That is largely done already. Besides, a zone transfer is done over TCP so you can't cause vast amounts of data to hit the target by spoofing the source (sender) address.
The attack here relies on UDP, and is related to DNS servers that allow recursive lookups to anyone.
gamers turned haters?
You got something against gamers turned haters? What are you, some kind of gamer turned hater hater?
I really wasn't aware that you could change the color of an attack, or that color was even a factor. I also think if 'blacking' an attack is effective then maybe those who are doing the blacking should reconsider where their real priorities lie. Actions based solely on color are never going to stop if we allow this sort of thing to continue: Even if it works it is still wrong.
New idea for DDoS prevention company
“Because of the proactive DDoS defense strategies Prolexic had put in place with this client, no malicious traffic reached its website and downtime was avoided. In fact, the company wasn’t aware it was under attack.”
I'm going to start a company with just a marketing department which will sign up customers then occasionally tell them that we outwitted a vast DDoS attack to keep them paying the subscriptions.
If an actual DDoS attack occurs, I'll tell them that the hackers simply had found a way through our systems!
Does anyone want to invest?
Career advancement through imaginary success
We're aware of a case in which a company's sysadmin generated a bunch of fake reports of "DDoS attacks" that never happened, scaring non-technical executives silly with dire warnings of pending Armageddon.
Then he hired a whole raft of "anti-DDoS" firms to protect against these fake attacks.
Then he convinced the aforementioned executives he was invaluable for defending against attacks that never happened, by spending money on services that never did anything but sit idle.
The whole thing fell apart when an exec with some technical competence requested excerpts from the logfiles to do some analysis of the DDoS attacks, purely out of curiosity to see the raw data. Only there were no logfiles because there were no DDoS attacks. And of course the anti-DDoS companies couldn't be bothered to make fake reports on the fake attacks... so the jig was up.
So, yes protecting companies from nonexistent threats can be not only a good business model... it can even be a short-term career boost. At the expense of one's integrity, of course. There's that...
Re: Career advancement through imaginary success
That's just fraud. Anyone can do that but it is completely uncivilized. The least they could have done was to DDoS their client then stop it through their judicious application of 'IT Magic'. That way they meet all the criteria for providing a DDoS mitigation service and defending against an attack.
Correction and a fix
First of all, we're not talking zone transfers (AXFR) here. They can only come from authoritative nameservers and this functionality should be locked down to only be available from a few local IPs.
The technique here is to send a 'regular' request for some large zone to a cache nameserver, only with the source IP spoofed so the reply goes to that IP, not to the one really doing the asking. There are lists of large zones floating around the net, as well as lists of open cache nameservers.
The victim will see a massive flood of DNS replies, all originating from more or less random cache nameservers, all with a source port of 53 (TCP or UDP).
Now, most organizations have their 'own' cache nameservers and thus should never allow DNS traffic from the outside from other IPs than those (if they're outside the local network), or any inbound DNS traffic unless it is part of an already established connection or part of establishing one, which could be further limited to those with a source IP of a local cache nameserver (used for recursive lookups).
Sure, the attack can saturate the uplink pipe completely, rendering all local firewalling futile, but then the rules are just applied one step up the pipeline and you're back in business. If not, go one more step.
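The two comments above (the UDP-not-TCP point, and the 'Correction and a fix' post) describe both halves of the picture: a spoofed-source ANY query for a large zone sent to an open cache nameserver, and a border rule that accepts DNS replies only from your own caches or for flows your caches started. The following is an added example in Python, not code from the article, the thread or any vendor named in it. It builds the minimal query to show the byte-count asymmetry, then applies the comment's filtering rule to a constructed set of flow records. The addresses (192.0.2.0/24 as the LAN, 192.0.2.53 as the local cache, 198.51.100.53 as a trusted outside resolver) and every packet in the sample are assumptions made up for the illustration.

```python
import ipaddress
import struct
from collections import defaultdict
from dataclasses import dataclass

# Assumed topology for this example (RFC 5737 documentation addresses).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # our LAN
LOCAL_RESOLVERS = {"192.0.2.53"}                    # our own cache nameserver
TRUSTED_EXTERNAL = {"198.51.100.53"}                # a resolver we use outside the LAN


def build_dns_query(qname: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Minimal DNS query with RD set. qtype 255 (ANY) is the amplifier's usual
    choice because the reply carries every record held for the name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def amplification_factor(query: bytes, response_len: int) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker sends."""
    return response_len / len(query)


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    length: int  # bytes on the wire
    qr: int      # DNS header QR bit: 0 = query, 1 = response


def filter_dns(packets, local_net=LOCAL_NET, local_resolvers=LOCAL_RESOLVERS,
               trusted=TRUSTED_EXTERNAL):
    """The border rule from the comment: DNS from outside is accepted only if it
    comes from a resolver we trust, or is a reply to a query one of our own
    caches actually sent (flow established from inside). Outbound recursive
    queries are allowed only from our caches. Returns (accepted, dropped)."""
    outstanding = set()   # (our cache, its source port, server) we are waiting on
    accepted, dropped = [], []
    for p in packets:
        if p.sport != 53 and p.dport != 53:
            continue      # not DNS; other rules handle it
        inbound = ipaddress.ip_address(p.dst) in local_net
        if not inbound:   # outbound: remember the flow so the reply can match it
            if p.src in local_resolvers and p.dport == 53 and p.qr == 0:
                outstanding.add((p.src, p.sport, p.dst))
                accepted.append(p)
            else:
                dropped.append(p)   # only our caches talk DNS to the outside
            continue
        # Inbound: same "did one of our caches start this?" test for UDP and TCP;
        # a real stateful firewall tracks the TCP handshake, which spoofing cannot finish.
        if p.qr == 1 and p.sport == 53 and (
                p.src in trusted or (p.dst, p.dport, p.src) in outstanding):
            outstanding.discard((p.dst, p.dport, p.src))
            accepted.append(p)
        else:
            dropped.append(p)       # unsolicited reply: reflection traffic
    return accepted, dropped


def reflector_report(dropped, local_net=LOCAL_NET):
    """Bytes per source address that were reflected at us and dropped."""
    by_src = defaultdict(int)
    for p in dropped:
        if ipaddress.ip_address(p.dst) in local_net:
            by_src[p.src] += p.length
    return dict(by_src)


# Constructed flow records, not captured traffic.
SAMPLE_PACKETS = [
    Packet("udp", "192.0.2.53", 40001, "203.0.113.10", 53, 60, 0),   # our cache asks out
    Packet("udp", "203.0.113.10", 53, "192.0.2.53", 40001, 512, 1),  # matching answer
    Packet("udp", "198.51.100.53", 53, "192.0.2.80", 51000, 120, 1), # trusted resolver
    Packet("udp", "203.0.113.7", 53, "192.0.2.80", 44444, 3200, 1),  # reflected at web host
    Packet("udp", "203.0.113.9", 53, "192.0.2.80", 44444, 3100, 1),  # reflected at web host
    Packet("udp", "203.0.113.7", 53, "192.0.2.53", 40002, 3200, 1),  # reflected at cache, no query
    Packet("tcp", "203.0.113.20", 53, "192.0.2.80", 44446, 900, 1),  # no handshake from us
    Packet("udp", "192.0.2.80", 50000, "203.0.113.10", 53, 60, 0),   # workstation going direct
]


def run_demo():
    accepted, dropped = filter_dns(SAMPLE_PACKETS)
    return len(accepted), len(dropped), reflector_report(dropped)


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(f"{len(q)}-byte ANY query; a 3200-byte answer is x{amplification_factor(q, 3200):.0f}")
    a, d, report = run_demo()
    print(f"accepted {a}, dropped {d}, reflectors: {report}")
```

The per-reflector byte counts are what you would hand to the upstream provider when, as the comment says, the pipe itself is saturated and the same rule has to be applied one hop further out.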
"known about for years"
At least 15 years. It was being used in IRC attacks in the mid-late 1990s.
I'm surprised that
1: This is only being noticed publicly now
2: That there are still so many DNS servers open to "host -l" - apart from the reflection/amplification, it's a security risk to give away the entire DNS structure of your zone.
prolexic ... hmm ... blocked them the other day
I blocked a network on the firewall the other day - it was sending some rather interesting high volume probes towards our network. It turned out to be prolexic, looking for someone to hit. They seemed like a familiar name, and I saw that not only are they abusing our servers, but they are complaining about abuse. Hm. I wonder if anyone will ever remove the block I put in?