Attack of the Network Traffic

Understanding and Avoiding Distributed Denial of Service (DDoS) Attacks

• Amplification attacks – Really, attackers only need two things to generate a large amount of network traffic that seems to come from multiple sources: the ability to spoof traffic (make it appear to come from someone else) and access to a mechanism or service that returns a large reply to a small request. If they can find those two things, they can turn a meager amount of spoofed traffic into a huge amount of replies destined for their intended victim. This is called an amplification attack.


The Role of Open DNS

The recent DDoS attack against a company called Spamhaus, a European-based spam-prevention service, brought the issue of DDoS amplification into the network security limelight. In this particular instance, attackers used a DNS amplification attack to generate huge amounts of malicious traffic against Spamhaus — more network traffic than the organization was equipped to handle. In fact, by taking advantage of the nature of DNS, the Spamhaus attack set a new record, peaking at 300 Gbps, or roughly six times larger than the DDoS attacks Wells Fargo & Co. experienced on March 23.

The domain name system (DNS) is basically the phone book of the Internet. When you visit a website by its domain name, your computer quickly and quietly uses DNS to look up the real Internet address associated with that name. DNS also provides the ability to spoof requests and to generate large replies — the two things needed to implement a DDoS amplification attack.

DNS uses UDP for its communication, a connectionless protocol, meaning a computer is not required to verify the source of a communication before accepting and responding to it. This means attackers can easily spoof DNS requests, making them appear to come from someone else. DNS servers can also send large replies. There are situations where small requests (maybe 60Kb) can be sent that result in large replies (4,000Kb or more). Combined, these two properties let attackers send small requests that generate big replies back to their spoofed victim.

In the Spamhaus case, attackers likely leveraged both a botnet and DNS amplification to break the DDoS record. An attack computer sent hundreds of small, spoofed DNS requests to various open DNS servers on the Internet, requests that appeared to come from Spamhaus’ own network. The DNS servers amplified those requests many times over by sending much larger replies back to Spamhaus. The attackers further magnified the attack by making all the computers in a botnet do the same thing. When the raw power of a big bot network and the magnification of DNS amplification are combined, the result is far too much network traffic and thus, denial of service.

The keys to this equation are the open DNS servers on the Internet, also called open DNS resolvers. Although DNS is like the phonebook of the Internet, it’s a phonebook that organizations should keep to themselves. At a high level, there are essentially two types of DNS services a business might have:

• Recursive DNS server – A recursive DNS server is intended to supply domain lookups to all employees within a network. It should be able to reply to queries about all sites on the Internet, but it should only reply to people within the organization, which it determines by checking their source address.

• Authoritative DNS server – An authoritative DNS server is essentially one that tells the rest of the world about a company or organization’s domain; however, the authoritative DNS server should only respond to queries about the company’s domain, not about all domains on the Internet.

A DNS server that openly replies to anyone’s request about any site on the Internet is classified as “open.” In DNS amplification attacks like the one Spamhaus experienced, the attackers take advantage of these open DNS resolvers to magnify their attack. While businesses need recursive DNS servers for their employees, they should not open these servers to requests from anyone on the Internet, as this leaves the network susceptible to large-scale DDoS attacks.
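As an added defender-side example (not code from the article), here is a small Python check over constructed resolver log lines: it flags answers the recursive resolver gave to clients outside the organization's own address ranges, which is exactly the "open" behaviour described above, and reports the reply-to-request byte ratio those external sources obtained. The log format and the internal prefixes are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (assumed format, not a real server's output):
# "client_ip qname qtype query_bytes response_bytes", one query per line.
SAMPLE_LOG = """\
10.0.5.12 www.example.com A 60 120
10.0.5.17 mail.example.com MX 64 180
203.0.113.9 isc.org ANY 64 3300
203.0.113.9 isc.org ANY 64 3300
203.0.113.9 isc.org ANY 64 3300
198.51.100.77 ripe.net ANY 58 2900
"""

# Address ranges this recursive resolver is meant to serve (assumed internal prefixes).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def parse_log(text):
    """Turn the space-separated log lines into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype, qlen, rlen = line.split()
        rows.append({"client": ipaddress.ip_address(client), "qname": qname,
                     "qtype": qtype, "qlen": int(qlen), "rlen": int(rlen)})
    return rows


def is_internal(addr):
    """True when the source address belongs to a network we should serve."""
    return any(addr in net for net in INTERNAL_NETS)


def find_open_resolver_abuse(rows, min_ratio=10.0):
    """Report, per external client, how many queries the resolver answered that
    it should have refused, and the amplification (response bytes / query bytes)
    those answers handed to whoever the source address really was."""
    per_client = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0})
    for r in rows:
        if is_internal(r["client"]):
            continue  # legitimate internal lookup, nothing to flag
        c = per_client[str(r["client"])]
        c["queries"] += 1
        c["qbytes"] += r["qlen"]
        c["rbytes"] += r["rlen"]
    report = {}
    for client, c in per_client.items():
        ratio = c["rbytes"] / c["qbytes"]
        report[client] = {"queries": c["queries"], "amplification": round(ratio, 1),
                          "high_amplification": ratio >= min_ratio}
    return report
```

Any entry in the report means the resolver answered a query it should have dropped; a high ratio on repeated queries from the same external address is the traffic pattern an open resolver produces while being used against a spoofed victim.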

There are rumors that a DDoS attack, if significant enough, could potentially bring down the Internet itself. So far, evidence shows that these attacks have only caused online traffic jams, rather than a full-fledged virtual meltdown. Internet traffic passing through an area impacted by a DDoS attack can back up and clog the network, just as a traffic jam would do on a freeway. For the health of the Internet, it is important for businesses to understand these DDoS attacks and how to prevent them.