Attack of the Network Traffic

June 13, 2013
Understanding and Avoiding Distributed Denial of Service (DDoS) Attacks

Many computer users are familiar with customary tactics hackers use to target their prey — sending malicious links or attachments that prompt a victim to click, thus installing malware or Trojans on the targeted computer and opening a door into the victim’s network. However, attacks that happen on the back-end are much more mysterious.

Online criminals have long attacked computers connected to the Internet by overwhelming their targets with more traffic than their infrastructure can possibly handle, often with help from a powerful botnet. The scale of these bandwidth-clogging attacks has continued to grow over the years, and the techniques used to launch them keep evolving. That said, many IT pros still overlook this class of attack, and don’t take the proper precautions to prevent them.

DDoS vs. DoS

Attacks that overwhelm network services with massive amounts of traffic are known as distributed denial of service (DDoS) attacks, and cyber criminals use them to bring down websites, network services, and company networks.

DDoS attacks are markedly different from the denial of service (DoS) attacks from which they take their name. Generally, a DoS attack is designed to disrupt a computer, program or network service. A “Plain Jane” DoS attack relies on an underlying technical weakness or vulnerability in the system being attacked. For example, perhaps a particular file server doesn’t handle certain malformed network requests properly. If an attacker sends such a request to the server, it crashes and visitors can’t download their files. They are denied service.

From the attacker’s point of view, DoS attacks are easy to exploit; the attacker just needs to know the right network traffic to send, or sequence of events to trigger. DoS attacks don’t take many resources or overwhelming force to achieve; however, DoS attacks have an Achilles’ heel: IT pros can easily defend against them. Since DoS attacks depend on some sort of specific software weakness, once the weakness is fixed, attackers are thwarted. Furthermore, security vendors can create signatures that identify the specific traffic used to trigger DoS flaws, and easily block any attacker who sends that type of traffic.

On the other hand, DDoS attacks are much harder to defend against. Unlike basic DoS attacks, a DDoS attack does not rely on any underlying vulnerability or weakness in the system being attacked. Rather, it relies on overwhelming force. The concept is simple: network servers — even the huge, load-balanced, clustered ones running the largest enterprises — can only handle a finite amount of network traffic. If more network traffic is generated than a server can handle, and that traffic appears to be from many different sources from different geographic locations, the server can be overwhelmed.

Attackers don’t even have to use specially crafted traffic; legitimate traffic is better because it is disguised as normal customer requests, and the victim won’t be able to differentiate the two. The server is overwhelmed by traffic volume, and since the attack seems to come from hundreds (or even thousands) of sources, it’s tremendously difficult to block or halt.

How DDoS Traffic is Generated

The concept behind DDoS attacks is simple; however, the challenge lies in how to trigger huge amounts of legitimate network traffic from a variety of sources. A single computer isn’t able to generate nearly the volume of bandwidth necessary to take down an average network server, and traffic from a single source can easily be blocked. So how do attackers get the power necessary to generate a deluge of network traffic from distributed sources?

There are essentially two ways this can be accomplished:

  • Botnets – Botnets are networks of compromised victim computers. By using basic infection tactics, attackers infect thousands, and in some case millions, of victim computers. The attacker can then assume control and harness the power of all these computers for a DDoS attack. It can take a while to harvest enough victim machines to perform a large-scale DDoS attack, but experts have seen botnet-based DDoS attacks grow in scope, some generating 20 to 70 Gbps of attack traffic.
  • Amplification attacks – Really, attackers only need two things to generate a large amount of network traffic that seems to come from multiple sources: the ability to spoof traffic (make it appear to come from someone else) and access to a mechanism or service that returns a large reply to a small request. If they can find those two things, they can turn a meager amount of spoofed traffic into a huge amount of replies destined for their intended victim. This is called an amplification attack.

The Role of Open DNS

The recent DDoS attack against a company called Spamhaus, a European-based spam-prevention service, brought the issue of DDoS amplification into the network security limelight. In this particular instance, attackers used a DNS amplification attack to generate huge amounts of malicious traffic against Spamhaus — more network traffic than the organization was equipped to handle. In fact, by taking advantage of the nature of DNS, the Spamhaus attack set a new record, peaking at 300 Gbps, or roughly six times larger than the DDoS attacks Wells Fargo & Co. experienced on March 23.

The domain name system (DNS) is basically the phone book of the Internet. When you visit a website by its domain name, your computer quickly and quietly uses DNS to look up the real Internet address associated with that name. DNS also provides the ability to spoof and to generate large replies — the two things needed to implement a DDoS amplification attack.

DNS communicates over UDP, a connectionless protocol — meaning a computer isn’t required to verify the source of a communication before accepting and responding to it. This means attackers can easily spoof DNS requests, making them appear to come from someone else. DNS servers can also send large replies. There are situations where small requests (maybe 60Kb) can be sent that result in large replies (4,000Kb or more). Combined, attackers can send small requests that generate big replies back to their spoofed victim.

In the Spamhaus case, attackers likely leveraged both a botnet and DNS amplification to break the DDoS record. An attack computer sent hundreds of small, spoofed DNS requests to various open DNS servers on the Internet, which pretended to come from Spamhaus’ own network. The DNS servers amplified those requests by sending much larger replies back to Spamhaus. The attackers further magnified the attack by making all the computers in a botnet do the same thing. When the raw power of a big bot network and the magnification of DNS amplification are combined, the result is far too much network traffic and thus, denial of service.

The keys to this equation are the open DNS servers on the Internet, also called open DNS resolvers. Although DNS is like the phonebook of the Internet, it’s a phonebook that organizations should keep to themselves. At a high level, there are essentially two types of DNS services a business might have:

  • Recursive DNS server – A recursive DNS server is intended to supply domain lookups to all employees within a network. It should be able to reply to queries about all sites on the Internet, but it should only reply to people within the organization, identified by their source address.
  • Authoritative DNS server – An authoritative DNS server is essentially one that tells the rest of the world about a company or organization’s domain; however, the authoritative DNS server should only respond to queries about the company’s domain, not about all domains on the Internet.

A DNS server that openly replies to anyone’s request about any site on the Internet is classified as “open.” In DNS amplification attacks like the one Spamhaus experienced, the attackers take advantage of these open DNS resolvers to magnify their attack. While businesses need recursive DNS servers for their employees, they should not open these servers to requests from anyone on the Internet, as this leaves the network susceptible to large-scale DDoS attacks.

There are rumors that a DDoS attack, if significant enough, could potentially bring down the Internet itself. So far, evidence shows that these attacks have only caused online traffic jams, rather than a full-fledged virtual meltdown. Internet traffic passing through an area impacted by a DDoS attack can back up and clog the network, just as a traffic jam would do on a freeway. For the health of the Internet, it is important for businesses to understand these DDoS attacks and how to prevent them.

DDoS Protection is a Community Effort

As scary and complex as these huge DDoS attacks might sound, it isn’t too difficult to prevent cyber attackers from misusing DNS servers. There are two things that can prevent DNS amplification attacks; however, the whole Internet community must do them together for success.

The first step is to close unnecessary open DNS resolvers. According to the Open Resolver Project (openresolverproject.org), there are approximately 27 million open DNS resolvers in the world today. If the organizations that manage these open resolvers would restrict them to only respond to internal queries, it would make it much more difficult for DDoS attackers to use those DNS servers against victims on the Internet.

It isn’t difficult to secure and close DNS servers to external traffic. If DNS administrators restricted recursive DNS queries to their internal networks, it would do a lot to prevent attackers from using them in amplification attacks. This is more of an awareness issue than a technical one.

The second step is to prevent spoofing on the Internet. There’s almost no reason someone in a network should be able to send traffic that looks like it comes from someone else. Firewalls, unified threat management appliances, routers, and other network gateway devices are almost always able to detect internal spoofing by recognizing when an internal address sends traffic that appears to be from a different network. If everyone on the Internet — especially service providers — would use this feature to block spoofing at the network level, then attackers would not be able to launch these debilitating types of attacks.
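The two mitigations above, and the recursive-versus-authoritative policy described earlier, expressed as checks a resolver or gateway could apply. This is an added example, not code from the article or from WatchGuard; the internal prefixes, the authoritative zone and the sample queries are constructed for illustration.

```python
"""Added example: the article's two DDoS-amplification mitigations as policy checks."""
import ipaddress

# Assumed internal address space of the organisation (constructed, not from the article).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
# Zones this server is authoritative for (constructed example zone).
AUTH_ZONES = ("example.com.",)


def is_internal(src):
    """True if the client's source address falls inside the internal prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERNAL_NETS)


def in_auth_zone(qname):
    """True if the query name is the authoritative zone itself or a name under it."""
    name = qname.lower().rstrip(".") + "."
    return any(name == zone or name.endswith("." + zone) for zone in AUTH_ZONES)


def resolver_should_answer(src, qname):
    """Step 1 (close the open resolver): recursion for internal clients only.
    External clients get answers only for the zones we are authoritative for.
    In BIND this is the policy behind an 'allow-recursion { internal; };' ACL."""
    if is_internal(src):
        return True
    return in_auth_zone(qname)


def ingress_filter_accepts(iface_prefixes, src):
    """Step 2 (stop spoofing at the gateway, BCP 38 style): a packet arriving on an
    interface is accepted only if its source lies in the prefixes assigned to it."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in iface_prefixes)


def audit_queries(queries):
    """Return the (source, qname) pairs an open resolver would answer but a closed
    one refuses: external sources asking about domains we are not authoritative for."""
    return [q for q in queries if not resolver_should_answer(*q)]


# Constructed sample of (source address, query name) pairs as a resolver might log them.
SAMPLE_QUERIES = [
    ("10.1.2.3", "www.example.org."),       # internal client: recursion is fine
    ("198.51.100.7", "mail.example.com."),  # external client asking about our own zone
    ("198.51.100.7", "isc.org."),           # external client asking about any domain
]

if __name__ == "__main__":
    print("open-resolver misuse:", audit_queries(SAMPLE_QUERIES))
    print("spoofed packet accepted:", ingress_filter_accepts(["10.0.0.0/8"], "198.51.100.7"))
```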

In short, those who don’t secure their own DNS resolvers are keeping others at risk. If you run an open DNS resolver or a network gateway device, follow the best practices outlined above to make it harder for the bad guys to misuse servers and make the Internet a safer place for both businesses and consumers.

Corey Nachreiner, CISSP, is Director of Security Strategy for WatchGuard and an expert on this emerging form of DDoS attack. To request more information about WatchGuard, visit www.securityinfowatch.com/10863399.