Open DNS resolvers increasingly abused to amplify DDoS attacks, report says

The frequency of DNS-based DDoS amplification attacks has increased, researchers say

Open and misconfigured DNS (Domain Name System) resolvers are increasingly used to amplify distributed denial-of-service (DDoS) attacks, according to a report released Wednesday by HostExploit, an organization that tracks Internet hosts involved in cybercriminal activities.

In the latest edition of its World Hosts Report, which covers the third quarter of 2012, the organization included data about open DNS resolvers and the Autonomous Systems -- large blocks of Internet Protocol (IP) addresses controlled by network operators -- where they are located.

That's because, according to HostExploit, incorrectly configured open DNS resolvers -- servers that can be used by anyone to resolve domain names to IP addresses -- are increasingly abused to launch powerful DDoS attacks.

DNS amplification attacks date back more than 10 years and are based on the fact that small DNS queries can result in significantly larger DNS responses.

An attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target's IP address. As a result, the resolvers will send their large responses back to the victim's IP address instead of the sender's address.

In addition to having an amplification effect, this technique makes it very hard for the victim to determine the original source of the attack and also makes it impossible for name servers higher up on the DNS chain that are queried by the abused open DNS resolvers to see the IP address of the victim.

"The fact that so many of these unmanaged open recursors exist allow the attackers to obfuscate the destination IPs of the actual DDoS targets from the operators of the authoritative servers whose large records they're abusing," said Roland Dobbins, solutions architect in the Security & Engineering Response Team at DDoS protection vendor Arbor Networks, Thursday via email.

"It's also important to note that the deployment of DNSSEC has made DNS reflection/amplification attacks quite a bit easier, as the smallest response the attacker will stimulate for any query he chooses is at least 1300 bytes," Dobbins said.

Even though this attack method has been known for years, "DDoS amplification is used far more frequently now and to devastating effect," Bryn Thompson of HostExploit wrote Wednesday in a blog post.

"We have seen this recently and we see it increasing," Neal Quinn, the chief operating officer of DDoS mitigation vendor Prolexic, said Thursday via email.

"This technique allows relatively small botnets to create large floods toward their target," Quinn said. "The problem is serious because it creates large volumes of traffic, which can be difficult to manage for many networks without use of a cloud mitigation provider."

Dobbins couldn't immediately share any data about the recent frequency of DNS-based DDoS amplification attacks, but noted that SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol) reflection/amplification attacks "can also generate very large, overwhelming attack sizes."

In its report, HostExploit ranked the Autonomous Systems with the largest number of open DNS resolvers in their IP address spaces. The top one, controlled by Terra Networks Chile, contains more than 3,200 open resolvers in a pool of around 1.3 million IPs. The second one, controlled by Telecomunicacoes de Santa Catarina (TELESC) -- now part of Oi, Brazil's largest telecom operator -- contains nearly 3,000 resolvers in a space of 6.3 million IP addresses.

"It should be stressed open recursive nameservers are not a problem in themselves; it is the mis-configuration of a nameserver where the potential problem lays," HostExploit said in its report.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags arbor networksonline safetysecurityProlexicExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?