The ongoing protests in Hong Kong are attracting worldwide attention. Less visible is a connection to the DNS-based DDoS attacks that started early this year. On Sunday, Sept 28, attackers used a DNS-based DDoS to target Passion Times, a local Hong Kong newspaper (http://www.passiontimes.hk/). The site was down for most of the day and had to fall back on Facebook (https://www.facebook.com/passiontimes) to get its news out.
A new kind of DDoS attack is currently stressing DNS infrastructure everywhere. Attackers reach DNS resolvers through home gateways with open DNS proxies. The proxies forward large bursts of queries carrying spoofed source IP addresses to whatever resolver they are configured to use, usually an ISP resolver. Because the overwhelming majority of these queries require recursion, the resolvers in turn query authoritative servers to obtain answers, so the load spreads beyond the ISP.
A terabyte-scale stream of anonymized DNS data, collected every day from around the world, reveals a great deal. Nominum researchers have developed algorithms that sort through trillions of transactions to isolate the usually tiny fraction that are not legitimate. Some are queries used to control malware, some support spam delivery, and most recently a growing share are DDoS traffic.
Reducing overhead, delivering ROI, and going green have all become business priorities in recent years. Data centers alone now represent more than 2% of total worldwide energy consumption, with growth rates of as much as 12% per year. That’s a huge chunk of megawatts spinning processors! Reducing energy consumption is not only an eco-priority, it’s also a business imperative as overhead costs rise.
We’ve written extensively about open DNS proxies running in home gateways (“open home gateways”). Affected devices proxy DNS queries received on their WAN interface to whatever DNS resolver they are configured to use, which is typically the resolver assigned by the ISP. The DNS has always been a handy tool for various kinds of attacks, and the presence of these gateways gives attackers a back door into provider networks.
Integrated DNS-based applications and solutions provider Nominum is in talks with Latin American telecom operators to sell its recently launched digital marketing tool N2, CMO Sanjay Kapoor told BNamericas.
N2 leverages internet activity data from the Domain Name System (DNS), an underutilized resource that is freely available, Kapoor explained.
A new variant of DNS amplification attack relies on home gateways with open DNS proxies to forward DNS queries to ISP resolvers. To launch it, attackers can run their code from anywhere on the Internet that allows source-address spoofing, a compromised server in a hosting facility for example. From there, DNS queries can be directed at any network with open home gateways. These queries enter ISP networks at border routers.
I don’t think anyone would dispute software is the new currency in networks.
The Network Functions Virtualization (NFV) initiative calls for defining and deploying the next generation of network functions in software rather than on specialized hardware. Software Defined Networking (SDN) is another visible trend which, although currently focused on data centers, is predicted to affect networking markets broadly in the future.
Network Functions Virtualization (NFV) is getting a lot of attention in telecom circles these days. Initiated by leading providers around the world, the NFV effort now has more than 150 participants spanning all of the functional boundaries in networking. NFV has been motivated by the astonishing array of appliances that have crept into provider networks. Even DNS appliances have emerged, but their value proposition is almost exclusively convenience rather than optimizing DNS for carrier environments.
Previous posts (Part 1 and Part 2) offer background on the DNS amplification attacks being observed around the world. These attacks continue to evolve. Early attacks focused on authoritative servers, using “ANY” queries for domains that were well known to offer good amplification. Response Rate Limiting (RRL) was developed in response to these early attacks. RRL, as the name suggests, is deployed on authoritative servers to rate-limit responses for target names. It groups requester IP addresses by prefix (/24 for IPv4 and /56 for IPv6) together with the queried name, and sends a truncated response (which legitimate clients retry over TCP, while spoofed requesters never do) to requests that exceed a configured limit.