Nominum Research shows about 15% of DNS DDoS traffic is amplification, yet it still has impact (the rest is random subdomain queries). Data also shows attackers continue to leverage open DNS resolvers, which after more than 2 years might be considered an “old-days” technique, yet there are still around 17 million of them on the Internet. More recently our research teams have seen bots sending amplification queries.
Europol recently took control of the Ramnit botnet in order to disrupt more than 3.2 million infections around the world. Ramnit is a sophisticated bot that appeared in 2010 and spread quickly. It enables remote access to infected machines and can steal files and credentials. It can also monitor web browsing and even use stolen website cookies to impersonate victims. Internet users are nearly always unaware they have been infected by malware and are usually not well equipped to deal with infections even when they are made aware. It is also not realistic to expect all bots will be taken down; in fact, the reverse is true: few are.
The ongoing protests in Hong Kong are attracting worldwide attention. Less visible is a connection to the ongoing DNS-based DDoS attacks that started early this year. On Sunday, Sept 28, attackers used a DNS-based DDoS attack to target Passion Times, a local Hong Kong newspaper (http://www.passiontimes.hk/). The site was brought down for most of the day and had to resort to Facebook (https://www.facebook.com/passiontimes) in order to get the news out.
A new kind of DDoS attack is currently stressing DNS infrastructure everywhere. Attackers gain access to DNS resolvers through home gateways with open DNS proxies. Proxies forward large bursts of queries with spoofed IP addresses to whatever resolver they are configured to use, usually an ISP resolver. With these attacks the overwhelming majority of queries require recursion so resolvers in turn query authoritative servers to get answers.
A terabyte stream of anonymized DNS data collected every day from around the world reveals lots of interesting things. Nominum researchers have developed algorithms to sort through trillions of transactions and find what is usually a tiny fraction that isn’t legitimate. Some are queries for controlling malware, some are to send spam, and most recently lots more queries are for DDoS.
Reducing overhead, delivering ROI, and going green have all become business priorities in recent years. Data centers alone now represent more than 2% of total worldwide energy consumption, with growth rates of as much as 12% per year. That’s a huge chunk of megawatts spinning processors! Reducing energy consumption is not only an eco-priority, it’s also a business imperative as overhead costs rise.
We’ve written extensively about open DNS proxies running in home gateways (“open home gateways”). Affected devices proxy DNS queries received on their WAN interface to whatever DNS resolver they are configured to use. This is typically the DNS configured by the ISP. The DNS has always been a handy tool for various kinds of attacks and the presence of these gateways gives attackers a back door into provider networks.
Integrated DNS-based applications and solutions provider Nominum is in talks with Latin American telecom operators to sell its recently launched digital marketing tool N2, CMO Sanjay Kapoor told BNamericas.
N2 leverages internet activity data from the Domain Name System (DNS), an underutilized resource that is freely available, Kapoor explained.
A new variant of DNS amplification attack relies on home gateways with open DNS proxies to forward DNS queries to ISP resolvers. To launch this exploit, attackers can deploy their code anywhere on the Internet that allows address spoofing, a compromised server in a hosting facility for example. From there, DNS queries can be targeted at any network with open home gateways. These queries enter ISP networks at border routers.