DNS DDoS continues on the trend line established in 2014 – with tens of billions of malicious queries Internet-wide every day. Many of the domains attacked are lightly trafficked, but popular (Alexa 5000) domains are commonly targeted. For example alternative news sites, a university, and ecommerce sites have been attacked in the past couple of months. Attacks on popular domains require extra care when mitigating to avoid blocking legitimate queries.
Recent analysis of DNS data revealed some interesting pictures. Drilling down into detailed data for a single resolver showed one of the DDoS attacks that occur every day. In this case a small domain, 888fy.com, representing a gaming site in China (a common category of targets) was attacked. The graph below shows 2 different attacks, each lasting several hours.
Nominum Research shows about 15% of DNS DDoS traffic is amplification yet it still has impact (the rest are random subdomains). Data also shows bad guys continue to leverage open DNS resolvers which after more than 2 years might be considered an “old-days” technique, yet there are still around 17 million of them on the Internet. More recently our research teams have seen bots sending amplification queries.
Europol recently took control of the ramnit botnet in order to disrupt more than 3.2 million infections around the world. Ramnit is a sophisticated bot that appeared in 2010 and spread quickly. It enables remote access to infected machines and can steal files and credentials. It can also monitor web browsing and even use stolen website cookies to impersonate victims. Internet users are nearly always unaware they have been infected by malware and usually not well equipped to deal with infections even when they are made aware. It is also not realistic to expect all bots will be taken down, in fact the reverse is true, few bots are.
The ongoing protests in Hong Kong are attracting worldwide attention. Less visible is a connection to the ongoing DNS-based DDoS attacks that started early this year. On Sunday Sept 28 attackers used DNS based DDoS to target Passion Times, a local Hong Kong newspaper (http://www.passiontimes.hk/). The site was brought down for most of the day and had to resort to Facebook (https://www.facebook.com/passiontimes) in order to get the news out.
A new kind of DDoS attack is currently stressing DNS infrastructure everywhere. Attackers gain access to DNS resolvers through home gateways with open DNS proxies. Proxies forward large bursts of queries with spoofed IP addresses to whatever resolver they are configured to use, usually an ISP resolver. With these attacks the overwhelming majority of queries require recursion so resolvers in turn query authoritative servers to get answers.
A Terabyte stream of anonymized DNS data collected every day from around the world reveals lots of interesting things. Nominum researchers have developed algorithms to sort through trillions of transactions and find what is usually a tiny fraction that aren’t legitimate. Some are queries for controlling malware, some are to send spam, and most recently lots more queries are for DDoS.
We’ve written extensively about open DNS proxies running in home gateways (“open home gateways”). Affected devices proxy DNS queries received on their WAN interface to whatever DNS resolver they are configured to use. This is typically the DNS configured by the ISP. The DNS has always been a handy tool for various kinds of attacks and the presence of these gateways gives attackers a back door into provider networks.
A new variant of DNS amplification attack relies on home gateways with open DNS proxies to forward DNS queries to ISP resolvers. To launch this exploit attackers can deploy their exploit code anywhere on the Internet that allows address spoofing, a compromised server in a hosting facility for example. From there DNS queries can be targeted at any network with open home gateways. These queries enter ISP networks at border routers.
Network Functions Virtualization (NFV) is getting a lot of attention in Telecom circles these days. Initiated by leading providers around the world the NFV effort now has more than 150 participants crossing all of the functional boundaries in networking. NFV has been motivated by the astonishing array of appliances that have crept into provider networks. Even DNS appliances have emerged but the value proposition is almost exclusively around convenience rather than optimizing DNS for carrier environments.