Blog Post

New Best Practice: Ingress Filtering to Deter DNS DDoS

By Bruce Van Nice

Posted on June 15, 2015 in: Security


DNS DDoS continues on the trend line established in 2014, with tens of billions of malicious queries Internet-wide every day. Many of the domains attacked are lightly trafficked, but popular (Alexa 5000) domains are commonly targeted; for example, alternative news sites, a university, and e-commerce sites have been attacked in the past couple of months. Attacks on popular domains require extra care when mitigating, to avoid blocking legitimate queries.


Death of an Authoritative Server

By Hongliang Liu

Posted on June 13, 2015 in: Network, Security


Recent analysis of DNS data revealed some interesting pictures. Drilling down into detailed data for a single resolver showed one of the DDoS attacks that occur every day. In this case a small domain, 888fy.com, representing a gaming site in China (a common category of target), was attacked. The graph below shows two different attacks, each lasting several hours.


DNS Amplification Attacks and Truncated Responses

By Erik Wu

Posted on June 12, 2015 in: Security


Nominum research shows that about 15% of DNS DDoS traffic is amplification (the rest is random-subdomain queries), yet it still has an impact. Data also shows that attackers continue to leverage open DNS resolvers, which after more than two years might be considered an “old-days” technique, yet there are still around 17 million of them on the Internet. More recently our research teams have seen bots sending amplification queries directly.


Better than Bot Takedowns

By Thomas Orthbandt

Posted on March 3, 2015 in: Network, Security


Europol recently took control of the Ramnit botnet in order to disrupt more than 3.2 million infections around the world. Ramnit is a sophisticated bot that appeared in 2010 and spread quickly. It enables remote access to infected machines and can steal files and credentials. It can also monitor web browsing and even use stolen website cookies to impersonate victims. Internet users are nearly always unaware they have been infected by malware and are usually not well equipped to deal with infections even when they are made aware. It is also not realistic to expect that all bots will be taken down; in fact the reverse is true: few are.


DNS DDoS Takes Down Hong Kong Paper

By Thomas Orthbandt

Posted on October 2, 2014 in: Security

The ongoing protests in Hong Kong are attracting worldwide attention. Less visible is a connection to the ongoing DNS-based DDoS attacks that started early this year. On Sunday, Sept 28, attackers used DNS-based DDoS to target Passion Times, a local Hong Kong newspaper (http://www.passiontimes.hk/). The site was brought down for most of the day and had to resort to Facebook (https://www.facebook.com/passiontimes) in order to get the news out.


Response Rate Limiting Bites Back?

By Thomas Orthbandt

Posted on September 24, 2014 in: Security

A new kind of DDoS attack is currently stressing DNS infrastructure everywhere. Attackers reach DNS resolvers through home gateways running open DNS proxies. The proxies forward large bursts of queries with spoofed source IP addresses to whatever resolver they are configured to use, usually an ISP resolver. In these attacks the overwhelming majority of queries require recursion, so resolvers in turn query authoritative servers to get answers.


Digging Deep into DNS Data Discloses Damaging Domains

By Thomas Orthbandt

Posted on September 17, 2014 in: Security

A terabyte stream of anonymized DNS data, collected every day from around the world, reveals lots of interesting things. Nominum researchers have developed algorithms to sort through trillions of transactions and find the usually tiny fraction that isn't legitimate. Some are queries for controlling malware, some are for sending spam, and most recently many more queries are for DDoS.


Progress on Open Home Gateways

By Thomas Orthbandt

Posted on July 14, 2014 in: Network, Security


We’ve written extensively about open DNS proxies running in home gateways (“open home gateways”). Affected devices proxy DNS queries received on their WAN interface to whatever DNS resolver they are configured to use, typically the resolver configured by the ISP. The DNS has always been a handy tool for various kinds of attacks, and the presence of these gateways gives attackers a back door into provider networks.


Deterring DNS Amplification: Considerations for Filtering at Network Borders

By Thomas Orthbandt

Posted on April 29, 2014 in: Security


A new variant of the DNS amplification attack relies on home gateways with open DNS proxies to forward DNS queries to ISP resolvers. To launch it, attackers can run their code anywhere on the Internet that allows source-address spoofing, a compromised server in a hosting facility for example. From there DNS queries can be directed at any network with open home gateways. These queries enter ISP networks at border routers.


Software is Strategic, Hardware is Generic

By Thomas Orthbandt

Posted on December 16, 2013 in: Network, Security


Network Functions Virtualization (NFV) is getting a lot of attention in telecom circles these days. Initiated by leading providers around the world, the NFV effort now has more than 150 participants crossing all of the functional boundaries in networking. NFV has been motivated by the astonishing array of appliances that have crept into provider networks. Even DNS appliances have emerged, but their value proposition is almost exclusively about convenience rather than optimizing DNS for carrier environments.
