Previous posts (Part 1 and Part 2) offer background on DNS amplification attacks being observed around the world. These attacks continue to evolve. Early attacks focused on authoritative servers using “ANY” queries for domains that were well known to offer good amplification. Response Rate Limiting (RRL) was developed to respond to these early attacks. RRL, as the name suggests, is deployed on authoritative servers to rate limit responses to target names. It basically groups requesters IP addresses (/24 for IPV4 and /56 for IPv6) together with the name and sends a truncated response to requests that exceed a configured limit.
This post follows an earlier post about DNS amplification attacks being observed around the world. DNS Amplification Attacks are occurring regularly and even though they aren’t generating headlines targets have to deal with floods of traffic and ISP infrastructure is needlessly stressed – load balancers fail, network links get saturated, and servers get overloaded. And far more intense attacks can be launched at any time.
Geoff Huston’s recent post about the rise of DNS amplification attacks offers excellent perspective on the issue. Major incidents like the Spamhaus attack Geoff mentions at the beginning of his post make headlines, but even small attacks create noticeable floods of traffic. These attacks are easy to launch and effective even with relatively modest resources and we see evidence they’re occurring regularly. Although DNS servers are not usually the target of these attacks the increase in traffic and larger response sizes typically stress DNS infrastructure and require attention from operation teams.
Over the past few weeks we’ve been helping customers who’ve been experiencing unusual spikes in traffic on their resolvers. Data obtained using Vantio Real Time Visibility and querystore commands revealed a substantial increase in the number of ANY queries, in some cases hundreds of millions. Additional data showed the names being queried turned very small DNS questions into very large DNS answers. Both indicate a recent type of DDoS attack that leverages the DNS to amplify traffic and flood a target with it.
Nominum, the provider of the N2, an open and scalable network-based service delivery platform for communication service providers (CSPs) joined the influential global industry body, TM Forum. Nominum is helping the world’s leading CSPs offer personalized, secure connected experiences that enhance the overall customer experience. Nominum’s N2 platform allows CSPs to leverage customer behavior data and network assets to deliver the next generation in customer experience. Using the platform, CSPs can use intelligent policy management, advanced notification and action tools to increase brand loyalty, and monetize new tools and services.
Nominum analyzed customer data from around the world to find the top cyber threats ranked by degree of infection. The result was a mix of new and modern bots, and legacy bots.
Nominum analyzed customer data from around the world to find the mobile malware that presents the greatest risk to mobile subscribers. The top five mobile-device-only malware threats are:
In previous posts, Pat discussed the risks associated with BYOD, and a DNS-based approach for reducing those risks. Essentially this approach consisted of making use of an enterprise’s caching DNS server to monitor and block DNS queries to known botnet command and control (C&C) domains. Finding these C&C domains is something Nominum does quite well.
In part 1, I talked about some of the risks associated with BYOD. But there are actions you can take to greatly reduce this risk. One effective method for limiting the risk of BYOD is to employ DNS-based security intelligence techniques. DNS-based security intelligence makes use of an enterprise’s caching DNS server to monitor and block DNS queries to known botnet command and control (C&C) domains. These domains are the domain names of the servers that are in the control of the bot master for purposes of botnet command and control. Bots will perform a DNS query for one or more of these domains in an attempt to connect to these servers in order to receive their instructions. By monitoring queries to these domains, all infected clients, including BYOD, can be identified on the network. Moreover, by subsequently blocking access to the domains, malware responsible for the bot infection is denied the critical instructions it needs to function.
Ah, BYOD. How I love thee.
BYOD, or “Bring Your Own Device”, gives me choices. I can use a device at work I actually like and am most effective with. (How did I ever get by without my iPad?)