Have We Reacted To The DNS DDoS Trap?

DDoS

March 26th marked “opening day” for the season of DNS reflection attacks when an email spammer, CyberBunker, fought with an anti-spam service, Spamhaus. The reported traffic peak of 300 gigabits per second was double the previous record. But has the threat of another such attack lessened since March? Well, no.

The more interesting question here is whether there is anything we can do? And for this, I believe there are measures we should be taking to understand the threat and protect ourselves.

Experts are saying that these enormous volumetric attacks will gain in popularity due to the fact that they leverage existing DNS servers on the Internet – there is no need to recruit one’s own botnet, or even rent one. These types of attacks are called reflection (and sometimes amplification) because a relatively few, small requests directed at a DNS server result in a significantly higher amount of response traffic that is forwarded towards the victim.

Enterprises will be asking themselves what can be done, either at the organisational level or as an industry, to address the threat. The good news is that this type of systemic problem has been faced before, and to some extent, fixed. Remember when email spam was the majority of Internet traffic? DNS reflection attacks are a similar problem, though, thank goodness, there isn’t the same insane direct profit motive that drove email spam.

The main trend that enables DNS reflection attacks is the continued tolerance of open DNS resolvers on the Internet. A DNS server is considered to be an “open” resolver if it will accept and forward name queries for domains that it does not serve. These open resolvers can then be used in this way to generate the traffic load against the victim.

Typically a resolver does not need be open – it is usually just misconfiguration that causes this and the owner/operation doesn’t even know it is happening. The Open DNS resolver project lists twenty five million of these servers. If they were considered a botnet it would be among the largest and most powerful botnets ever created.

Another aspect that enforces the status quo and enables DNS reflection attacks is the devotion to the minimisation of latency. Everyone wants the Internet to be fast (who wouldn’t?) and a responsive DNS system is seen as key. The very, very large DNS systems deployed by carriers can and do regularly respond to millions of queries per second.

Single-packet requests and responses via User Datagram Protocols (UDP) are used to achieve this scale. But the stateless nature of UDP means that it does not provide identity and is effectively “untraceable” – attackers can very easily spoof UDP packets and the DNS servers have no way to tell that this has been done and that by responding they may be unwittingly attacking an innocent victim.

So, is there a way out of this DNS DDoS trap?

A smarter DNS infrastructure is the answer; a smarter infrastructure that is mindful about not just its positive impact but also its destructive ability. Enterprises, vendors and services can work together to bring the DNS infrastructure to this higher plane of intelligence.

Vendors need to make smarter DNS products. The current defensive techniques, such as ignoring the first request, are crude and aren’t solving the reflection problem. The new class of DNS servers must be aware of attacks and rate-limit their responses in pathological situations. One idea, whose time might have come, is to detect attack conditions and then redirect incoming queries to use Transmission Control Protocol (TCP) for the duration of the attack.

Initially this may imply higher latency (due to TCP overhead). This will mean that some servers will need to be upgraded since many Internet DNS servers will suffer a significant performance penalty during TCP, but its effect should be temporary (just the duration of an attack).

Businesses should tighten their configurations to prevent the kind of amplification requests that caused the March 26th attack. Specifically, there is very little reason that a server should respond with an entire zone dump except to specifically whitelisted addresses. Companies can also block the requests of the “any” record type, for which there aren’t many common uses anyway.

One of the contributing factors that have helped mitigate email spam (itself a volumetric attack) was the existence of blacklisting services (such as a Spamhaus, there is irony here). Spamhaus monitored the Internet for open mail relays and advertised that intelligence as a service – enterprises used the Spamhaus lists to automatically block spam. For DNS, there are several free services that monitor the millions open DNS relays on the Internet.

“Shame isn’t working”

So far, the only method attempted to close the twenty five million open resolvers is mild public shaming via these public lists. Clearly though, merely being on this list isn’t working, and in fact, publishing the list is like handing out the addresses of a giant botnet to anyone who wants to use it! Since shame isn’t working, perhaps the time has come for more extreme measures. Moving forward, if “good” DNS servers stop responding to the blacklisted open resolvers, this may force the indolent to clean up their acts, just as services such as Spamhaus have done for email.

The conflict between CyberBunker and Spamhaus may be over, as the individual attacker was recently arrested (after being shown to have launched his attack from his own high-tech van). However, unless the industry builds a smarter DNS infrastructure, the DDoS war with DNS reflection attacks may just be starting.

SHARETweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Pin on PinterestDigg thisShare on RedditShare on TumblrShare on StumbleUponEmail this to someone
Joakim Sundberg

Joakim Sundberg is a 14-year veteran of the IT security business. He has held several senior and leading positions with some of the largest and most respected IT security companies in the world. He follows the trends and methods used over the last few years by organised cybercrime groups on the Internet. Today, Joakim is a Security Solution Architect at F5 Networks, focusing primarily on network security and DDoS prevention.