id2956907matrix434036100606417orig
Security

Attackers launch multi-vector DDoS attacks that use DNSSEC amplification

DDoS attacks are becoming increasingly sophisticated, combining multiple attack techniques that require different mitigation strategies, and abusing new protocols.

Incident responders from Akamai recently helped mitigate a DDoS attack against an unnamed European media organization that peaked at 363G bps (bits per second) and 57 million packets per second.

While the size itself was impressive and way above what a single organization could fight off on its own, the attack also stood out because it combined six different techniques, or vectors: DNS reflection, SYN flood, UDP fragment, PUSH flood, TCP flood, and UDP flood.

Almost 60 percent of all DDoS attacks observed during the first quarter of this year were multi-vector attacks, Akamai said in a report released last month. The majority of them used two vectors, and only 2 percent used five or more techniques.

The DNS (Domain Name System) reflection technique used in this large attack was also interesting, because attackers abused DNSSEC-enabled domains in order to generate larger responses.

DNS reflection involves abusing misconfigured DNS resolvers that respond to spoofed requests. Attackers can send DNS queries to these servers on the Internet by specifying the target's Internet Protocol (IP) address as the request's source address. This causes the server to direct its response to the victim instead of the real source of the DNS query.

This reflection is valuable for attackers because it hides the real source of the malicious traffic and because it can have an amplification effect: the responses sent to the victim by DNS servers are larger in size than the queries that triggered them, allowing attackers to generate more traffic than they could otherwise.

The use of queries for domain names configured for Domain Name System Security Extension (DNSSEC) only adds to the amplification factor, as DNSSEC responses are even larger than regular ones. That's because they have additional data used for the cryptographic verification.

DNSSEC allows clients to authenticate the source of DNS data as well as the data's integrity, ensuring that DNS responses haven't been altered en route and were provided by the authoritative servers for the queried domain names.

"During the past few quarters, Akamai has observed and mitigated many DNS reflection and amplification DDoS attacks that abuse DNSSEC-configured domains," the Akamai researchers said in an advisory released Tuesday.

The company has observed the same DNSSEC-configured domain name being abused in DDoS amplification attacks against targets in different industries.

A separate Akamai advisory released Tuesday describes several DDoS campaigns this year against the network of the Massachusetts Institute of Technology. One of those attacks occurred in April and used DNS reflection by triggering responses for cpsc.gov and isc.org, two DNSSEC-enabled domain names.

"The domain owners themselves are not at fault and don't feel the effects of these attacks," the Akamai researchers said. "Attackers abuse open resolvers by sending a barrage of spoofed DNS queries where the IP source is set to be the MIT target IP. Most of these servers will cache the initial response so multiple queries are not made to the authoritative name servers."

Unfortunately, DNS is not the only protocol that can be used for DDoS amplification. The NTP, CHARGEN and SSDP protocols are also commonly used in such attacks and, unfortunately, as long as misconfigured servers and devices are available on the Internet, this technique will continue to be favored by attackers.

IDG Insider

PREVIOUS ARTICLE

« Why your employees are overworked, burnt out and unmotivated

NEXT ARTICLE

IBM grows in cloud and data analytics but overall revenue slides »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Amazon Cloud looms over China: Bezos enters Alibaba home ground

Lewis Page gets down to business across global tech

Poll

Do you think your smartphone is making you a workaholic?