The threat posed by DDoS attacks is ever-growing and something I have talked about on numerous occasions at security conferences this year. As it continues to be a topic which interests and concerns the industry as a whole, I decided to write down my predictions around what 2013 will carry with it and why I think DNS reflection attacks (and other amplification attacks) will play a more predominant part in DDoS attacks in the future.
For those of you I have spoken to on the topic before, it’s a theme I regularly stress. The major driver of these types of DNS attacks is the decreasing number of bots available for rent. One explanation is that the authorities have been more effective at closing down major botnets.
With the decreasing number of bots now available, hacktivists and other cyber criminals are finding new ways in which to amplify their attacks.
So how does a DNS reflection attack work? It is actually quite simple, and is based around amplifying the data you generate by reflecting it via an open DNS resolver.
Imagine that you send a DNS query with a packet size of 40 bytes to a DNS server and get back 2500 bytes in the DNS response. That sounds like a pretty good deal, right? Now, what if you spoofed the source IP to reflect the attack against your target/victim via the open DNS resolver? You can see where this is leading… The DNS resolver will generate a huge amount of data and send it to the spoofed IP address.
Because DNS runs over UDP, a connectionless protocol with no handshake, there is really no source address verification. This means the attacker can easily spoof the source address and have the resolver deliver the amplified response to the victim instead.
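To make the mechanism above concrete from the defender's side, here is an added example (not code from the original post) that looks at NetFlow-style records and flags hosts whose inbound DNS reply volume dwarfs the queries they actually sent, which is what a reflected flood looks like at the victim's network edge. All addresses and flow records are constructed sample data; the field layout and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 203.0.113.10 and 203.0.113.11 are victims: they receive large UDP/53 replies they
# (almost) never asked for. 198.51.100.7 is a normal client whose replies are
# roughly the size of its own queries. The TCP record is there to show it is ignored.
FLOWS = [
    ("198.51.100.7", 51111, "192.0.2.53", 53, "udp", 60),     # ordinary query
    ("192.0.2.53", 53, "198.51.100.7", 51111, "udp", 140),    # ordinary reply
    ("192.0.2.53", 53, "203.0.113.10", 40000, "udp", 2500),   # reflected reply
    ("192.0.2.54", 53, "203.0.113.10", 40000, "udp", 2480),
    ("192.0.2.55", 53, "203.0.113.10", 40001, "udp", 2600),
    ("203.0.113.10", 40002, "192.0.2.56", 53, "udp", 40),     # one real query from victim
    ("192.0.2.56", 53, "203.0.113.10", 40002, "udp", 2520),
    ("192.0.2.57", 53, "203.0.113.11", 40010, "udp", 3000),   # victim with zero queries
    ("192.0.2.58", 53, "203.0.113.12", 40011, "tcp", 5000),   # TCP, not counted
]


def dns_byte_tally(flows):
    """Per host: bytes it sent as UDP DNS queries and bytes it received as UDP DNS replies."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 53:
            sent[src] += nbytes
        elif sport == 53:
            received[dst] += nbytes
    return sent, received


def reflection_candidates(flows, ratio_threshold=50.0, min_bytes=1000):
    """Hosts whose inbound DNS reply bytes exceed their outbound query bytes by
    ratio_threshold (or that received replies without sending any query at all).
    min_bytes keeps single large but legitimate replies from raising an alert."""
    sent, received = dns_byte_tally(flows)
    hits = {}
    for host, rx in received.items():
        if rx < min_bytes:
            continue
        tx = sent.get(host, 0)
        ratio = rx / tx if tx else float("inf")  # unsolicited replies: infinite ratio
        if ratio >= ratio_threshold:
            hits[host] = {"reply_bytes": rx, "query_bytes": tx, "ratio": ratio}
    return hits


if __name__ == "__main__":
    for host, info in reflection_candidates(FLOWS).items():
        print(host, info)
```

On real flow data the same logic belongs in a short sliding window rather than over a whole capture, so that a burst of unsolicited replies stands out against the host's normal query rate.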
I believe DNS reflection attacks will be a preferred tool for three simple reasons:
1.) In the list of the top ten AS numbers with the most open DNS resolvers you find around 20 000 open DNS resolvers (*)
2.) You can amplify an attack with a factor of 250 and it requires little bandwidth from the cyber criminals. The more bots you are in control of, the bigger effect it can have
3.) As the attack is reflected, very often the open DNS resolver has little logging turned on so the cyber criminals can easily hide behind them
Over the last two years, we have seen an increasing number of attacks using this technique and it has been very effective for cyber criminals. A few attacks have recorded speeds of up to 35 Gbps, more than enough to take out an average company’s internet connection.
One thing to remember, however, is that very often the DDoS attack is just a smoke screen for a more sophisticated attack that can potentially cost the company even more money.
The problem here is to find the needle in the haystack. How do your security products cope with the influx of traffic during a DDoS attack? More importantly, can they find things like SQL injection attacks in the storm of traffic?
So how can you protect your business in light of such threats? The approach is very often layered, which means that you need to combine a defense against network layer DDoS attacks (L2-L4) with a defense against application layer DDoS attacks (L5-L7).
I believe that a combination of on-premise equipment for detecting network based DDoS attacks and attacks on the application level allows you to close the window for cyber criminals and more efficiently stop any attack on a network and application layer.
To answer the question in the headline, the risk of being “DDoS attacked” has never been greater. DDoS attacks have become the de facto standard for online protests and they will continue to be used by hacktivists to make themselves heard, whether for political, ideological, financial or religious reasons. Our job is to ensure we continue to build the best solutions to prevent such attacks.
Feel free to reach out to discuss the best way to protect your business with any of our system engineers!
References: (*) HostExploit, World Hosts Report Q3 2012