
DNS servers do hackers' dirty work

New twist on denial-of-service attacks could intensify cybercriminals' threat to online business.

Joris Evers Staff Writer, CNET News.com
In a twist on distributed denial-of-service attacks, cybercriminals are using DNS servers--the phonebooks of the Internet--to amplify their assaults and disrupt online business.

Earlier this year, VeriSign experienced attacks on its systems that were larger than anything it had ever seen before, it said last week. The Mountain View, Calif.-based company, which helps companies do business on the Web, discovered that the assaults weren't coming from commandeered "bot" computers, as is common. Instead, its machines were under attack by DNS (domain name system) servers.

"DNS is now a major vector for DDOS," Dan Kaminsky, a security researcher said, referring to distributed denial-of-service attacks. "The bar has been lowered. People with fewer resources can now launch potentially crippling attacks."

Just as in any DDOS attack, the target system--which could be a victim's Web server, name server or mail server--is inundated with a multitude of data coming from multiple systems on the Internet. The goal is to make the target unreachable online by flooding the data connection or by crashing it as it tries to handle the incoming data.

Such attacks were once the tool of bored teenagers who got a kick out of seeing Web sites crumble. But these days, DDOS attacks are sometimes used by criminals looking to extort money from online businesses--especially those on the margins, such as gambling sites and the adult-entertainment industry.

"We're past the era where denial of service simply happens because kids are looking for a good time," Kaminsky said.

Unlike a commandeered PC, a DNS server is a valid and good citizen of the Internet. The systems play a critical role in connecting Web users, mapping text-based domain names such as www.cnet.com to the numerical IP addresses used by computers.

In this new kind of attack, an assailant typically uses a botnet to send a large number of queries to open DNS servers. These queries are "spoofed" to look like they come from the target of the flooding, and the DNS server sends its reply to that network address rather than to the bot that actually asked.

Using DNS servers to do their dirty work offers key benefits to attackers. It hides their systems, making it harder for the victim to find the original source of the attack. But more important, reflecting an attack through a DNS server also allows the assault to be amplified, delivering a larger amount of malicious traffic to the target.

Amplified response
A single DNS query could trigger a response that is as much as 73 times larger than the request, according to a recent paper by Randal Vaughn, a professor of information systems at Baylor University, and Gadi Evron, the manager of the Computer Emergency Response Team at Israel's ministry of finance.


"Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address," Vaughn and Evron wrote.
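The mechanics behind the two paragraphs above (a recursive query with nothing that authenticates its sender, and a reply many times its size) can be seen on the wire. The following is an added example, not code from the article or from the Vaughn and Evron paper: it builds the query an attacker would send with a forged source address, decodes the header flags that reveal whether a resolver served recursion to an outsider, and computes the amplification ratio. The resolver reply is constructed locally so the script runs offline; the domain name, record contents and the `probe()` helper's target are placeholders.

```python
"""DNS reflection/amplification building blocks (added example; standard library only)."""
import socket
import struct

QTYPE_ANY = 255    # the classic amplification query: "give me everything"
QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name):
    """'example.net' -> b'\\x07example\\x03net\\x00' (DNS label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """Recursive (RD=1) query. Nothing in it authenticates the sender, which is
    why an attacker can put the victim's address in the UDP source field."""
    flags = 0x0100                      # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header; the flags word carries QR, RD, RA and RCODE."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def is_open_resolver(response):
    """True when a recursive query from an arbitrary client was served:
    RA=1 with RCODE NOERROR (0) or NXDOMAIN (3). RA=0 or REFUSED (5) means
    recursion was denied to this client."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] in (0, 3)


def txt_rdata(text):
    """TXT RDATA is one or more <len><chars> strings of at most 255 bytes."""
    data = text.encode("ascii")
    assert len(data) <= 255
    return bytes([len(data)]) + data


def build_response(query, rdata_list, ra=True, rcode=0):
    """Constructed resolver reply to `query`: same ID, question echoed, one TXT
    record per rdata. 0xC00C is a compression pointer to the question name."""
    h = parse_header(query)
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode   # QR=1, RD copied back
    question = query[12:]
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, QTYPE_TXT, QCLASS_IN, 3600, len(rd)) + rd
        for rd in rdata_list)
    header = struct.pack("!HHHHHH", h["id"], flags, 1, len(rdata_list), 0, 0)
    return header + question + answers


def amplification(query, response):
    """Bytes delivered to the spoofed address per byte the attacker sent."""
    return len(response) / len(query)


def probe(resolver, name="example.net", timeout=2.0):
    """Live check of one resolver you are authorised to test: send the query
    from this host and see whether recursion was granted. Not run offline."""
    q = build_query(name, QTYPE_ANY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        reply, _ = s.recvfrom(4096)
    if parse_header(reply)["id"] != parse_header(q)["id"]:
        return None                     # not an answer to our query
    return is_open_resolver(reply)


def demo():
    """A 29-byte ANY query against a zone padded with eight 247-character TXT
    records (SPF-style) comes back as about 2.1 KB: a factor of roughly 73."""
    q = build_query("example.net", QTYPE_ANY)
    served = build_response(q, [txt_rdata("v=spf1 " + "x" * 240)] * 8)
    denied = build_response(q, [], ra=False, rcode=5)
    return {"query_bytes": len(q), "response_bytes": len(served),
            "factor": round(amplification(q, served), 1),
            "served_is_open": is_open_resolver(served),
            "denied_is_open": is_open_resolver(denied)}


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone adapting this: a UDP answer larger than 512 bytes is only delivered when the query carries an EDNS0 OPT record advertising a bigger buffer, a detail the constructed reply skips, and the ratio depends entirely on what the queried zone holds, so attackers pick names whose ANY answer is as large as possible.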

What happens during a DNS reflector and amplification attack could be compared with trying to jam up somebody's mailbox, said Paul Mockapetris, the inventor of DNS and chief scientist at secure DNS provider Nominum. A basic way to do that would be to write and mail a lot of letters. However, those letters would be traceable, and you would also have to spend a lot of time writing.

"A better way to do it would be to send in response-request cards--the kind you find in magazines--circle everything and fill in the target's address," Mockapetris said. "That would make more junk show up in the mailbox and eliminate the obvious link to you." And that's what is happening with this type of DDOS attack, he said.

It is generally possible to stop the more-common bot-delivered attack by blocking traffic from the attacking machines, which are identifiable. But blocking the responses that arrive from DNS servers brings problems in its wake. A DNS server has a valid role to play in the workings of the Internet. Blocking traffic to or from a DNS server could also mean blocking legitimate users from sending e-mail or visiting a Web site.
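What the victim can do instead of blocking port 53 outright is tell reflected replies apart from answers its own hosts asked for. The following is an added example, not from the article: it replays constructed per-packet records (RFC 5737 documentation addresses; a packet capture or Zeek's dns.log with its trans_id field yields the same fields) and flags hosts receiving DNS responses that match no outstanding query, from several distinct resolvers. The field layout and the record contents are assumptions made for the example.

```python
"""Victim-side detection of a DNS reflection flood (added example; standard library only).

Record format (constructed): ts,proto,src,sport,dst,dport,bytes,txid
"""
from collections import defaultdict

# Constructed sample: two normal lookups and their answers, five reflected
# replies from open resolvers, and one harmless late answer.
FLOWS = """\
# legitimate lookups by 192.0.2.10 and their answers
1.00,udp,192.0.2.10,40001,198.51.100.1,53,60,4369
1.02,udp,198.51.100.1,53,192.0.2.10,40001,180,4369
1.10,udp,192.0.2.10,40002,198.51.100.1,53,62,8738
1.12,udp,198.51.100.1,53,192.0.2.10,40002,210,8738
# reflected replies: five open resolvers answer queries 192.0.2.10 never sent
2.00,udp,203.0.113.1,53,192.0.2.10,80,4100,9001
2.01,udp,203.0.113.2,53,192.0.2.10,80,4100,9002
2.01,udp,203.0.113.3,53,192.0.2.10,80,4100,9003
2.02,udp,203.0.113.4,53,192.0.2.10,80,4100,9004
2.03,udp,203.0.113.5,53,192.0.2.10,80,4100,9005
# a single late answer to 192.0.2.20 (timed-out lookup), not an attack
3.00,udp,198.51.100.1,53,192.0.2.20,40100,150,1234
"""


def parse_flows(text):
    """Parse the CSV-like export into dicts, oldest first; '#' lines are comments."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, proto, src, sport, dst, dport, nbytes, txid = line.split(",")
        recs.append({"ts": float(ts), "proto": proto, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "bytes": int(nbytes),
                     "txid": int(txid)})
    return sorted(recs, key=lambda r: r["ts"])


def find_reflection(records, min_reflectors=3):
    """Match every port-53 reply against the queries our hosts sent. Replies with
    no matching (client, resolver, txid) are unsolicited; a host receiving them
    from at least `min_reflectors` distinct resolvers is reported."""
    outstanding = set()                      # (client, resolver, txid) we asked
    per_victim = defaultdict(lambda: {"reflectors": set(), "responses": 0, "bytes": 0})
    for r in records:
        if r["proto"] != "udp":
            continue
        if r["dport"] == 53:                 # our query going out
            outstanding.add((r["src"], r["dst"], r["txid"]))
        elif r["sport"] == 53:               # a reply coming in
            key = (r["dst"], r["src"], r["txid"])
            if key in outstanding:
                outstanding.discard(key)     # answer to something we asked
                continue
            v = per_victim[r["dst"]]
            v["reflectors"].add(r["src"])
            v["responses"] += 1
            v["bytes"] += r["bytes"]
    return {victim: {"reflectors": len(v["reflectors"]), "responses": v["responses"],
                     "bytes": v["bytes"]}
            for victim, v in per_victim.items()
            if len(v["reflectors"]) >= min_reflectors}


def reflection_report(text, min_reflectors=3):
    return find_reflection(parse_flows(text), min_reflectors)


if __name__ == "__main__":
    for victim, stats in reflection_report(FLOWS).items():
        print(f"{victim}: {stats['responses']} unsolicited DNS replies "
              f"({stats['bytes']} bytes) from {stats['reflectors']} resolvers")
```

In production the outstanding set should also key on the client's source port and expire entries after a few seconds, since an occasional late or duplicate answer is normal; the attack signature is volume arriving from many resolvers at once, which is why the threshold counts distinct reflectors rather than packets.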

Lowdown on Net threat

Key things to know about distributed denial-of-service attacks sent using recursive DNS queries.

Why can DNS be abused for a DDOS attack?
As many as 75 percent of all DNS servers are open to requests from anyone on the Net, a configuration in which the server accepts "recursive queries" from any client and looks up the answer on that client's behalf.

How does such an attack work?
A hacker uses a botnet to send a large number of DNS queries to open DNS servers. These queries are "spoofed" to look like they come from the target of the attack. The DNS servers that receive the query will reply to that network address.

How does this amplify the attack?
A small DNS request sent out by a bot can result in a much larger response from the DNS server. The amplification factor can exceed 70.

Why does abusing DNS protect the attacker?
The malicious traffic seen by the victim now no longer comes from the hacker's botnet, but from DNS servers. This could help hide the network of zombie PCs.

Why can't the malicious traffic be blocked?
DNS servers play a vital role on the Internet. If a company blocks its DNS server, legitimate users may no longer be able to send e-mail or surf to its Web site.

What can be done to limit these attacks?
DNS administrators should disable the recursive functionality or limit it to their own, trusted users. Also, targets of such attacks could protect themselves using technologies designed to ward them off.

Source: "DNS Amplification Attacks" by Randal Vaughn and Gadi Evron, CNET News.com research

"That's why this is a nasty attack," said Rob Fleischman, the chief technology officer at Simplicita, a Denver-based security start-up. "The DNS system is an area that is going to be under more attack. It is going to have closer scrutiny and more security."

At the heart of the problem are so-called open recursive name servers, DNS servers that will look up answers on behalf of anyone on the Net. There are about 7.5 million DNS servers, and estimates of how many are left wide open to queries range from 600,000 to 5.6 million, according to Vaughn and Evron's report.

"People who are running these open servers need to clean up their act. They are--witting or unwitting, lazy or just don't care--participants in these attacks," Mockapetris said. "They are the Typhoid Marys of the Internet."

To protect their systems, organizations with DNS servers can disable the recursive feature that lets anyone look up addresses. Alternatively, they can manage the server settings so that the recursive feature is available only to insiders. Internet service providers, as well as businesses and individuals, are among those who run DNS servers.
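The two settings the article describes, the weak one and the corrected one, as an added BIND 9 named.conf fragment (not from the article or from any vendor named in it). The network ranges in the "trusted" ACL are placeholders to be replaced with the server's own client networks.

```bind
// Weak: recursion is granted to every client. Forged queries from anywhere
// are answered in full, and the (larger) answer lands on the forged address.
options {
    recursion yes;
};

// Corrected: recursion only for the networks this server is meant to serve.
// "localhost" and "localnets" are built-in ACLs; the ranges are placeholders.
// A named.conf holds a single options block, so use one of these, not both.
acl "trusted" { 192.0.2.0/24; 2001:db8::/32; localhost; };

options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };   // cached answers stay inside too
};

// Authoritative-only server (serves its own zones, resolves nothing):
// options { recursion no; };
```

After reloading, a query sent from an address outside the ACL (for example `dig @<server> example.net`) should come back with status REFUSED and without the `ra` flag; one from inside should still succeed. In BIND 9.4 and later `allow-query-cache` defaults to the `allow-recursion` list, but stating it makes the intent explicit.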

Targets of DDOS attacks could protect themselves using technologies to ward off DDOS attacks, which are sold by vendors including Prolexic Technologies.

In the early days of the Internet, recursive DNS servers served mobile users and cached people's requests for Web site addresses, making the Net scale much better, Mockapetris said. An example of the latter was the day Jerry Garcia died in 1995, he said.

"Everybody was going off to find every Grateful Dead Web site everywhere in the world," he said. "The first person to do that would cache it in the DNS server of their access provider, so the next person would not have to go out to Katmandu to look it up."

But fast forward 10 years, and recursive servers should be something of the past, Mockapetris said. "Now people are looking for ways to attack the network, and the open recursive servers can be used as unwitting cat's paws in a denial-of-service attack," he said. "Once upon a time, everybody just trusted everybody, and you would say, 'Fine, use my server.' Now you have to be more careful about that."

Kaminsky agreed. "If you are a DNS administrator, you shouldn't be providing recursive services to the Internet anymore. It is unfortunately no longer a responsible thing to do," he said.

Increasingly, DNS is going to be used in attacks, experts said, and DNS administrators can no longer afford to be lazy.

"There are multiple of these kinds of storms that are rising, and service providers and enterprises need to figure out how to make sure that their sea walls, dams and dikes and levees are high enough to withstand them," Mockapetris said.