DoS (Denial of Service) attacks cover any type of malicious interference that degrades website services. Attackers use bots to clog the data pipeline of a server, reducing the amount of bandwidth available to legitimate users. It can also flood the capacity of a server, forcing it to reset. Richard Stallman, the software freedom activist, has stated that the use of DoS constitutes ‘Internet Street Protests’, giving the impression that DoS instigators are some sort of folk heroes. Many businesses have a different perspective. DoS has been responsible for significant economic damage. A lawsuit filed by Earthlink against hacker Khan C. Smith alleges that the 1998 illegal Defcon event perpetrated billions in lost revenue. In the United States, DoS is considered a federal crime. The Computer Fraud and Abuse Act list penalties that can include prison terms lasting years.
Symptoms of DoS
Common targets of DoS are high-profile web servers, such as credit card payment gateways, banks, and even root nameservers. They have also become very common in business. In 2014, the frequency of DoS attacks reached 28 / hour. For this reason, the symptoms have become recognizable warning signs. These include:
- Atypically slow network performance, either accessing the website or downloading files
- Inability to access a particular website, or any website
- Forced wireless or wired disconnects
- Significant increase in email spam
- Long term denial of availability of internet services
DoS Defense
Server management software can detect many types of DoS attacks. In fact, the regular release of operating system security updates targets vulnerabilities and prepares systems to recognize threats. Once a DoS attack is detected, systems can respond by blocking the source computer. It can also attempt to identify the computer and shut it down.
Multiple Source Computers
Hackers have intensified the effect of DoS attacks by targeting specific servers with multiple source computers. Any attack that includes two or more sources is called DDoS (Distributed Denial of Service.) This greatly increases the ability of the attacker to consume resources. It also makes blocking and detecting the source of the attacks much more difficult.
The problem with DDoS is that attackers do not have to own multiple machines. They can enlist other computers by distributing Trojan viruses. This allows cybercriminals to mount a distributed attack without the consent of the source computer owners.
Amplification Attacks
DDoS attackers do not necessarily need to infect a cadre of additional source computers. Instead, they can use a spoofed attack. In this strategy, hackers send information requests to a large number of computers. These requests all have the return address of the server targeted for the attack. The large number of responses from the spoofed computers floods the server.
Many internet services can be used for this spoofing strategy. Some are very difficult to block. One of the highest bandwidth amplification factors belong to spoofs employing the DNS. Amplification factors can reach as high as 179.
A Recent DNS Flooder Tool
Akamai is a leading provider of cloud services. Akamai’s Prolexic Security Engineering and Research Team (PLXsert) has detected a new type of DDoS campaign, beginning in October 4, 2014. The amplification leverages the ability to illicit large responses from relatively small request packets. The cybercriminals implement the strategy by creating large DNS TXT (text records) to increase the magnitude of the attacks. Recent attacks have included fragments of text extracted from White House press releases.
Continued Use
PLXsert has evidence that these new types of DNS attacks continue to be employed today. Hackers continue to craft custom TXT records, directing illegitimate traffic to DNS servers and other sites. With this technique, attackers have an effective way to overwhelm the target site and prevent its ability to respond to legitimate requests.
The DNS Toolkit Particulars
The DNS Flooder Toolkit is a cybercriminal’s dream. It offers the following features:
- Attacks are completely anonymous – the toolkit hides the IP address of the attacker.
- The toolkit requires few resources. Amplification allows the attacker to operate with his or her own modest number of servers. This mitigates the need to hunt for vulnerable DNS servers to serve as DoS sources.
- The toolkit is easy to use, reducing the barrier of the level of expertise required of the hacker.
As of February 11, 2015, StateOfTheInternet.com considers the toolkit high risk. Administrators of high-profile sites should be aware of the DNS Flooder and take appropriate measures.
The Players
The primary target of crafted DNS TXT amplification is entertainment sites. These comprise 75.0% of the total number of targets. Other primary targets include education and high tech consulting websites. Specific targets include isc.org (the Internet Systems Consortium for more secure and reliable Internet use) and a number of .gov websites.
The original 2014 attacks have been identified as coming from the GuessInfoSys.com domain. Dig results reveal malicious requests from GuessInfoSys.com continue to appear on the Internet. These requests initiate the attack by using open resolvers as intermediate targets to reflect traffic to a specified target. These attacks last a matter of days, and then begin to taper as server administrators block the requests.
DNS Reflection Mitigation
With the high frequency of DDoS attacks and the easy of launching a DNS Flooder campaign, the security community has developed several mitigation techniques. Because the Flooder uses similar tactics to other types of reflection attacks, including SNMP, SSDP, and CHARGEN, the protection providers have been able to leverage current technology.
The primary effect on the target service is the reduction of available resources due to the overall bandwidth generated. For this reason, DNS reflection attacks can be successfully defeated at the network edge. Where available bandwidth exceeds the attack volume, an access control list (ACL) offers sufficient protection. Some DNS servers may attempt to try the response again through TCP, but no transfer will initiate and the retry will fail. One of the best mitigation strategies is to use a DDoS cloud-based protection service. Akamai Technologies are one of the leading providers of such a service.
In the meantime, watchdog organizations such as PLXsert continue to monitor these types of DDoS campaigns. They will continue to protect the online community by posting future advisories and releasing updates to their protection services as needed.