
Understanding the SpamHaus DDoS Attack

DNS Reflection
Distributed Denial of Service is the topic of the day, due to a recent massive DDoS attack, attributed to Dutch Web host CyberBunker, against the spam-fighting organization SpamHaus. Just how significant was the collateral damage to the rest of the Internet? CloudFlare, a Web security company directly involved in defending SpamHaus against the attack, likened it to a nuclear bomb, while Keynote Systems, a company that tracks website availability and response time, said it was no more than a blip. Whatever the effect on the Internet overall, nobody disputes that this attack, peaking at roughly 300 Gbps, was the largest DDoS attack recorded up to that point. But just what is a DDoS attack, and what defenses are available?

How the Attack Worked
A Denial of Service attack simply overloads the victim's servers by flooding them with more traffic than they can handle. This can disrupt the victim's business or knock its website offline. Launching such an attack from a single source is ineffective, as the victim can quickly block that traffic. Attackers therefore launch a Distributed Denial of Service attack from thousands of hapless computers controlled by a botnet.

David Gibson, VP of Strategy for global data-protection company Varonis, explained the process in simple terms. "Imagine some attacker can spoof your phone number so that your number shows up on other people's phones when the attacker calls," he said. "Now imagine the attacker calls a bunch of people and hangs up before they answer. You'll probably get a bunch of calls back from those people... Now imagine thousands of attackers doing this—you'd certainly have to change your phone number. With enough calls, the entire phone system would be impaired."
It takes time and effort to set up a botnet, or money to rent one. Rather than go to that trouble, the attack on SpamHaus took advantage of the Domain Name System (DNS), an absolutely essential component of today's Internet.

The attackers located tens of thousands of open DNS resolvers, servers that will answer a lookup from anyone on the Internet. DNS runs over UDP, which makes IP address spoofing easy: the attacker sends each resolver a small query with the source address forged to be the victim's, so the reply goes to SpamHaus instead of back to the attacker. With a query type chosen to elicit a large record set, each small query produced a response many times its size (around a hundredfold in this case), and all of those big responses hit the victim's servers. Extending Gibson's example, it's as if each of the attacker's phone calls turned your number over to rabid telemarketers.

What Can Be Done?
Wouldn't it be nice if someone would invent technology to foil such attacks? In truth, they already have, thirteen years ago. In May of 2000, the Internet Engineering Task Force published the Best Current Practice document known as BCP38 (RFC 2827). BCP38 defines the problem and describes "a simple, effective, and straightforward method... to prohibit DoS attacks which use forged IP addresses." The method is ingress filtering: a network operator drops any packet leaving its network whose source address does not belong to that network, so a forged query never reaches the resolver in the first place.
"80 percent of internet providers have already implemented the recommendations in BCP38," noted Gibson. "It's the remaining 20 percent that remain responsible for allowing spoofed traffic." Putting the problem in simple terms, Gibson said, "Imagine if 20 percent of the drivers on the road didn't obey traffic signals—it would no longer be safe to drive."

Lock It Down
The security problems described here happen at a level way above your home or business computer. You're not the one who can or should implement a solution; that's a job for the IT department. Importantly, the IT staff have to correctly manage the distinction between two different kinds of DNS servers. Corey Nachreiner, CISSP and Director of Security Strategy for network security company WatchGuard, explained.

"An authoritative DNS server is one that tells the rest of the world about your company or organization's domain," said Nachreiner. "Your authoritative server should be available to anyone on the Internet, however, it should only respond to queries about your company's domain." In addition to the outward-facing authoritative DNS server, companies need an inward-facing recursive DNS server. "A recursive DNS server is intended to supply domain lookups to all your employees," explained Nachreiner. "It should be able to reply to queries about all sites on the Internet, but it should only reply to people in your organization."

The problem is, many recursive DNS servers don't restrict which clients they will answer, so they resolve any name for anyone on the Internet. To mount a DNS reflection attack, the bad guys just need to find a bunch of those incorrectly configured servers. "While businesses do need recursive DNS servers for their employees," concluded Nachreiner, "they SHOULD NOT open these servers to requests from anyone on the Internet."
Rob Kraus, Director of Research at Solutionary's Engineering Research Team (SERT), pointed out that "knowing what your DNS architecture truly looks like from the inside as well as the outside can help identify gaps in your organization's DNS deployment." He advised ensuring that all DNS servers are fully patched and secured to spec. To make sure you've done it right, Kraus suggests "using ethical hacking exercises [to] help uncover misconfigurations."
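The check Kraus describes, and the amplification arithmetic from the "How the Attack Worked" section, can both be seen in a few dozen lines. The following is an added example written for this page, not code from PCMag or from any of the companies quoted: it hand-builds a DNS query, decodes the reply header, and decides whether a server is an open recursive resolver by asking it to resolve a domain it does not host. The server address, the domain name and the two sample reply byte strings are constructed for illustration; the probe() function does real network I/O and should only be pointed at servers you are authorised to test.

```python
# Added example (not from the PCMag article): build a DNS query by hand,
# read the header of the reply, and decide whether a server is an open
# recursive resolver. Sample replies and addresses below are constructed.
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "TXT": 16, "ANY": 255}


def build_query(name, qtype="A", rd=True, txid=0x1234):
    """Return the wire-format bytes of a DNS query (RFC 1035 header + question)."""
    flags = 0x0100 if rd else 0x0000          # RD bit: "please recurse for me"
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                          # root label terminates the name
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def parse_header(reply):
    """Decode the 12-byte DNS header into its flags and section counts."""
    if len(reply) < 12:
        raise ValueError("truncated DNS reply")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available: the tell-tale bit
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(reply):
    """Label a reply to a recursive query for a domain the server does NOT host.
    (An authoritative server answers its own zones regardless, so the probe
    must use a foreign name or it proves nothing.)"""
    h = parse_header(reply)
    if not h["qr"]:
        return "not a reply"
    if h["rcode"] == 5:
        return "refused (recursion correctly restricted)"
    if h["ra"] and h["ancount"] > 0:
        return "OPEN RESOLVER: answered a recursive query for a foreign domain"
    if h["ra"]:
        return "recursion offered (RA set) but no answer returned"
    return "authoritative-only or non-recursive"


def amplification_factor(query, reply):
    """Bytes the victim receives per byte the attacker sends with a spoofed source."""
    return len(reply) / len(query)


def probe(server, name="example.com", qtype="ANY", timeout=2.0):
    """Send one recursive query to server:53 from outside the network and
    classify the reply. Network I/O: use only against hosts you may test."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify(reply), amplification_factor(q, reply)


# Constructed sample replies (only the header matters for classification).
# An open resolver: QR+RD+RA set (0x8180), NOERROR, 4 answer records, padded
# to a ~3 KB response such as an ANY query for a busy domain can produce.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0) + b"\x00" * 3000
# A correctly restricted resolver: QR+RD set, RA clear, rcode 5 REFUSED (0x8105).
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com", "ANY")
    for label, r in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED)):
        print(label, classify(r), f"x{amplification_factor(q, r):.0f}")
```

The 29-byte ANY query against the constructed 3 KB reply gives an amplification factor of about 104, which is the mechanism the article describes: the attacker pays for the query, the spoofed victim pays for the reply. When the probe reports an open resolver, the fix is in the server's configuration rather than in this script; in BIND, for example, recursion is restricted with the allow-recursion option (or disabled with recursion no on the authoritative server), so that only internal clients receive recursive answers.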

Yes, there are other ways to launch DDoS attacks, but DNS reflection is especially effective because of the amplification effect: a small query from the attacker elicits a response many times larger, and the spoofed source address sends every one of those responses to the victim. Closing open resolvers shuts down the easiest supply of reflectors, though authoritative servers, which by design must answer everyone, can still be made to reflect, which is why source-address filtering under BCP38 remains the more complete fix. Shutting down this particular avenue will at least force cybercriminals to invent a new kind of attack. That's progress, of a sort.
Article from pcmag.com