An acquaintance of mine was surprised to see a picture of me driving a Lamborghini. So I said to him that just because I don’t own it does not mean I cannot drive it.
That’s how hackers think.
They don’t own hundreds of servers that can generate several gigabytes of network traffic, yet they can successfully launch massive sustained DDoS attacks capable of bringing down some of the most fortified enterprises.
How do they do it?
They “drive” thousands of servers on the Internet by commanding them to send what look like legitimate requests to the destinations they want to attack. They do that by installing malware on those machines, forming a network of infected computers, also known as a “botnet.” Every single request that comes in as part of the DDoS attack is by itself a seemingly valid request for the service, so the traffic slips right past conventional defenses.
In fact, this is becoming so prevalent that in an April 2013 blog post on the BankInfoSecurity site, Tracy Kitten reported that Bank of America, Citi, JP Morgan Chase, HSBC America, and other banks have begun to report DDoS attacks and their results in their SEC filings.
In another blog posting, DK Matai points out that these attacks, for which a hacktivist group calling itself the Izz ad-Din al-Qassam Cyber Fighters is claiming credit, exceed 100 gigabytes per second!
Prolexic recently published a report showing that 75 percent of attack traffic targets the network infrastructure rather than the application layer.
And guess what the DNS portion of that is: 7.25 percent, a share that quadrupled in just one year! DNS is becoming the next popular attack vector.
Just as the whole new field of web-proxy analytics and web-application firewall technologies arose in the last decade as we saw HTTP and web-based attacks boom, new defenses now have to be developed for DNS.
DNS is too easy to attack.
What makes DNS so special or unique or lucrative to attackers?
First and foremost is the nature of the protocol. DNS runs over UDP, so the source address of a query is never verified, and DNS is asymmetric: the response is usually many times larger than the query. An attacker sends a small query with the victim's address forged as the source, and the server dutifully delivers the large response to the victim. A 40-byte ANY query that advertises a large EDNS0 buffer can draw back a response of several kilobytes, so any server that answers it, your own authoritative servers included, becomes an amplifier that turns a modest botnet into a flood dozens of times its own size.
So effectively, to stop a business in its tracks, the bad guys don’t really need to fill up the network pipe with hundreds of gigabits of traffic.
They can bring down your web server (but that’s an old trick and you probably have defenses in place).
Or they can bring down your authoritative DNS servers so that no one can resolve your domain: once cached answers expire, the website, mail and every other service under that name becomes unreachable even though the machines behind it are perfectly healthy. And unfortunately, that’s easy!
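To make the asymmetry concrete, here is an added example (my code, not the author's) that builds a DNS query in wire format, builds a constructed authoritative response to it, and compares the two sizes. Nothing touches the network; the domain name, the record contents and therefore the exact sizes are made up for illustration, and the `looks_like_amplification_probe` heuristic is mine, not a standard.

```python
"""Added example (not from the original post): measures the query/response
asymmetry that makes DNS an amplifier. Everything is built in memory; the
domain, the TXT record contents and the resulting sizes are constructed."""
import struct

QTYPE_ANY, QTYPE_TXT, TYPE_OPT = 255, 16, 41


def encode_name(name):
    """Wire-encode 'example.com' as b'\\x07example\\x03com\\x00' (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(packet, off):
    """Return the offset just past an uncompressed name that starts at off."""
    while packet[off] != 0:
        off += 1 + packet[off]
    return off + 1


def build_query(name, qtype, edns_bufsize=4096, txid=0x1234):
    """One question plus an EDNS0 OPT pseudo-record (RFC 6891). The advertised
    buffer size invites the server to answer in a single UDP datagram far
    larger than the classic 512 bytes; amplification tools always set it high.
    In a real attack the IP source address would be forged to the victim's."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def build_txt_response(query, texts):
    """Constructed authoritative answer: the question copied back, then one
    TXT record per string, each naming its owner with a compression pointer
    (0xC00C) to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4  # end of QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, len(texts), 0, 0)  # QR AA RD RA
    answers = b""
    for text in texts:
        rdata = bytes([len(text)]) + text.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 3600, len(rdata)) + rdata
    return header + query[12:qend] + answers


def parse_question(packet):
    """(name, qtype) of the first question; used to spot ANY queries."""
    labels, off = [], 12
    while packet[off] != 0:
        ln = packet[off]
        labels.append(packet[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    qtype = struct.unpack("!H", packet[off + 1:off + 3])[0]
    return ".".join(labels), qtype


def edns_udp_size(query):
    """Advertised EDNS0 buffer size, or 512 if the query carries no OPT RR.
    Assumes the OPT RR is the only additional record, as build_query() makes."""
    arcount = struct.unpack("!H", query[10:12])[0]
    off = skip_name(query, 12) + 4  # first additional record, past the question
    if arcount and query[off] == 0 and struct.unpack("!H", query[off + 1:off + 3])[0] == TYPE_OPT:
        return struct.unpack("!H", query[off + 3:off + 5])[0]  # CLASS field = UDP size
    return 512


def looks_like_amplification_probe(query):
    """Per-packet heuristic (mine, not a standard): an ANY query advertising a
    large EDNS buffer is the classic shape of an amplification request."""
    _, qtype = parse_question(query)
    return qtype == QTYPE_ANY and edns_udp_size(query) >= 4096


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


def demo():
    query = build_query("example.com", QTYPE_ANY)
    response = build_txt_response(query, ["x" * 200] * 10)  # ten modest TXT records
    return {"query_bytes": len(query), "response_bytes": len(response),
            "factor": amplification_factor(query, response),
            "probe": looks_like_amplification_probe(query)}


if __name__ == "__main__":
    print(demo())
```

The 40-byte query is exactly what goes on the wire regardless of how big the answer is; the answer size is whatever the zone holds, so ten ordinary TXT records already yield a factor above 50. Against a real server, `dig +bufsize=4096 ANY yourdomain @yourserver` shows the genuine ratio for your own zone, and a server that refuses ANY, truncates to force TCP, or applies response rate limiting shrinks that ratio toward 1.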
What you need is security from within.
That massive big-iron firewall you have lets ALL of the port 53 traffic in. So to fight the DNS threat, you need to focus not just on the servers but also on securing key assets like the DNS infrastructure itself. Remember, all DDoS requests are individually valid, so a firewall that only checks addresses and ports will never block them. What we are talking about is security from within.
- Use hardened, purpose-built DNS appliances instead of open-source technologies.
- Strictly control access, granting it to authorized users only.
- Close all unnecessary communication to and from the servers.
- Allow internal DNS traffic to reach designated DNS servers only.
- Block all other port-53-based traffic at your firewalls.
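The last two items of that list are a policy you can both audit and enforce. As an added example that is not from the original post, the script below checks constructed flow records against a "designated resolvers only" policy and emits the equivalent iptables rules. The address ranges, server roles and flow lines are all hypothetical.

```python
"""Added example (not from the original post): audits flow records against a
"designated DNS servers only" policy and emits matching iptables rules.
All addresses, server roles and flow records are constructed for illustration."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Hypothetical internal recursive resolvers that every client must use.
DESIGNATED_RESOLVERS = {ipaddress.ip_address("10.0.53.1"), ipaddress.ip_address("10.0.53.2")}
# Hypothetical public authoritative server for the company's own zones.
AUTHORITATIVE = {ipaddress.ip_address("203.0.113.10")}

# Constructed flow records: timestamp src sport dst dport proto bytes
SAMPLE_FLOWS = """\
2013-04-10T10:00:01 10.1.2.3 53201 10.0.53.1 53 UDP 60
2013-04-10T10:00:02 10.1.2.3 53202 8.8.8.8 53 UDP 60
2013-04-10T10:00:03 10.0.53.1 40321 198.51.100.5 53 UDP 60
2013-04-10T10:00:04 10.1.2.9 4444 203.0.113.77 53 TCP 1200
2013-04-10T10:00:05 198.51.100.9 53 10.1.2.3 53 UDP 3000
2013-04-10T10:00:06 198.51.100.9 51000 203.0.113.10 53 UDP 60
2013-04-10T10:00:07 10.1.2.3 51234 10.1.2.10 443 TCP 500
"""


def classify(src, dst, dport, proto):
    """Return (verdict, reason) for one flow under the policy."""
    if dport != 53:
        return "ignore", "not DNS"
    if src in INTERNAL:
        if dst in DESIGNATED_RESOLVERS:
            return "allow", "client to designated resolver"
        if src in DESIGNATED_RESOLVERS:
            return "allow", "designated resolver recursing to the Internet"
        # A workstation resolving elsewhere is misconfigured, tunnelling or infected.
        return "deny", "internal host talking DNS to an unapproved server"
    if dst in AUTHORITATIVE:
        return "allow", "Internet query to our authoritative server"
    return "deny", "inbound port-53 traffic to a non-DNS host"


def audit(flow_text):
    """Parse flow lines and return a verdict for every DNS flow."""
    findings = []
    for line in flow_text.splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        verdict, reason = classify(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                                   int(dport), proto)
        if verdict != "ignore":
            findings.append({"time": ts, "src": src, "dst": dst, "proto": proto,
                             "bytes": int(nbytes), "verdict": verdict, "reason": reason})
    return findings


def iptables_rules(chain="FORWARD"):
    """The same policy as iptables rules for the firewall between segments.
    Order matters: the specific ACCEPTs come first, then a catch-all DROP
    for everything else on port 53. Return traffic is expected to be admitted
    by a separate ESTABLISHED,RELATED conntrack rule, not shown here."""
    rules = []
    for proto in ("udp", "tcp"):
        for r in sorted(DESIGNATED_RESOLVERS):
            rules.append(f"iptables -A {chain} -s {INTERNAL} -d {r} -p {proto} --dport 53 -j ACCEPT")
            rules.append(f"iptables -A {chain} -s {r} -p {proto} --dport 53 -j ACCEPT")
        for a in sorted(AUTHORITATIVE):
            rules.append(f"iptables -A {chain} -d {a} -p {proto} --dport 53 -j ACCEPT")
        rules.append(f"iptables -A {chain} -p {proto} --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['verdict']:5} {f['src']:>14} -> {f['dst']:<14} {f['reason']}")
    print("\n".join(iptables_rules()))
```

Run against the constructed sample, the audit flags the workstation querying 8.8.8.8, the host speaking DNS over TCP to an unknown server, and an Internet host sending port-53 traffic at an ordinary workstation, while the resolver's own recursion and queries to the authoritative server pass. TCP is included deliberately: DNS legitimately falls back to TCP for large or truncated answers, so a UDP-only rule leaves a hole.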
And that’s just the starting point—base zero, let’s call it. Stay tuned to this blog for what to do next.