Whenever seismic activity picks up somewhere in the world, our local press here in California like to point out that we're overdue for The Big One. They cite how frequently, on average, large earthquakes occur on the various faults that we cross on our daily commutes and note that it's been many times that long since those faults have experienced a major tremor. Then they cut to footage of the aftermath of the Northridge or Loma Prieta earthquake or the movie 2012 and remind you to stock up on canned food, drinking water and ammunition. Sensationalist, sure, but relatively tame when compared with most of the fear mongering they use to try to boost ratings.
I’m waiting for The Big One to strike the Internet.
Over the past several years, we've seen some large Distributed Denial of Service (DDoS) attacks against Internet infrastructure, including DNS. In fact, as recently as August 6th, the DNS hosting provider DNS Made Easy was hit with a DDoS attack that they estimated at over 50 Gbps.
It's not difficult for a hacker to muster the resources necessary to generate that much traffic. One way to mount a big DDoS attack is to use open recursive name servers: send one a tiny query (under 100 bytes) for the right RRset, with EDNS0 advertising a large UDP buffer, and it'll reply with a DNS message of 4KB or so (without EDNS0 a UDP response is capped at 512 bytes, so the query has to ask for the big reply). That's 40x amplification. Since DNS queries travel over UDP, spoof the source address of the query and you can send those responses wherever you like. Or to whomever you don't like.
So then the only trick is to assemble enough open recursive name servers to make your DDoS attack really lethal. Lucky for you, they're not hard to find. In our latest DNS survey, The Measurement Factory found that roughly 80% of the estimated 12 million name servers on the Internet were open to recursion. Say you find 10,000 of them, and can send each one 1,000 spoofed queries per second. Assuming the responses are close to 4KB, that's 10 million responses a second, about 40 gigabytes per second, or 320 Gbps.
That's enough bandwidth to swamp all but the largest carriers and infrastructure providers, and it'd be trivial for the big botnets to pull off. The Storm botnet, one of the biggest, is conservatively thought to contain 160,000 infected computers. Assuming modest 1 Mbps ADSL connections, each one of those could generate on the order of 1,000 queries per second (a 100-byte query is about a kilobit on the wire once you count the IP and UDP headers), and because the queries are spoofed the bot never has to receive the replies. You do the math.
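The amplification and bandwidth arithmetic from the last three paragraphs, worked through in code as an added example that is not part of the original post. It encodes a query the way a reflector receives it (RFC 1035 wire format plus an EDNS0 OPT record, RFC 6891, advertising a 4096-byte UDP buffer), synthesizes a large reply from constructed TXT records, and computes the amplification factor and the aggregate traffic a set of reflectors would deliver. The name example.com, the transaction ID, the fifteen 255-byte TXT strings and the rule that a truncated reply carries only header plus question are all assumptions made for the example; nothing is sent on the network.

```python
"""DNS reflection arithmetic: query size, reply size, amplification, aggregate rate.

Added example for the post; all input is constructed and nothing leaves the host.
"""
import struct

IP_UDP_OVERHEAD = 20 + 8       # IPv4 header + UDP header, bytes per datagram
CLASSIC_UDP_LIMIT = 512        # RFC 1035 ceiling for UDP replies when no OPT RR is present
QTYPE_ANY, QTYPE_TXT, QTYPE_OPT = 255, 16, 41


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels terminated by the root label."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, edns_bufsize=4096, txid: int = 0x1234) -> bytes:
    """One class-IN question; edns_bufsize=None omits the OPT RR (plain RFC 1035 query)."""
    arcount = 0 if edns_bufsize is None else 1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    if edns_bufsize is None:
        return header + question
    # OPT RR: root name, TYPE 41, CLASS = requestor's UDP payload size,
    # TTL = extended RCODE/version/flags (all zero here), RDLEN 0.
    opt = b"\x00" + struct.pack(">HHIH", QTYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def build_response(name: str, txt_strings: list, txid: int = 0x1234) -> bytes:
    """Synthetic reply: question echoed back plus one TXT RR per string (constructed data).

    Each RR names its owner with a compression pointer to offset 12, so the message is
    12 + len(question) + sum(2 + 10 + 1 + len(s)) bytes.
    """
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)  # QR, RD, RA
    question = encode_name(name) + struct.pack(">HH", QTYPE_ANY, 1)
    answers = b""
    for s in txt_strings:
        if len(s) > 255:
            raise ValueError("a TXT <character-string> is at most 255 bytes")
        rdata = struct.pack("B", len(s)) + s.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, 1, 3600, len(rdata)) + rdata
    return header + question + answers


def has_opt(query: bytes) -> bool:
    """True if the query carries an OPT RR as its last (11-byte, empty-RDATA) record."""
    arcount = struct.unpack(">H", query[10:12])[0]
    return (arcount >= 1 and len(query) >= 23 and query[-11] == 0
            and struct.unpack(">H", query[-10:-8])[0] == QTYPE_OPT)


def advertised_bufsize(query: bytes) -> int:
    """UDP payload size the requestor says it can take; 512 without EDNS0."""
    return struct.unpack(">H", query[-8:-6])[0] if has_opt(query) else CLASSIC_UDP_LIMIT


def udp_response_size(query: bytes, response: bytes) -> int:
    """Bytes the resolver sends over UDP for this query/response pair.

    If the reply exceeds the advertised buffer the server truncates it (TC=1); the
    simplifying assumption here is that the truncated reply is header + question only.
    """
    if len(response) <= advertised_bufsize(query):
        return len(response)
    return len(query) - (11 if has_opt(query) else 0)


def amplification(query: bytes, response: bytes, on_wire: bool = True) -> float:
    """Reply bytes per query byte, counting IP/UDP headers when on_wire is True."""
    extra = IP_UDP_OVERHEAD if on_wire else 0
    return (udp_response_size(query, response) + extra) / (len(query) + extra)


def reflected_bps(reflectors: int, qps_each: int, response_bytes: int) -> int:
    """Aggregate bits per second the reflectors deliver to the spoofed source address."""
    return reflectors * qps_each * (response_bytes + IP_UDP_OVERHEAD) * 8


def queries_per_sec_for_uplink(uplink_bps: int, query_bytes: int) -> int:
    """How many spoofed queries one bot can push through a given upstream link."""
    return uplink_bps // ((query_bytes + IP_UDP_OVERHEAD) * 8)


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_response("example.com", ["A" * 255] * 15)
    print("query %d bytes, reply %d bytes, amplification %.1fx on the wire"
          % (len(q), udp_response_size(q, r), amplification(q, r)))
    q_plain = build_query("example.com", edns_bufsize=None)
    print("same reply to a non-EDNS0 query: %d bytes (truncated)" % udp_response_size(q_plain, r))
    print("10,000 reflectors x 1,000 qps x 4,000-byte replies = %.0f Gbps"
          % (reflected_bps(10_000, 1_000, 4_000) / 1e9))
    print("one 1 Mbps bot sustains %d queries/s" % queries_per_sec_for_uplink(1_000_000, 100))
```

The non-EDNS0 case is the check worth keeping in mind: the same 4KB RRset returns only a truncated reply to a 512-byte requestor, so the amplification the post describes depends on the attacker advertising a large buffer, and on the reflector honouring it.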
We have a few tools in our arsenal to combat DDoS attacks, but not as many as we need. Anycast helps, because any one botnet-controlled computer can only see (and therefore attack) a single node in an anycast group, so the load is spread across the group. Ingress filtering (BCP 38) would help, because it drops spoofed queries at the network they come from, but too few ISPs do it. There's no surefire protection against DDoS, though.
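What the ingress-filtering check actually does, as an added example that is not code from the original post. An access router knows which prefixes are delegated behind each customer-facing interface; a packet whose source address is outside the prefixes of the interface it arrived on is forged and is dropped before it can reach a reflector. The interface names, prefixes (documentation ranges) and packet records below are constructed for the example; 192.0.2.10 plays the victim and 198.51.100.200 an open resolver.

```python
"""BCP 38 / RFC 2827 ingress filtering at a customer-facing edge (added example)."""
import ipaddress
from collections import Counter

# Constructed delegation table: interface -> prefixes legitimately sourced behind it.
INTERFACE_PREFIXES = {
    "dsl0": [ipaddress.ip_network("203.0.113.0/24")],
    "dsl1": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:1::/48")],
}

# Constructed packets: (ingress interface, source IP, destination IP, destination port).
SAMPLE_PACKETS = [
    ("dsl0", "203.0.113.77", "198.51.100.200", 53),    # customer's own query to a resolver
    ("dsl0", "192.0.2.10", "198.51.100.200", 53),      # forged: the victim's address as source
    ("dsl0", "198.51.100.9", "198.51.100.200", 53),    # forged: a neighbour's address as source
    ("dsl1", "2001:db8:1::42", "2001:db8:53::1", 53),  # legitimate IPv6 source behind dsl1
    ("dsl1", "203.0.113.5", "198.51.100.200", 53),     # forged: dsl0's prefix arriving on dsl1
]


def ingress_permitted(iface: str, src: str) -> bool:
    """True if `src` belongs to a prefix delegated behind `iface`; unknown interfaces permit nothing."""
    addr = ipaddress.ip_address(src)
    # `in` is False across address families, so a v6 source never matches a v4 prefix.
    return any(addr in net for net in INTERFACE_PREFIXES.get(iface, []))


def filter_packets(packets):
    """Apply the BCP 38 rule to each packet; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src = pkt[0], pkt[1]
        (forwarded if ingress_permitted(iface, src) else dropped).append(pkt)
    return forwarded, dropped


def drops_by_interface(packets) -> dict:
    """Spoofed-packet count per ingress interface, the figure an operator would graph."""
    _, dropped = filter_packets(packets)
    return dict(Counter(pkt[0] for pkt in dropped))


if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    for pkt in drop:
        print("drop  iface=%s src=%s (source not delegated behind this interface)" % (pkt[0], pkt[1]))
    for pkt in fwd:
        print("pass  iface=%s src=%s" % (pkt[0], pkt[1]))
    print("drops by interface:", drops_by_interface(SAMPLE_PACKETS))
```

The caveat that explains the "too few ISPs do it" problem is visible in the table: the check only works at the edge where the bots sit, because that is the only place the router knows what source addresses are legitimate. Neither the reflector nor the victim can apply it on their own behalf, so every ISP that skips it leaves its customers available as a spoofing platform against everyone else.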
Which leaves us all vulnerable, and awaiting The Big One.