DNS amplification attacks require little skill or effort, but can cause major damage
Biggest concentration of the world’s vulnerable routers is in Asean and China
MORE than 24 million home routers on the Internet have open DNS (Domain Name System) proxies which expose Internet service providers (ISPs) to DNS-based DDoS attacks, and the greatest concentration of such compromised routers can be found in Asean and China.
New research by Nominum, which specialises in DNS software and Internet activity applications, reveals that DNS-based DDoS (Distributed Denial of Service) amplification attacks have significantly increased in recent months, targeting vulnerable home routers worldwide.
A simple attack can create tens of Gbps of traffic to disrupt provider networks, enterprises, websites, and individuals anywhere in the world, the Redwood City, California-based company said in a statement.
Nominum products include the Vantio ThreatAvert software which protects DNS servers from DDoS attacks. Among the highlights of its research, compiled from its own networks of Vantio ThreatAvert boxes inside ISPs:
In February 2014, more than 5.3 million home routers were used to generate attack traffic;
During an attack in January 2014, more than 70% of total DNS traffic on a provider’s network was associated with DNS amplification; and
DNS is by far the most popular protocol for launching amplification attacks, with more available amplifiers than the next four protocols combined.
Nominum’s data also revealed that almost half of the world’s vulnerable routers are located in Asia, and the biggest concentration of these corrupted gateways is in Asean and China, the company told Digital News Asia (DNA) via email.
In Asean, these include:
“There is not much users can do since they likely will not be aware of the problem,” Bruce Van Nice, Internet security expert and product director for Nominum, told DNA.
“The ISP truly plays a bigger role in the short term [when it comes to] protecting against these attacks. Replacing routers might be an option for ISPs but it could be a long, difficult and expensive process,” he said in an email.
DNS amplification attacks require little skill or effort and cause major damage, which is why they are increasingly popular, Nominum said in its statement.
Because vulnerable home routers mask the target of an attack, it is difficult for ISPs to determine the ultimate destination and recipient of huge waves of amplified traffic.
Traffic from amplification amounts to trillions of bytes a day, disrupting ISP networks, websites and individuals, Nominum said. The impact on ISPs is fourfold:
The malicious traffic saturates available bandwidth;
There is extra cost generated by a spike in support calls caused by intermittent service disruption;
Revenue impact as poor Internet experience leads to increased churn or retention expenses; and
An impact on the ISP’s reputation as unwanted traffic is directed toward peers.
“Existing in-place DDoS defences do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” said Sanjay Kapoor, chief marketing officer and senior vice president of strategy at Nominum.
“Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies,” he added.
Nominum said it recently launched Vantio ThreatAvert to address the gaps in existing ISP DDoS defences.
The solution leverages Nominum’s Global Intelligence Xchange (GIX), a database of malicious DNS amplification domains that is continuously updated; as well as Precision Policies, which enable ISPs to pinpoint and neutralise attack traffic.
Together they enable ISPs to protect their networks proactively, Nominum claimed. More information about Nominum’s solution to address DNS-based DDoS amplification attacks can be found here.