New DDoS attack based on deluge of dots
A technique for worsening the effects of a distributed denial-of-service attack uses a feature of the DNS system that was once designed to be helpful. Patching it could involve reconfiguring millions of domain-name servers, or even rethinking how the system works.
A DDoS attack, of course, involves bombarding a target site with garbage so no other traffic can get through. Some attackers, especially the ones who do these attacks for a living (think extortion), use amplification techniques that increase the flow of packets while further disguising the true source of the onslaught. One of these, which SecureWorks is currently examining, leverages a feature in the domain-name system, making it appear that the victim's computer is lost and in need of a list of all the root domain nameservers. That's a long list, and the forged query is quite short -- in fact, it's "." (a single dot). A tiny effort on the attacker's part, therefore, is leveraged into a significant amount of DDoS distress.
Earlier forms of DNS amplification attacks were the subject of research scrutiny (download PDF here) as early as 2006, and there are mitigation techniques that can be deployed by those who take the proper care when configuring their servers. However, those earlier techniques relied on recursion to function.
All an attacker has to do in the new style is spoof the source address of the query and insert the IP address of the target, so the earlier fixes, which managed the problem by restricting recursion, don't hold the fort. (The SecureWorks link above includes configuration advice for diligent sysadmins.) Some observers estimate that attackers using the technique have been able to leverage as many as 375 domain-name servers for every infected machine in their botnet.
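As an added, defender-side illustration (not code from the article or from SecureWorks): a short Python scan over constructed BIND-style query-log lines that flags a client address repeating the root NS query ("." IN NS) in a burst, which is how the spoofed victim address shows up on a nameserver being abused as an amplifier. The log layout, addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a BIND-style query-log layout (layout assumed,
# not copied from a real server); addresses are documentation ranges.
SAMPLE_LOG = """\
21-Oct-2008 10:00:00.101 client 203.0.113.9#3124: query: . IN NS +
21-Oct-2008 10:00:00.104 client 192.0.2.10#4011: query: example.com IN A +
21-Oct-2008 10:00:00.130 client 203.0.113.9#3124: query: . IN NS +
21-Oct-2008 10:00:00.131 client 203.0.113.9#3124: query: . IN NS +
21-Oct-2008 10:00:00.140 client 203.0.113.9#3124: query: . IN NS +
21-Oct-2008 10:00:00.150 client 203.0.113.9#3124: query: . IN NS +
21-Oct-2008 10:00:05.000 client 198.51.100.7#2000: query: . IN NS +
21-Oct-2008 10:00:20.000 client 198.51.100.7#2000: query: . IN NS +
21-Oct-2008 10:00:21.500 client 192.0.2.10#4011: query: www.example.net IN AAAA +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def parse_queries(text):
    """Yield (timestamp, client_ip, qname, qtype) for each parsable log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], m["name"], m["type"]


def find_root_ns_bursts(text, window_seconds=1.0, threshold=4):
    """Return {client_ip: peak_count} for clients sending at least `threshold`
    root NS queries inside any `window_seconds` sliding window. A sane resolver
    asks for the root NS list once at start-up; a spoofed-source amplification
    run repeats it rapidly from the victim's address."""
    recent = defaultdict(deque)  # per-client timestamps of '.' NS queries
    flagged = {}
    for ts, ip, name, qtype in parse_queries(text):
        if name != "." or qtype != "NS":
            continue  # ordinary lookups are not part of this signal
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop queries that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

The flagged address is the spoofed source, i.e. the likely DDoS victim, not the attacker; the useful responses are rate-limiting or dropping root NS answers to that address and confirming with the victim's own operators.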
Amplification can, as you'd expect, give a relatively small attacker the reach and ferocity of a big one. However, these things do tend to get test runs -- and according to reportage at The Register, this one's in trials now, targeting ladyboy sites -- weirdly appropriate for an attack that pretends to be what it's not.