A high-power server used by a Canadian security company was hijacked in a massive distributed denial of service “DNS flood” attack against an online gaming web site earlier this month.
The attack, as reported in SC Magazine, was launched against a client of website security company Incapsula, which the article says was able to fend off what turned out to be a high-volume attack that remained at 25 million packets per second (Mpps) throughout its entire seven-hour duration.
In an exchange with the magazine, Incapsula product evangelist Igal Zeifman said that the attackers engaged two separate high-capacity servers to launch the attack. The irony is that both servers – the Canadian one along with another in China that was also exploited for the attack – belong to anti-DDoS service providers. And it was the very strength of their network infrastructure that enabled the attackers to launch an overwhelming attack – what Zeifman called ‘fighting fire with fire.’
Incapsula was able to identify the servers used in the attack because many of the DNS queries held non-spoofed IP data. The two security companies confirmed to Incapsula that their servers had been used for the attacks.
Needless to say, the identities of the two anti-DDoS companies whose servers were compromised, as well as that of Incapsula’s online gaming customer, were not disclosed. But in a May 12 blog post on Incapsula’s site titled “DNS Flood of 1.5 billion requests a minute,” Zeifman was forthcoming about the seriousness of this type of threat.
“With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend – one that can endanger even the most hardened network infrastructures,” Zeifman wrote.
The danger of DNS flood attacks, Zeifman says, is that unlike the common DNS “amplification” attacks, they are symmetrical DDoS attacks generated by scripts running on several compromised botnet machines. And unlike amplification attacks, which work by exhausting the target’s bandwidth capacity, DNS floods aim to exhaust server-side assets such as memory or CPU.
While DNS amplification attacks rely on a simple lookup query with the spoofed IP of the target to generate much larger DNS responses, DNS floods have no such multiplier effect. This in turn means that attackers need to find and exploit existing massive botnet infrastructures for a flood to be successful.
Zeifman says that anti-DDoS providers, with their wide traffic pipes and close proximity to the Internet backbone, have exactly the kind of infrastructure needed. “This, combined with the fact that many vendors are more concerned with ‘what’s coming in’ as opposed to ‘what’s going out,’ makes them a good fit for hackers looking to execute massive non-amplified DDoS attacks.”
Aside from the “poetic twist” of turning erstwhile protectors into aggressors, DNS floods are extremely dangerous, Zeifman warns. DNS amplification attacks are easy to beat as uninitiated DNS responses are suspect and can be filtered at the edge of the network fairly easily. But the seemingly legitimate DNS flood queries can’t be dismissed before they’re individually processed at the server level.
“With on-edge filtering bypassed, and the path to the server CPU cores laid wide open,” he warns, “DNS floods have the potential to bring down even the most resilient of networks.”
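The contrast Zeifman draws can be made concrete with a small defender-side sketch. The following Python is an added example, not code from the article or from Incapsula: it replays constructed sample DNS packet records through (a) an edge filter that drops responses arriving at the protected nameserver for which no matching query was ever sent, which is enough to shed reflected amplification traffic, and (b) a per-source query-rate counter, which is the kind of per-query bookkeeping a symmetric flood of individually valid queries forces onto the server. The addresses (RFC 5737 documentation ranges), transaction ids and the 50 qps threshold are all assumed values chosen for the illustration.

```python
"""Edge filtering vs. per-query processing for two kinds of DNS DDoS.

Added example; the packet records below are constructed, not captured data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    ts: float           # arrival time in seconds
    src: str            # source IP
    dst: str            # destination IP
    txid: int           # DNS transaction id
    is_response: bool   # QR bit: True for a response, False for a query
    size: int           # bytes on the wire


# Assumed address of the protected nameserver (RFC 5737 documentation range).
OUR_SERVER = "192.0.2.53"


def classify_edge(packets):
    """Edge filter: a DNS *response* addressed to our server is only
    legitimate if it matches a query our server actually sent. Anything
    else is reflected/amplified traffic and can be dropped without
    touching the server. Returns (passed, dropped)."""
    outstanding = set()   # (txid, remote) of queries our server originated
    passed, dropped = [], []
    for p in packets:
        if p.src == OUR_SERVER and not p.is_response:
            outstanding.add((p.txid, p.dst))      # we sent a query
            passed.append(p)
        elif p.dst == OUR_SERVER and p.is_response:
            key = (p.txid, p.src)
            if key in outstanding:
                outstanding.discard(key)          # expected answer
                passed.append(p)
            else:
                dropped.append(p)                 # unsolicited: reflection
        else:
            # Inbound queries look legitimate one by one; the edge cannot
            # reject them, so they all reach the server for processing.
            passed.append(p)
    return passed, dropped


def query_flood_sources(packets, window_s=1.0, threshold_qps=50):
    """Per-source query-rate counting over fixed windows. This is the
    server-side work a symmetric flood forces: every query is counted.
    Returns {src: peak_qps} for sources exceeding the assumed threshold."""
    buckets = defaultdict(Counter)   # src -> Counter{window index: queries}
    for p in packets:
        if p.dst == OUR_SERVER and not p.is_response:
            buckets[p.src][int(p.ts // window_s)] += 1
    flagged = {}
    for src, counts in buckets.items():
        peak = max(counts.values()) / window_s
        if peak > threshold_qps:
            flagged[src] = peak
    return flagged


def sample_traffic():
    """Constructed sample: one legitimate lookup, three large reflected
    responses we never asked for, a burst of 120 non-spoofed queries from a
    single source in one second, and a normal client sending five queries."""
    pkts = []
    # Legitimate: our server queries an upstream (txid 0x1111) and gets an answer.
    pkts.append(DnsPacket(0.10, OUR_SERVER, "198.51.100.7", 0x1111, False, 60))
    pkts.append(DnsPacket(0.15, "198.51.100.7", OUR_SERVER, 0x1111, True, 120))
    # Amplification residue: responses far larger than any query, unmatched txids.
    for i in range(3):
        pkts.append(DnsPacket(0.20 + i * 0.01, "198.51.100.7", OUR_SERVER,
                              0x2000 + i, True, 3000))
    # Symmetric flood: 120 syntactically valid queries within one second.
    for i in range(120):
        pkts.append(DnsPacket(1.0 + i / 120.0, "203.0.113.9", OUR_SERVER,
                              0x3000 + i, False, 60))
    # Background: a normal client at 5 qps.
    for i in range(5):
        pkts.append(DnsPacket(1.0 + i * 0.2, "203.0.113.10", OUR_SERVER,
                              0x4000 + i, False, 60))
    return pkts


if __name__ == "__main__":
    pkts = sample_traffic()
    passed, dropped = classify_edge(pkts)
    print(f"edge filter dropped {len(dropped)} unsolicited responses, "
          f"{sum(p.size for p in dropped)} bytes")
    print(f"{len(passed)} packets still reach the server")
    print("query-flood sources:", query_flood_sources(passed))
```

The three oversized responses never reach the server because the edge can tell, without inspecting content, that nothing was asked for; the 120 flood queries all pass the same filter and are only distinguishable after the server has counted them per source, which is the cost the article describes.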
That potential is limited only by the extent of the high-end resources attackers can exploit, which makes it critical for service providers to strictly control access to their high-powered servers.