October 25, 2012, 3:50 PM — Open and misconfigured DNS (Domain Name System) resolvers are increasingly used to amplify distributed denial-of-service (DDoS) attacks, according to a report released Wednesday by HostExploit, an organization that tracks Internet hosts involved in cybercriminal activities.
In the latest edition of its World Hosts Report, which covers the third quarter of 2012, the organization included data about open DNS resolvers and the Autonomous Systems -- large blocks of Internet Protocol (IP) addresses controlled by network operators -- where they are located.
That's because, according to HostExploit, incorrectly configured open DNS resolvers -- servers that can be used by anyone to resolve domain names to IP addresses -- are increasingly abused to launch powerful DDoS attacks.
DNS amplification attacks date back more than 10 years and are based on the fact that small DNS queries can result in significantly larger DNS responses.
An attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target's IP address. As a result, the resolvers will send their large responses back to the victim's IP address instead of the sender's address.
In addition to having an amplification effect, this technique makes it very hard for the victim to determine the original source of the attack and also makes it impossible for name servers higher up on the DNS chain that are queried by the abused open DNS resolvers to see the IP address of the victim.
"The fact that so many of these unmanaged open recursors exist allow the attackers to obfuscate the destination IPs of the actual DDoS targets from the operators of the authoritative servers whose large records they're abusing," said Roland Dobbins, solutions architect in the Security & Engineering Response Team at DDoS protection vendor Arbor Networks, Thursday via email.
"It's also important to note that the deployment of DNSSEC has made DNS reflection/amplification attacks quite a bit easier, as the smallest response the attacker will stimulate for any query he chooses is at least 1300 bytes," Dobbins said.
Even though this attack method has been known for years, "DDoS amplification is used far more frequently now and to devastating effect," Bryn Thompson of HostExploit wrote Wednesday in a blog post.
"We have seen this recently and we see it increasing," Neal Quinn, the chief operating officer of DDoS mitigation vendor Prolexic, said Thursday via email.