Gumming up the internet: When DNS servers attack..

Filed Under: Denial of Service, Featured, Vulnerability

The much discussed threat to stop the internet, termed "Operation Blackout", purportedly made by Anonymous, did not transpire this weekend.

Post on PasteBin about Operation Blackout

What caused so much attention was not just that it was from someone claiming to be Anonymous, who have shown themselves to be very effective at conducting internet attacks in the past.

The threat gave some quite specific details about how the attack would be done, and what would be attacked. The type was a Distributed Denial Of Service (DDoS) attack and the target was the Domain Name Service (DNS).

There were many reasons why the attack, as originally described, would not have succeeded.

At a basic level, announcements were issued by others also claiming to be Anonymous, saying they were not responsible for the threatened action.

However, it is perhaps complacent to ignore the threat that was made, as DDoS attacks are becoming very widespread and the DNS is critical to the functioning of the web.

So, what are DDoS attacks, why is the DNS so important, and could a DDoS attack really decapitate the internet by attacking the DNS?

Denial Of Service Attacks are known by a number of names: smurf attacks, pings of death, teardrop attacks are just some of them. These are all just variants of the same fundamental attack, which the CERT Coordination Centre at Carnegie Mellon University characterizes as an explicit attempt by attackers to prevent legitimate users of a service from using that service.

CERT gives a number of examples of how this might be achieved:

  1. "flood" a network, thereby preventing legitimate network traffic. In practice, it is this technique which is used by the likes of Anonymous
  2. disrupt connections between two machines, thereby preventing access to a service
  3. prevent a particular individual from accessing a service
  4. disrupt service to a specific system or person.

Malicious attackers most often create the avalanche of data required by using many computers spread across the internet, all flooding a single victim in a coordinated attack.

Hence, it becomes a Distributed Denial Of Service attack. Sometimes this coordination is voluntary, with hacking groups all using similar tools to fire data at a victim.

Groups such as Anonymous have developed their own tools to help their supporters do this.

LOIC

First they began with the rather grandly named Low Orbit Ion Cannon (LOIC), after which they progressed to the similar High Orbit Ion Cannon (HOIC). These tools make it horribly easy for a user, including a non-technical participant, to attack (or "lazer") a victim.

Although these attacks were outlawed in the UK in the Police and Justice Act 2006, carrying a sentence of up to 10 years in prison, often the coordination is involuntary and those participating in the attack may not even know they are contributing to the data tsunami hitting a victim's system.

This is achieved by infecting machines with a piece of malware that can be controlled by the hackers remotely, to generate the data and send it to specific targets. One of the best known examples of this was the MyDoom worm.

DDOS attack

Not only do those contributing not necessarily know they are part of the attack, but if the attack is launched from one country on another, the jurisdictional issues become a nightmare.

A good example was the attack launched on Interpol on 28th February 2012, which, when analyzed, appears to have been a HOIC attack but with sources from across the globe.

It is easy to see that with enough computers engaging, either voluntarily or involuntarily, in an attack against a target, the victim can be overwhelmed. Whilst there are defenses against these attacks, DDoS remains one of the most problematical, yet easy to mount, attacks on the internet.

Which brings us to the DNS. This is one of the elements that turns the internet into the World Wide Web. It is essentially the phone book for the web.

We are all used to typing in names such as www.surrey.ac.uk into our browser, but the Internet actually knows this website as an IP address: 131.227.132.17.

The DNS is what your computer refers to in order to convert one to the other. The DNS is a tree structure that spreads across the internet and it begins at the top with 13 top level "domains" which pass data to the lower levels.

DNS

Worms such as MyDoom have taught us very important lessons and so, for example, the 13 top level domains are distributed across many physical systems, sometimes in different countries. An up to date view of what lies where and who is running it can be seen at www.root-servers.org

So, is this all a non-issue? Well, not quite.

Lower level DNS elements can be targeted by DDoS attacks and by doing enough of these, even with the redundancy in the DNS, you can start to cause some disruption.

It is highly unlikely you would decapitate the internet, but you could certainly gum up the works on a local basis.

However, there is a little-talked-about aspect of DNS systems that can actually result in them becoming part of the attack rather than the victim. This "amplification attack", which was reported in a paper in 2006 [PDF], relies upon two facts:

  1. The response to a DNS lookup request returns far more data than is in the original request (up to 60 times).
  2. A request can spoof the address from which it comes, such that the answer is sent to a target machine.

You can see how if you have enough machines sending requests to a DNS server, all pretending to be a single machine, that the DNS can actually be obliged to help swamp a target with data.

If you usurp many DNS servers in this way, then you can produce an enormous amount of data, enough to flood whole networks.

There are ways to configure these DNS systems so that they cannot be used for such an attack, but this is not done as a matter of routine.

And, with ten million DNS servers now within the DNS structure on the internet you don't need much imagination to see how a large scale attack could be mounted.
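The two facts above give a resolver operator a usable signature: a spoofed source never sees the replies, so it keeps repeating the same heavily amplified query, while a real client caches the answer. The script below is an added example, not code from the article or from any DNS software; it parses a constructed, hypothetical resolver log format (time, client address, qname, qtype, query bytes, response bytes) and flags the addresses that are probably being used as the victim's spoofed source. The 60x ratio in the sample is constructed to match the figure quoted above.

```python
import re
from collections import defaultdict

# Constructed log lines in an invented format (not a real BIND/Unbound log):
# time, client IP as seen in the query (possibly spoofed), qname, qtype,
# UDP query size in bytes, UDP response size in bytes.
SAMPLE_LOG = """\
2012-03-31T10:00:00 198.51.100.4 www.surrey.ac.uk A 34 50
2012-03-31T10:00:01 203.0.113.7 example.net ANY 36 2160
2012-03-31T10:00:01 203.0.113.7 example.net ANY 36 2160
2012-03-31T10:00:01 203.0.113.7 example.net ANY 36 2160
2012-03-31T10:00:02 203.0.113.7 example.net ANY 36 2160
2012-03-31T10:00:02 198.51.100.9 mail.example.org MX 33 90
2012-03-31T10:00:03 203.0.113.7 example.net ANY 36 2160
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_log(text):
    """Yield (time, client, qname, qtype, query_bytes, response_bytes) per line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a well-formed record
        ts, client, qname, qtype, qb, rb = m.groups()
        yield ts, client, qname, qtype, int(qb), int(rb)


def amplification(query_bytes, response_bytes):
    """Bandwidth amplification factor: bytes sent out per byte received."""
    return response_bytes / query_bytes


def suspected_victims(log_text, min_factor=10.0, min_repeats=3):
    """Return {client: bytes_sent} for clients that received the same heavily
    amplified answer at least min_repeats times; such a client is more likely
    a spoofed source address (the real target) than a genuine resolver user."""
    repeats = defaultdict(lambda: defaultdict(int))  # client -> (qname, qtype) -> count
    bytes_out = defaultdict(int)                     # client -> response bytes sent
    for _ts, client, qname, qtype, qb, rb in parse_log(log_text):
        if amplification(qb, rb) >= min_factor:
            repeats[client][(qname, qtype)] += 1
            bytes_out[client] += rb
    return {c: bytes_out[c] for c, q in repeats.items()
            if max(q.values()) >= min_repeats}
```

The flagged addresses are candidates for response rate limiting or for a conversation with the address owner, not proof of attack; tune the thresholds against your own baseline traffic.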

So, with DDoS attacks being such a problem, and the DNS a possible source of such attacks, we need to think of the DNS not just as a vulnerable part of the internet infrastructure, but as something that could possibly be turned against the internet it is intended to serve.

Image sources: Wikipedia, PasteBin
Digital attack image and web browser image from ShutterStock



7 Responses to Gumming up the internet: When DNS servers attack..

  1. Craig Williams · 932 days ago

    Please fix this sentence. These are different types of DoS attacks, they are not the same thing. There is not a pings of death attack. There is a single attack that was known as the ping of death attack against Windows.

    Denial Of Service Attacks are known by a number of names: smurf attacks, pings of death, teardrop attacks are just some of them.

  2. This article seems to be an adaption of the original http://www.bbc.com/news/technology-17472447 . Notably, the embarrassing mistake of describing "13 servers at the top level" has mutated to "13 top level domains", which is wrong as well (see http://en.wikipedia.org/wiki/List_of_Internet_top... for a list). Also, the alarmist viewpoint has been toned down.

    It's still wrong, though (and not only in missing the number of TLDs, and curiously not mentioning the number of physical servers): Virtually every ISP filters IP packets by their outgoing address, and therefore only ISP-level devices can "fake" IP addresses. Therefore, only those special devices can initiate smurfing attacks on the internet; the average internet user (or bot) can not.

    To top it off, amplification of "up to 60 times" is not possible for the root servers: To accommodate broken IP fragmenting installations, the root servers keep all UDP replies to 512 Bytes. Since the minimal DNS query is 9 Bytes long (and there is a huge overhead in the IP and UDP headers anyways), that can't possibly work out.

    But even if the root servers could be shut off, this would affect virtually nobody due to the extensive caching mechanisms. Additionally, DDoS attacks against the DNS root servers are nothing new, prior attacks (against only 13 servers at the time) were basically unsuccessful. (See http://en.wikipedia.org/wiki/Distributed_denial_o... )

    All in all, I prefer this article to the BBC version due to reduced scaremongering. But it's still full of misinformation, and I'd expect better from naked security.

    • Actually the root servers can and do reply with responses larger than 512 bytes, they have to in order to support DNSSEC, which is why amplification is so effective. Just do dig +dnssec .

      • Oh, you're totally right.

        Assuming an attacker who abuses this fact and generates so much traffic that the root servers can't cope, the operators of the root servers could manually turn off DNSSEC or force these queries to go through TCP.

  3. Craig Williams · 932 days ago

    Additionally - https://xkcd.com/386/

  4. Alexander Kowalski · 931 days ago

    For those concerned about DNS attacks (especially redirect/DNS poisoning, &/or the stalling of the root 13 DNS primary servers (if not the arpa TLD that maintains the state of host-domain name translations to IP addresses))?

    You can utilize your local hosts file to help you during such an attack, & still have access to your favorite websites (bonus is, you'll also reach them FASTER since local resolution of hosts file data is FAR FASTER than calling out to remote DNS servers (especially possibly downed ones OR again, DNS poisoned redirected ones also)).

    You 1st have to "reverse DNS ping" (ping -a hostname (in Windows)) for your fav. websites & edit the hosts file and add these sites of yours in this form into your hosts file using a text editor:

    IP address    yourfavsite.com

    This will function as a local resolver for that site. Add away to your heart's content, the filesize can grow as much as you like/need for this.

    Periodically? You MAY have to 'reping' your fav. sites, but as a 'case-in-point'/example here? I "hardcode" in 250 of my fav. sites I visit online daily to weekly etc. the way I have noted here... of them, since 2006? Only 5 have changed their IP address (this does happen, as hosting providers get switched by websites 'shopping around' for a better deal etc./et al)... so, be aware of that much here.

    I have built this into a host file mgt. program that is being hosted soon by malwarebytes/hpHOSTS ( http://hosts-file.net/?s=Download ) per Mr. Steven Burn (a competent coder in his own right, & member of the security community - he says "it's excellent" per email correspondence we have had on this note/program).

    Should anyone doubt that? Write him yourself:

    services@it-mate.co.uk

    (The program does FAR more than just that, such as blocking out known malicious sites/servers online that serve up malicious content, but, what I noted above is also a feature of it too).

    In any event?

    The technique works, & will 'get you where you are going', even IF the DNS system were to be hijacked or downed completely.

    APK

    P.S.=> An ounce of prevention? Worth a POUND of 'cure'... hence, this tip from myself to anyone else interested on this note/account! apk

  5. Mike · 923 days ago

    Phone book for the web? What's a phone book?


About the author

Professor Alan Woodward is a visiting professor at the University of Surrey's department of computing. He has worked for the UK government and still provides advice on issues including cybersecurity, covert communications and forensic computing. Read his personal blog at www.profwoodward.org and follow him on Twitter at @ProfWoodward.