
US takes interest in DDoS attacks

Published: 03-April-2006

Senior levels of the US government are taking an interest in recent distributed denial-of-service attacks against the internet's domain name system, according to a person familiar with the situation.

In recent months, there have been large-scale and ongoing attacks against several DNS infrastructure providers, using a newly discovered method that enables the bad guys to greatly amplify the amount of attack traffic they can throw at their targets.

According to Rodney Joffe, chief technology officer of UltraDNS Corp, this is causing concern from some government officials that these attacks could be used by a certain class of bad guy - the class that has no interest in the continued operation of the internet.

Joffe was due to give a briefing on the topic to a meeting of the Internet Corp for Assigned Names and Numbers in Wellington, New Zealand recently, but was called back to Washington DC at the last minute to brief US officials, apparently including at least one "cabinet level" official.

The concern comes after a series of attacks that are believed to have started in December and spiked in February, but which are ongoing. The attackers have used the DNS as both the target and the weapon, due to a relatively new technique known as DNS amplification.

In a typical distributed DoS attack, the bad guy uses a network of "bots", hacked home computers under his covert control. He typically creates his bots with worms or Trojans spammed via email, though it is possible to simply buy botnet capacity on the black market.

Once the botnet is under his control, the attacker can instruct the machines to send spurious traffic to the target of his choosing. With enough bots, sufficient bandwidth can be amassed to take down smaller sites. The technique is often used to extort money, or in tit-for-tat hacker gang wars.

But with a high-profile target, like a big company or a critical piece of DNS infrastructure such as the .com name servers, the target has to fill bigger pipes, and has more layers of defense to push through, to cause downtime.

DNS amplification attacks use IP address spoofing and a feature of the DNS called recursion to enable the attacker to direct significantly more traffic against their targets, enough to get DNS service providers and their political overseers worried.

"We're seeing some very deliberate attacks against some high profile targets right now, to showcase the talent of the attacker, so they can get work for the Russian mafia or whoever it may be," said Paul Vixie, president of the Internet Systems Consortium, which makes the BIND DNS software.

These amplification attacks work because it is easy for any home PC to spoof its source IP address when it sends out a packet, and because there are millions of DNS servers out there that will answer any DNS query sent to them, using a standard process known as recursion.

For the attack to work, the attacker needs to be in control of a DNS record. This is trivially easy to set up. The TXT field of that record is then filled to capacity, which is about 4,200 bytes. This 4,200-byte chunk of garbage is the sledgehammer that will be used to hit the target.

The attacker instructs his bots to execute lots of requests for the sledgehammer record, against lots of open recursive name servers. The bots spoof the source IP address of these requests, making it look like the address of the target they wish to overload.

The recursive servers grab the 4,200-byte record from the attacker-controlled zone, and send it along to the IP address they think the request came from. They may even cache the data for future requests, making the attack all the more efficient for the attacker.

"In order to create an 8Gbps attack using carefully crafted zones, you need no more than 200 home PCs on basic DSL lines," Joffe said.

That math assumes about 200 bots, each saturating a full 512Kbps connection with a stream of 60-byte DNS queries, each of which is amplified 70x into a 4,200-byte reply directed at the attacker's target.
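The arithmetic behind Joffe's figure, and the pattern a resolver operator would look for in their own logs, can be shown together. The following is an added example and not code from the article, UltraDNS or ISC: it takes a constructed query-log sample (the line format is an assumption for this example, not BIND's real querylog format), computes per-client reply/query byte ratios, and flags clients outside the resolver's served networks that repeatedly pull large replies, which is what a resolver being used as a reflector sees. The `reflected_gbps` helper reproduces the 200-bot, 512Kbps, 60-byte/4,200-byte calculation from the text.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample of resolver query-log lines (not real data). Assumed format:
# "<client_ip> <qname> <qtype> <query_bytes> <reply_bytes>". The .test zone name
# and the 198.51.100.0/24 and 10.0.0.0/8 addresses are documentation/placeholder values.
SAMPLE_LOG = """\
198.51.100.7 example-sledge.test TXT 60 4200
198.51.100.7 example-sledge.test TXT 60 4200
198.51.100.7 example-sledge.test TXT 60 4200
198.51.100.7 example-sledge.test TXT 60 4200
10.0.0.12 www.example.org A 45 61
10.0.0.34 mail.example.org MX 48 120
10.0.0.12 example-sledge.test TXT 60 4200
"""

SERVED_NETS = [ip_network("10.0.0.0/8")]  # clients this resolver is meant to serve
RATIO_THRESHOLD = 20.0  # reply/query byte ratio above which a client looks like a reflection source
MIN_QUERIES = 3         # ignore one-off lookups


@dataclass
class ClientStats:
    queries: int = 0
    query_bytes: int = 0
    reply_bytes: int = 0

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received from this client."""
        return self.reply_bytes / self.query_bytes if self.query_bytes else 0.0


def amplification_factor(query_bytes: int, reply_bytes: int) -> float:
    """Per-query amplification: a 60-byte query answered with 4,200 bytes is 70x."""
    return reply_bytes / query_bytes


def reflected_gbps(bots: int, uplink_kbps: int, query_bytes: int, reply_bytes: int) -> float:
    """Aggregate reply traffic aimed at the spoofed address when every bot
    saturates its uplink with queries (the arithmetic behind the 8Gbps figure)."""
    query_bps = bots * uplink_kbps * 1000
    return query_bps * amplification_factor(query_bytes, reply_bytes) / 1e9


def parse_log(text: str) -> dict:
    """Aggregate query and reply byte counts per client address."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _qname, _qtype, qlen, rlen = line.split()
        s = stats[client]
        s.queries += 1
        s.query_bytes += int(qlen)
        s.reply_bytes += int(rlen)
    return dict(stats)


def is_served_client(ip: str) -> bool:
    return any(ip_address(ip) in net for net in SERVED_NETS)


def find_reflection_sources(stats: dict) -> list:
    """Clients outside the served networks whose traffic is heavily amplified.
    Their 'source' address is most likely a spoofed victim, not a real client."""
    flagged = []
    for client, s in stats.items():
        if is_served_client(client):
            continue
        if s.queries >= MIN_QUERIES and s.amplification >= RATIO_THRESHOLD:
            flagged.append((client, round(s.amplification, 1), s.reply_bytes))
    return sorted(flagged)


if __name__ == "__main__":
    print("amplification per query:", amplification_factor(60, 4200))
    print("200 bots on 512Kbps lines:", round(reflected_gbps(200, 512, 60, 4200), 2), "Gbps")
    for client, ratio, total in find_reflection_sources(parse_log(SAMPLE_LOG)):
        print(f"reflection suspect {client}: {ratio}x amplification, {total} reply bytes")
```

The flagged address is the one that should be treated as the victim: the resolver is sending it traffic it never asked for, so the useful response is to stop recursing for addresses outside the served networks (the default change described later in the article) rather than to block the "client".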

To put that in perspective, Russian hacking crews advertise that they will place the malware of your choice on 1,000 bots for a mere $25, according to the Internet Storm Center.

With enough bots, enough requests, and enough recursive servers, attackers can quickly produce denial-of-service conditions at their target. Joffe estimates that about 50,000 recursive name servers were used in recent attacks.

The targets of recent attacks include UltraDNS itself. The company runs the infrastructure for several top-level domains, including .org and .uk, as well as providing DNS redundancy services for big names like Amazon.com and Oracle. VeriSign, which runs .com and .net, has also been hit.

These key parts of the DNS being shut down would be "the closest you could ever get to saying 'the internet is down', and being correct," Joffe said. If .com were taken out of action for a day, billions of dollars would be lost, he said. That's what the US is concerned about.

According to a report of ICANN's Security and Stability Advisory Committee, published recently, there was an attack against a "key TLD [top-level domain] name server operator" on February 5. The aggregate bandwidth deployed against the target was 1Gbps.

Because all the smart TLD operators have multiple name servers in multiple locations, all of which use the same IP address, the attack was spread out such that each interface on each server saw rather less attack traffic, or about 60Mbps.

This operator's first line of defense screened out half the attack packets, but the 30Mbps of attack traffic that made it through represented about 99.7% of all the traffic hitting the servers at that time.

Two days later, a second attack ate up 2.5Gbps of bandwidth. Both attacks lasted 14 minutes, and the operator has determined it was the same attack by the same attackers.

Vixie speculates that these attacks are crackers showing off, in order to get commissioned by organized crime gangs. Joffe said there is some concern that such attacks could be used by groups less interested in extortion than they are interested in disrupting economies. Terrorists, in other words.

As a result of the awareness of these attacks, the non-profit Internet Systems Consortium has been pressured into releasing a new version of BIND, the internet's dominant name server software, that has the recursion features turned off by default for the first time.

But ISC president Vixie insists that this will not solve the fundamental issues. "It's not really going to make any difference," he said. Open DNS recursion isn't the problem, he said, IP address spoofing is the problem.

"If I was in the business of attacking people, you could take away all the open recursive servers on the internet and I would still be able to make this attack sing," said Vixie. "Even if everyone took our new defaults tomorrow... it would still be trivially easy to launch attacks of a very similar nature."

Indeed, IP address spoofing is a problem not restricted to DNS amplification attacks. The watershed Mafiaboy attacks against CNN and eBay in February 2000 used a DDoS technique known as SYN-flooding, which also uses IP spoofing.

The solution, Vixie said, is for source IP validation to be implemented by ISPs. The best mitigation is for broadband providers to "insist that the packets their customers send them are coming from the address they're given, and not any damn IP address they like," he said.

"It's not rocket science," he said. Source validation is featured on networking hardware from all the major vendors, such as Cisco and Juniper, Vixie said, but it is generally not turned on, despite years-old best practices documents saying it should be.

ICANN's security committee agrees. "The single action that would most significantly mitigate the effects of the kind of attack [would be for] all network service providers to perform source IP address verification at the edge", the organization said in its report.

This technique is outlined in the Internet Engineering Task Force document RFC 2827, published in May 2000. The document is also known as BCP 38, for Best Current Practices 38. ICANN recommends BCP 38 be adopted by network operators.
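What BCP 38 asks an edge router to do is simple to state: know which source prefixes can legitimately sit behind each customer-facing port, and drop anything else arriving there. The following is an added illustration of that check and is not code from the article, ICANN or the RFC; the port names, the per-port prefix table and the packets are constructed, using documentation address ranges as placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress_port: str  # customer-facing port the packet arrived on
    src: str           # claimed source address
    dst: str           # destination address


# Constructed table: the prefixes assigned to the customer behind each port.
# Under BCP 38, a packet whose source lies outside its port's prefixes is spoofed.
ASSIGNED_PREFIXES = {
    "dsl-port-1": [ip_network("203.0.113.0/24")],
    "dsl-port-2": [ip_network("198.51.100.0/25")],
}


def source_is_valid(port: str, src: str) -> bool:
    """Return True only if src belongs to a prefix assigned to this ingress port."""
    nets = ASSIGNED_PREFIXES.get(port)
    if nets is None:
        return False  # unknown port: fail closed rather than forward unverified traffic
    return any(ip_address(src) in net for net in nets)


def ingress_filter(packets):
    """Split packets into those that pass source validation and those dropped."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if source_is_valid(p.ingress_port, p.src) else dropped).append(p)
    return forwarded, dropped


# Constructed traffic: 192.0.2.53 stands in for a name server being queried.
SAMPLE_PACKETS = [
    Packet("dsl-port-1", "203.0.113.45", "192.0.2.53"),    # genuine customer address
    Packet("dsl-port-1", "192.0.2.10", "192.0.2.53"),      # source forged to someone else's address
    Packet("dsl-port-2", "198.51.100.200", "192.0.2.53"),  # outside the /25 assigned to port 2
    Packet("dsl-port-2", "198.51.100.9", "192.0.2.53"),    # genuine customer address
    Packet("unconfigured-port", "203.0.113.45", "192.0.2.53"),  # no prefix table entry
]


def summarize(packets=SAMPLE_PACKETS) -> dict:
    forwarded, dropped = ingress_filter(packets)
    return {"forwarded": len(forwarded), "dropped": len(dropped)}


if __name__ == "__main__":
    fwd, drp = ingress_filter(SAMPLE_PACKETS)
    for p in fwd:
        print(f"forward {p.src} -> {p.dst} via {p.ingress_port}")
    for p in drp:
        print(f"drop    {p.src} -> {p.dst} via {p.ingress_port} (source not assigned to port)")
```

The point of the table-driven form is that the check needs no knowledge of the attack: a forged packet is dropped at the customer's own access port whether it is headed for a recursive resolver, a TLD server or a SYN-flood target, which is why Vixie and the ICANN committee treat source validation as the fix and open recursion as only a symptom. On production gear the same check is expressed as an ingress access list or strict unicast reverse-path forwarding on the customer-facing interface, with the assigned-prefix table coming from the routing or provisioning system rather than a dictionary.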

"It's very important that CTOs, network operators, ISPs, and those who've got general security roles in networks, that they understand what this weakness is and understand the recommendations on how to configure their equipment," ICANN president Paul Twomey said in a press conference. These recommendations are available for download from icann.org's front page.
