DDoS attacks rise as companies fail to address DNS security

High-profile DNS amplification attacks have taught attackers how to become better at denial-of-service attacks, but organisations largely haven't learned their lesson.
Written by Michael Lee, Contributor

Distributed denial-of-service (DDoS) attacks have scaled up in the past year, according to Arbor Networks' latest Infrastructure Security Report (PDF), and many attackers are learning from each other to meet their objectives.

Those surveyed in the study, around 220 operational security professionals, reported that DDoS attacks are the number one threat against their infrastructure.

Attackers are thought to be ideological hacktivists, mostly targeting the customers of those hosting infrastructure, but the report states that attacks against infrastructure providers themselves are increasing.

"Last year, we saw eight times the number of attacks over 20Gbps when compared to 2012. In short, attackers seem to have refocused on utilising large volumetric attacks to achieve their goals," report co-author and Arbor Networks solutions architect Darren Anstee said.

The problem is compounded by the increase in DNS amplification attacks. Such attacks allow attackers to make several requests to an open DNS server, but with the requesting IP forged to their victim. The server then responds to the victim with the requested information, unaware that they did not actually ask for it. As the size of the response from the server can be many times the size of the request, this assists attackers in amplifying how much damage they can do.

Over a third of respondents claimed that their DNS infrastructure had been abused in this manner, up from 25 percent the previous year. Yet, the report notes that 26 percent of respondents do not have someone formally overseeing DNS security in their organisation — an increase from 19 percent last year.

Open DNS servers in many cases could be closed off from general use, preventing an attacker from abusing them for DDoS attacks; however, report co-author and consulting engineer at Carrier Group Andrew Cockburn said that the number of open resolvers has not decreased since last year. He said he was surprised, considering the high-profile attack on Spamhaus last year, which used DNS amplification.

While organisations are not doing anything to address the issue, attackers, on the other hand, are.

"Even after the Spamhaus attack, which was very well publicized, we saw a large number of copycat attacks in the months following," Cockburn said.

"Twenty percent of our respondents do not restrict recursive lookups, which when extrapolated to the entire base of DNS resolvers, makes for rich pickings among those that are interested in launching this kind of attack."

Editorial standards