How should CSPs tackle DDoS attacks? By: Carl Braden, Sr. Dir, Nominum

Monitoring DNS queries in real time will help operators tackle DDoS attacks effectively

Carl_Braden_Nominum

Carl Braden, Sr. Dir, APAC, Nominum

Within India there are currently 1.2 million home routers and modems with open DNS proxies, exposing telecom operators in the country to a new wave of amplification attacks with the potential to take down websites and other resources.

Research from Nominum shows there are 24 million home gateways around the world with this vulnerability, making them a prime target for hackers launching distributed denial of service (DDoS) attacks on a variety of Internet resources including websites and even networks themselves. The nature of these DNS amplification attacks means that the proxy used does not even have to be in the same country as the attacker or intended target.

DNS amplification attacks utilize DNS – one of the building blocks of the Internet – to create massive volumes of attack traffic flooding resources and networks. An effective DDoS attack will take the service offline completely and an unsuccessful one still has the potential to slow network speeds and generate a spate of user complaints.

The attack starts as the criminal masquerades as a target website sending a small request to a vulnerable router. The router then passes this request to an ISP resolver which sends a response – many times larger than the original request – to the target website. The amount of resulting traffic can be tens of gigabits per second, amounting to trillions of bits over the course of an attack. The target servers are unable to cope with this deluge of data and service could be suspended as a result.

While DDoS attacks used to be the preserve of highly technologically-literate hackers, who could command a botnet army of compromised devices to flood a target’s servers with traffic, the new generation of DDoS attacks focuses on a fundamental weakness in the Internet’s infrastructure – home gateways, such as modems and routers, which connect to Open DNS proxies. This makes the method available to a greater number of criminals who need fewer resources to launch very large attacks.

Although the service providers themselves are rarely the end target, the impact on operators is extremely significant as the vast amount of useless traffic on the network slows access speeds, which can lead to customer complaints and churn. It can also damage its reputation with peers as the infrastructure used for the attack can be identified.

The answer to today’s wave of amplification attacks is to use protections and best practices based around the DNS protocol itself. There are now sophisticated tools available that allow organisations, such as ISPs to monitor DNS queries in real-time. This provides instant analysis to providers to enable them to identify and stop an attack in its tracks.

Key ways service providers can protect their network integrity from an attack include: Employing fine grained rate limits to target legitimate domains used for amplification; Utilize dynamic threat lists to block “purpose built” amplification domains, vetted to eliminate false positives; Use rate limits based on response size to catch malicious traffic not caught by other filters; Deploy truncated responses to ensure legitimate clients will get answers; and Log DNS data for forensics.

In a recent study of the anatomy of an attack, Nominum found one three day attack can cause 40 trillion bytes of unwanted traffic totaling 72.5 percent of the total traffic on any network. This has the potential to be a destructive problem for ISPs, which they are in a unique position to prevent.

Carl Braden is senior director, APAC at Nominum. He has spent more than eight years at Nominum and has grown Asia Pacific team significantly by securing sizable contracts and customers in all major markets in the region. He has spent his career in telecommunications and IT and has assisted and enable carriers to establish upgrade and transition projects in the areas of DNS, DHCP, VoIP, advanced network security applications, cloud services and migrate DNS solutions in wireless mobility networks from 2G through to LTE.

Leave a Reply

%d bloggers like this: