According to a new report released by US-based security solutions provider Incapsula, researchers have observed another interesting DDoS attack in which an attacker abused two major anti-DDoS service providers to perform a massive DDoS attack on other websites.
It's really EPIC that the services that should protect websites from DDoS attacks were themselves compromised to perform DDoS attacks on other web services.
The researchers at the security firm noticed a surge of massive DNS DDoS attacks against one of its clients, peaking at approximately 25 Mpps (million packets per second).
“With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend – one that can endanger even the most hardened network infrastructures,” reads the report.
This time, the hacker used a DNS DDoS attack (a DNS flood), which is totally different from the DNS amplification attack that hackers had most commonly used before, both in its method of execution and in the type of trouble it aims to deliver.
A DNS amplification attack is an asymmetrical DDoS attack in which the attacker spoofs the source Internet Protocol (IP) address of the queries to that of the targeted victim, which means the target receives the replies from all the DNS servers that are used, making it the recipient of much larger DNS responses. “With these attacks the offender’s goal is to achieve network saturation by continuously exhausting the target’s bandwidth capacity,” Incapsula wrote.
A DNS flood is totally different: DNS floods are symmetrical DDoS attacks in which the attacker tries to exhaust server-side assets (e.g., memory or CPU) with a large number of UDP requests generated by malicious scripts running on several compromised botnet machines. The number of packets sent per second is even larger in this case compared to a DNS amplification attack.
“With DNS amplification, the effectiveness of an attacker’s own resources is increased by anywhere from 300% to 1000%, which means that large attacks could be initiated by relatively small botnets”, says the report. “On the other hand, with DNS floods there is no multiplier to speak of at all. This means that, in order to generate a DNS flood at the rate of 25Mpps, the offender needs access to an equally powerful botnet infrastructure.”
Using this DNS flood attack, the hacker succeeded in sending malicious requests through two different servers at a rate of 1.5 billion DNS queries per minute, amounting to over 630 billion requests during the course of the 7-hour-long DDoS attack.
Both servers used by the attacker belong to anti-DDoS service providers, one based in Canada and the other in China. After recognizing the attack, Incapsula informed both anti-DDoS vendors, which then dropped the responsible clients from their services.
“Malicious misuse of security solutions is anything but new. However, this is the first time we encountered “rogue” scrubbing servers used to carry out large-scale DDoS attacks. This fact, combined with the inherent danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous,” the researchers said.
A DNS amplification DDoS attack can be defended against by dropping all unexpected DNS responses to port 53, whereas DNS flood queries are difficult to differentiate from legitimate DNS queries, and it is not possible to drop all DNS queries in order to mitigate the attack. Such traffic could be filtered when each query is individually processed at the server level, but that is very difficult to do in practice. Thankfully, the impact of a DNS flood attack depends upon the capacity of the attacker's own resources.
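To make the amplification-versus-flood distinction and the defensive point above concrete, here is an added example (not from Incapsula's report) that runs two checks over constructed packet records: reflected responses the host never asked for, which can simply be dropped, and a query flood, which is indistinguishable packet by packet and only shows up in aggregate rate and source spread. The address 203.0.113.10, the sample records and the rate limit are assumptions.

```python
from collections import defaultdict

# Constructed sample records, not captured traffic:
# (timestamp_s, src_ip, dst_ip, dst_port, is_response, size_bytes)
PROTECTED = "203.0.113.10"  # assumed address of the defended name server
SAMPLE = [
    # one real query from the protected host and its legitimate reply
    (0.0, PROTECTED, "198.51.100.1", 53, False, 60),
    (0.1, "198.51.100.1", PROTECTED, 53, True, 512),
    # reflected replies the host never asked for (amplification)
    (0.2, "198.51.100.2", PROTECTED, 53, True, 3000),
    (0.3, "198.51.100.3", PROTECTED, 53, True, 3000),
    (0.4, "198.51.100.4", PROTECTED, 53, True, 3000),
    # a burst of ordinary-looking queries from many sources (flood)
    (1.0, "192.0.2.1", PROTECTED, 53, False, 60),
    (1.1, "192.0.2.2", PROTECTED, 53, False, 60),
    (1.2, "192.0.2.3", PROTECTED, 53, False, 60),
    (1.3, "192.0.2.4", PROTECTED, 53, False, 60),
    (1.4, "192.0.2.5", PROTECTED, 53, False, 60),
    (1.5, "192.0.2.1", PROTECTED, 53, False, 60),
    (2.2, "192.0.2.9", PROTECTED, 53, False, 60),
]

def unsolicited_responses(packets, host=PROTECTED):
    """Amplification check: DNS responses delivered to port 53 of the host
    that match no query it sent. These are safe to drop.
    Returns (dropped_count, dropped_bytes)."""
    awaiting = set()            # servers the host is genuinely waiting on
    dropped, dropped_bytes = 0, 0
    for _ts, src, dst, dport, is_resp, size in packets:
        if src == host and dport == 53 and not is_resp:
            awaiting.add(dst)
        elif dst == host and dport == 53 and is_resp:
            if src in awaiting:
                awaiting.discard(src)   # expected reply, let it through
            else:
                dropped += 1
                dropped_bytes += size
    return dropped, dropped_bytes

def flood_windows(packets, host=PROTECTED, window_s=1.0, qps_limit=5):
    """Flood check: each inbound query looks legitimate on its own, so only
    the aggregate rate and the number of distinct sources give it away.
    Returns (window_start, query_count, distinct_sources) for every window
    whose query rate exceeds qps_limit."""
    per_window = defaultdict(list)
    for ts, src, dst, dport, is_resp, _size in packets:
        if dst == host and dport == 53 and not is_resp:
            per_window[int(ts // window_s) * window_s].append(src)
    return [(start, len(srcs), len(set(srcs)))
            for start, srcs in sorted(per_window.items())
            if len(srcs) / window_s > qps_limit]
```

On the sample, the three reflected replies are dropped outright, while the flood is only flagged as a whole window (six queries from five sources in one second), which is the reason the article calls floods so much harder to filter.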