New cyberattack technique inflicts major damage with modest means

Published 10 February 2009

Technique works by sending hundreds of thousands of DNS servers a steady stream of packets that contain little more than the character “.”; the queries prompt the DNS servers to respond to the targets with a list of the Internet’s root servers, responses that contain about eight times more data than the initial request

During the cold war, supporters of high defense budgets used to talk about the spill-over effect: technology that was developed, with taxpayers’ money, for military and intelligence purposes was soon deployed, with many benefits, in the civilian market (in evidence: the Internet). Here is a story that might be described as an example of a reverse spill-over effect: technology which has been successfully used in a segment of the civilian market may soon find its way to serving military and strategic purposes. Even before that happens, the technique may be added to the attack kits now available to hackers.

Register’s Dan Goodin reports that a sustained cyber-attack against a handful of niche pornography sites has demonstrated a novel way to inflict major damage on hardened targets using a modest amount of data, a security researcher has warned. The technique — which tricks the Internet’s authoritative name servers into bombarding innocent victims with more data than they can handle — is growing increasingly common, and it is likely only a matter of time before commercial attack kits add it to their arsenal, said Don Jackson, a researcher with Atlanta-based security provider SecureWorks. He also warned there is no easy fix because any remedy will potentially require settings for millions of DNS, or domain-name system, servers to be individually changed.

Goodin writes that the ongoing attacks on several sites related to transvestite porn work by sending hundreds of thousands of domain name servers (DNS) a steady stream of packets that contain little more than the character “.”. The queries, which are forged so they appear to have been sent from sites such as ladyboydolls.com and triplexbonanza.com, prompt the DNS servers to respond to the targets with a list of the Internet’s root servers, responses that contain about eight times more data than the initial request. “The amplifiers in this attack are name servers configured to what is considered best practices,” Jackson told the Register. Preventing the attack will require administrators to make changes to the software running each vulnerable DNS server on the Internet, he added.
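To make the size asymmetry concrete, here is an added example (not code from the article, the Register, or SecureWorks) that encodes the query the article describes, a question for “.” of type NS, and a constructed referral answer listing the 13 root-server names with placeholder glue addresses, then reports the response-to-request ratio. The root-server names are the real published ones; the IPv4 addresses are documentation-range placeholders, and the exact factor a real resolver yields depends on what it includes (glue, EDNS, name compression), so the figure produced here illustrates the mechanism rather than reproducing the article’s “about eight times”.

```python
import struct

# Constructed example: the 13 root-server names as published in the root hints; the IPv4
# glue addresses are placeholders from the documentation range, not the real root IPs.
ROOT_NS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]
ROOT_A = [f"198.51.100.{i}" for i in range(1, 14)]

NS, A = 2, 1  # RR type codes (RFC 1035)


class Message:
    """Tiny DNS wire-format writer (RFC 1035 section 4) with name compression (section 4.1.4)."""

    def __init__(self, txid: int, flags: int, counts: tuple) -> None:
        # counts = (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)
        self.buf = bytearray(struct.pack(">HHHHHH", txid, flags, *counts))
        self.offsets: dict = {}  # name suffix -> offset of its first occurrence in the message

    def name(self, name: str) -> None:
        """Append a domain name; reuse an earlier occurrence of any suffix as a 2-byte pointer."""
        labels = [l for l in name.strip(".").split(".") if l]
        out = b""
        while labels:
            suffix = ".".join(labels)
            if suffix in self.offsets:
                out += struct.pack(">H", 0xC000 | self.offsets[suffix])
                self.buf += out
                return
            self.offsets[suffix] = len(self.buf) + len(out)
            out += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        # The root label is a single zero byte, which is all that "." encodes to.
        self.buf += out + b"\x00"

    def question(self, qname: str, qtype: int) -> None:
        self.name(qname)
        self.buf += struct.pack(">HH", qtype, 1)  # QCLASS IN

    def rr(self, owner: str, rtype: int, ttl: int, write_rdata) -> None:
        """Append a resource record; RDLENGTH is patched once the (possibly compressed) RDATA is known."""
        self.name(owner)
        self.buf += struct.pack(">HHIH", rtype, 1, ttl, 0)
        start = len(self.buf)
        write_rdata(self)
        struct.pack_into(">H", self.buf, start - 2, len(self.buf) - start)


def build_query(txid: int = 0x1234) -> bytes:
    """The request the article describes: one question for '.' NS, little more than the root label."""
    msg = Message(txid, 0x0100, (1, 0, 0, 0))  # RD set, one question
    msg.question(".", NS)
    return bytes(msg.buf)


def build_root_referral(txid: int = 0x1234) -> bytes:
    """Constructed answer: 13 NS records for '.' plus A glue in the additional section."""
    msg = Message(txid, 0x8180, (1, len(ROOT_NS), 0, len(ROOT_A)))  # QR, RD, RA set
    msg.question(".", NS)
    for ns in ROOT_NS:
        msg.rr(".", NS, 518400, lambda m, ns=ns: m.name(ns))
    for ns, addr in zip(ROOT_NS, ROOT_A):
        msg.rr(ns, A, 518400, lambda m, addr=addr: m.buf.extend(int(o) for o in addr.split(".")))
    return bytes(msg.buf)


def amplification(ip_udp_overhead: int = 0) -> float:
    """Bytes the reflector emits per byte the sender spends; pass 28 to count IPv4+UDP headers."""
    q = len(build_query()) + ip_udp_overhead
    r = len(build_root_referral()) + ip_udp_overhead
    return r / q


if __name__ == "__main__":
    print(f"query {len(build_query())} bytes, response {len(build_root_referral())} bytes")
    print(f"payload amplification {amplification():.1f}x, on the wire {amplification(28):.1f}x")
```

The query is 17 bytes of UDP payload; the compressed answer section alone comes to 228 bytes, the size a resolver typically returns for the root NS set, and the glue roughly doubles that. Counting IP and UDP headers brings the on-the-wire ratio down to about 10x, which is why a botnet of modest size can still saturate a victim’s link.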

The attacks began in mid January and have used some 750,000 DNS servers to spew about 5 Gbps worth of junk response packets at one victim alone, said Phil Rosenthal, CTO of ISPrime, an Internet provider for one of the sites being attacked. Not bad work for a botnet that Jackson estimates is made up of fewer than 2,000 infected machines. The company has since been able to mitigate the attack using a variety of methods.

The amplification technique exploits an artifact in the Internet’s DNS from the days when it was considered harmless for a name server to respond to misdirected name queries with the name of a more appropriate server to send the request to. Read together, RFCs 1034, 1035, and 1912 call for name servers that are queried for the location of the root servers to honor the request, Jackson and others say. “There’s really no reason to tell the requester that information,” said Randal Vaughn, a professor of information systems at Baylor University and an expert in DNS amplification. “The problem is more related to the fact that at one time DNS servers would need to ask each other for help. When name servers started out, there were assumptions made that requests are legitimate, so we’ll answer them.”
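From the resolver operator’s side, the servers Jackson calls the “amplifiers”, the abuse shows up in the query log as bursts of root NS questions arriving from the same (spoofed) source. The following added example, not code from the article or from any DNS vendor, parses a constructed BIND-9-style query log and reports clients whose per-second rate of “.” NS queries exceeds a threshold. The flagged address is the victim whose name is being forged, not the attacker, so the appropriate reaction is the per-server configuration change the article describes (answering recursive and root-hint queries only for the operator’s own clients), not blocking the flagged address.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on BIND 9's query-log line format. All addresses come from the
# documentation ranges and the traffic pattern is invented for this illustration.
SAMPLE_LOG = """\
10-Feb-2009 03:14:15.002 client 203.0.113.7#3381: query: . IN NS + (198.51.100.53)
10-Feb-2009 03:14:15.004 client 192.0.2.10#51022: query: www.example.com IN A + (198.51.100.53)
10-Feb-2009 03:14:15.009 client 203.0.113.7#3381: query: . IN NS + (198.51.100.53)
10-Feb-2009 03:14:15.013 client 203.0.113.7#3381: query: . IN NS + (198.51.100.53)
10-Feb-2009 03:14:15.021 client 192.0.2.11#40011: query: . IN NS + (198.51.100.53)
10-Feb-2009 03:14:15.030 client 203.0.113.7#3381: query: . IN NS + (198.51.100.53)
10-Feb-2009 03:14:15.044 client 203.0.113.7#3381: query: . IN NS + (198.51.100.53)
10-Feb-2009 03:14:16.101 client 192.0.2.10#51023: query: mail.example.com IN MX + (198.51.100.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse(log_text: str):
    """Yield (timestamp to the second, client_ip, qname, qtype) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts, m["ip"], m["qname"], m["qtype"]


def root_ns_queries_per_second(log_text: str) -> Counter:
    """Count root NS queries per (client, second); the client is the spoofed source, i.e. the victim."""
    counts = Counter()
    for ts, ip, qname, qtype in parse(log_text):
        if qname == "." and qtype == "NS":
            counts[(ip, ts)] += 1
    return counts


def suspected_victims(log_text: str, per_second_threshold: int = 3) -> dict:
    """Clients whose root NS query rate exceeds the threshold within any single second."""
    worst = defaultdict(int)
    for (ip, ts), n in root_ns_queries_per_second(log_text).items():
        worst[ip] = max(worst[ip], n)
    return {ip: n for ip, n in worst.items() if n > per_second_threshold}


if __name__ == "__main__":
    for ip, rate in suspected_victims(SAMPLE_LOG).items():
        print(f"{ip}: {rate} root NS queries in one second; likely spoofed reflection target")
```

On the constructed sample the single host 203.0.113.7 is reported (five root NS queries within one second), while the lone root query from 192.0.2.11 and the ordinary A and MX lookups are left alone; the threshold is an assumption and should be tuned to the server’s normal traffic.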