Millions of routers open to criminal exploitation, study shows

More than 24 million routers worldwide could be used by cyber criminals to launch DDoS attacks, a study shows

More than 24 million routers around the world could be used by cybercriminals to launch massive distributed denial of service (DDoS) attacks, a study has revealed.

These routers have open domain name system (DNS) proxies that expose internet service providers (ISPs) to DNS-based DDoS attacks, according to research by telecoms software firm Nominum.

In February 2014, more than 5.3 million of these routers were used to generate attack traffic, according to the research, which concludes that highly targeted DNS defences are required to fill the security gaps.

During an attack in January 2014, more than 70% of total DNS traffic on a provider’s network was associated with DNS amplification.

A DNS amplification attack is a reflection-based DDoS attack in which the attacker spoofs look-up requests to DNS servers to hide the source of the exploit and direct the response to the target.

The attacker turns a small DNS query into a much larger payload directed at the target network.

This is achieved by pretending to be the target network using IP address spoofing and sending a request to a vulnerable router, which passes on the request to an ISP’s DNS server.

But the DNS server will give a response that is much larger than the original request, and that amplified response is passed to the target, which appears to have made the request.

By using a botnet of thousands of hijacked computers to make requests using IP address spoofing, attackers can carry out disruptive DDoS attacks that swamp ISP networks and websites.
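The amplification ratio described above is also what a resolver operator can measure to spot a reflection attack in progress: the spoofed "client" that receives many large responses to tiny queries is the victim. The following detection logic is an added example, not code from the article or from Nominum; the log format and sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample resolver log (not from the article). Fields:
# timestamp client_ip qtype qname request_bytes response_bytes
SAMPLE_LOG = """\
1391000001 203.0.113.7 ANY isc.org 64 3200
1391000001 203.0.113.7 ANY isc.org 64 3200
1391000002 203.0.113.7 ANY isc.org 64 3200
1391000002 203.0.113.7 ANY ripe.net 62 2900
1391000003 198.51.100.20 A example.com 45 61
1391000003 198.51.100.21 AAAA example.net 47 75
1391000004 203.0.113.7 TXT isc.org 64 1800
"""


def parse_log(text):
    """Parse whitespace-separated resolver log lines into dicts."""
    records = []
    for line in text.splitlines():
        ts, client, qtype, qname, req, resp = line.split()
        records.append({"ts": int(ts), "client": client, "qtype": qtype,
                        "qname": qname, "req": int(req), "resp": int(resp)})
    return records


def amplification_report(records, min_factor=10.0, min_queries=3):
    """Aggregate per client IP, which in a reflection attack is the spoofed victim.

    Returns {client_ip: (query_count, amplification_factor)} for clients whose
    total response bytes exceed total request bytes by at least min_factor and
    that sent at least min_queries queries. A legitimate stub resolver rarely
    sustains that ratio; a flooded victim does.
    """
    totals = defaultdict(lambda: [0, 0, 0])  # queries, request bytes, response bytes
    for r in records:
        t = totals[r["client"]]
        t[0] += 1
        t[1] += r["req"]
        t[2] += r["resp"]
    flagged = {}
    for client, (n, req, resp) in totals.items():
        factor = resp / req if req else 0.0
        if n >= min_queries and factor >= min_factor:
            flagged[client] = (n, round(factor, 1))
    return flagged
```

In the sample, 203.0.113.7 is flagged at roughly 45x amplification while the two ordinary A/AAAA lookups are not; an operator would feed such a list to a per-destination response rate limiter rather than blocking the IP outright, since it belongs to the victim.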

Nominum notes that DNS is the most popular protocol for launching amplification attacks and that DNS amplification attacks can cause major damage while requiring little skill or effort.

For this reason, the research indicates, DNS-based DDoS amplification attacks have increased significantly in recent months.

A simple attack can create 10Gbps of traffic to disrupt provider networks, enterprises, websites, and individuals anywhere in the world, said Nominum.

Traffic from amplification amounts to trillions of bytes a day disrupting ISP networks, websites and individuals, the research showed.

But because vulnerable routers mask the target of an attack, it is difficult for ISPs to determine the ultimate destination of amplified traffic.

The amplified traffic also has a costly impact on ISPs because it clogs networks, damaging an ISP's reputation and customer satisfaction, and causes spikes in support calls about service disruption.

“Existing in-place DDoS defenses do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” said Sanjay Kapoor, senior vice-president of strategy at Nominum.

“Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies,” he said.

According to Kapoor, ISPs need more effective protections built into DNS servers to enable them to target attack traffic proactively without impacting any legitimate DNS traffic.