More than 24 million routers around the world could be used by cybercriminals to launch massive distributed denial of service (DDoS) attacks, a study has revealed.
In February 2014, more than 5.3 million of these routers were used to generate attack traffic, according to the research, which concludes that highly targeted DNS defences are required to fill the security gaps.
During an attack in January 2014, more than 70% of total DNS traffic on a provider’s network was associated with DNS amplification.
The attacker turns a small DNS query into a much larger payload directed at the target network.
This is achieved by pretending to be the target network using IP address spoofing and sending a request to a vulnerable router, which passes on the request to an ISP’s DNS server.
But the DNS server will give a response that is much larger than the original request, and that amplified response is passed to the target, which appears to have made the request.
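The amplification mechanism above leaves a distinctive trace on the resolver that answers the forwarded queries: a small number of claimed client addresses receive far more response bytes than they send in query bytes. The following Python script is an added example, not code from the article or from Nominum; it uses a constructed, hypothetical log format (claimed client address, query type, name, query bytes, response bytes) and constructed sample lines, and flags clients whose aggregate response/query byte ratio is high. Because the client address is the one claimed in the spoofed packet, a flagged address identifies the host being flooded through this resolver, which is exactly the destination the article says ISPs struggle to determine.

```python
"""Flag likely DNS amplification abuse from resolver query/response records.

Added example (not from the article or Nominum). Log format is hypothetical:
one whitespace-separated record per answered query:
    <claimed client ip> <qtype> <qname> <query bytes> <response bytes>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: one address repeatedly asks ANY/TXT for a name
# with a large answer (classic amplification pattern), the rest look ordinary.
SAMPLE_LOG = """\
198.51.100.7 ANY example.com 48 3200
198.51.100.7 ANY example.com 48 3200
198.51.100.7 TXT example.com 52 1800
198.51.100.7 ANY example.com 48 3200
198.51.100.7 ANY example.com 48 3200
203.0.113.5 A www.example.org 45 61
203.0.113.5 AAAA www.example.org 45 73
203.0.113.9 A mail.example.net 46 62
"""


@dataclass
class ClientStats:
    """Per claimed-client byte counters plus the query types seen."""
    queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0
    qtypes: dict = None

    @property
    def amplification(self) -> float:
        """Aggregate response bytes per query byte (the amplification factor)."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


def parse_log(text: str) -> dict:
    """Aggregate records by claimed client address."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qtype, _name, q_bytes, r_bytes = line.split()
        s = stats[client]
        if s.qtypes is None:
            s.qtypes = {}
        s.queries += 1
        s.query_bytes += int(q_bytes)
        s.response_bytes += int(r_bytes)
        s.qtypes[qtype] = s.qtypes.get(qtype, 0) + 1
    return dict(stats)


def flag_amplification(stats: dict, min_queries: int = 3, min_ratio: float = 10.0) -> list:
    """Return claimed clients that sent at least min_queries and whose aggregate
    response/query ratio is at least min_ratio. Thresholds are illustrative.

    Under spoofing the claimed address is the victim, so a hit means "this
    address is being flooded via this resolver", not "this host is attacking".
    """
    return sorted(c for c, s in stats.items()
                  if s.queries >= min_queries and s.amplification >= min_ratio)


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for client in flag_amplification(stats):
        s = stats[client]
        print(f"{client}: {s.queries} queries, x{s.amplification:.1f} amplification, "
              f"qtypes={s.qtypes}")
```

On the constructed sample the only hit is 198.51.100.7, with roughly 60x amplification driven by ANY and TXT queries; the ordinary A/AAAA lookups stay near a ratio of 1. In a real deployment the same aggregation is the input to per-client response rate limiting or to refusing recursion for addresses outside the ISP's own ranges, which removes the resolver from the amplification path without touching legitimate traffic.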
By using a botnet of thousands of hijacked computers to make requests using IP address spoofing, attackers can carry out disruptive DDoS attacks that swamp ISP networks and websites.
Nominum notes that DNS is the most popular protocol for launching amplification attacks and that a DNS amplification attack can cause major damage while requiring little skill or effort.
For this reason, the research indicates, DNS-based DDoS amplification attacks have significantly increased in recent months.
A simple attack can create 10Gbps of traffic to disrupt provider networks, enterprises, websites, and individuals anywhere in the world, said Nominum.
Traffic from amplification amounts to trillions of bytes a day disrupting ISP networks, websites and individuals, the research showed.
But because vulnerable routers mask the target of an attack, it is difficult for ISPs to determine the ultimate destination of amplified traffic.
The amplified traffic also has a costly impact on ISPs because it clogs networks, damaging an ISP's reputation and customer satisfaction, and causes spikes in support calls about service disruption.
“Existing in-place DDoS defenses do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” said Sanjay Kapoor, senior vice-president of strategy at Nominum.
“Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies,” he said.
According to Kapoor, ISPs need more effective protections built into DNS servers to enable them to target attack traffic proactively without impacting any legitimate DNS traffic.