Anti-DDoS Service Abused to Send DDoS Attack of 1.5 Billion Packets Per Minute
Distributed Denial of Service (DDoS) attacks in the past typically involved a large number of compromised systems or servers overwhelming a target by sending large volumes of packets at rapid rates. In recent months, DDoS attack methods have taken a turn and are reaching previously unbelievable request rates.
Recently, hackers have adopted new DDoS techniques such as NTP and DNS amplification attacks. Just a few months ago, cyber criminals hit CloudFlare with the largest DDoS attack to date, at 400Gbps, using an NTP reflection based DDoS attack.
A new report released by website security firm Incapsula investigates another large-scale DDoS attack, in which an attacker abused two major anti-DDoS service providers to carry out a massive DDoS attack on a number of other websites.
Incapsula researchers noticed a surge in massive DNS DDoS attacks on one of the firm's clients, peaking at approximately 25Mpps (million packets per second). The researchers reported, “With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend – one that can endanger even the most hardened network infrastructures.”
The attacker used a DNS DDoS attack, or DNS flood, which is completely different from, and far more powerful than, the previously and most commonly used DNS amplification attacks, both in the method of attack and in how the attack is delivered.
DNS amplification attacks are asymmetrical DDoS attacks in which the attacker spoofs the source address of its DNS queries so that it appears to be the victim's. The victim therefore receives the much larger DNS responses from every DNS server used in the attack. “With these attacks the offender’s goal is to achieve network saturation by continuously exhausting the target’s bandwidth capacity,” Incapsula wrote.
DNS DDoS attacks are completely different from DNS amplification attacks. DNS DDoS attacks are evenly distributed DNS floods in which the attacker tries to exhaust the server's hardware with large numbers of UDP requests generated by malicious scripts running on a number of compromised machines. Such attacks are measured in packets sent per second, which in turn makes them larger than DNS amplification attacks.
“With DNS amplification, the effectiveness of an attacker’s own resources is increased by anywhere from 300% to 1000%, which means that large attacks could be initiated by relatively small botnets”, says the report. “On the other hand, with DNS floods there is no multiplier to speak of at all. This means that, in order to generate a DNS flood at the rate of 25Mpps, the offender needs access to an equally powerful botnet infrastructure.”
Using this same DNS flood technique, the attacker pushed malicious requests through two different servers at a rate of 1.5 billion DNS requests per minute. Over the course of the 7-hour attack, the attackers sent over 630 billion requests in total.
Both servers abused in the attack belonged to anti-DDoS service providers, one based in Canada and the other in China. Incapsula notified the providers after the attack had stopped, and both firms dropped the clients responsible for the attack.
“Malicious misuse of security solutions is anything but new. However, this is the first time we encountered ‘rogue’ scrubbing servers used to carry out large-scale DDoS attacks. This fact, combined with the inherent danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous,” the researchers stated.
DNS amplification DDoS attacks can be mitigated by blocking unexpected DNS responses arriving on port 53. DNS floods, by contrast, are far more difficult to defend against: the traffic looks legitimate, so it is not possible to simply drop DNS queries to mitigate an attack. Such attacks can be defended against by processing each query individually at the server level, but that is difficult to do successfully. On the other hand, DNS floods depend entirely on the attacker's own resources.
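As an added illustration of the distinction drawn above between amplification and floods, and of why only the former can be filtered at the network edge, the following Python classifier (example code, not from Incapsula's report) runs over constructed traffic records; the resolver address, typical query size and rate threshold are assumptions.

```python
from collections import defaultdict

# Constructed UDP/53 traffic as seen at a victim's network edge. Each record is
# (timestamp_seconds, source_ip, is_dns_response, payload_bytes). Assumption:
# 10.0.0.53 is the only resolver this network queries, so responses from any
# other host are reflections nobody here asked for.
KNOWN_RESOLVERS = {"10.0.0.53"}
TYPICAL_QUERY_BYTES = 60  # assumed size of an ordinary DNS query packet


def summarize_dns_traffic(records, known_resolvers=KNOWN_RESOLVERS, flood_qps=10):
    """Separate reflected amplification traffic (unsolicited responses) from a
    DNS flood (a high rate of legitimate-looking queries from many hosts)."""
    unsolicited = [r for r in records if r[2] and r[1] not in known_resolvers]
    queries = [r for r in records if not r[2]]

    # Queries per one-second bucket; the peak rate is the flood indicator.
    per_second = defaultdict(int)
    for t, _src, _is_resp, _size in queries:
        per_second[int(t)] += 1
    peak_qps = max(per_second.values(), default=0)

    amplification_pct, verdicts = None, []
    if unsolicited:
        # Reflected bytes relative to the small queries that triggered them.
        amplification_pct = (100 * sum(r[3] for r in unsolicited)
                             // (len(unsolicited) * TYPICAL_QUERY_BYTES))
        verdicts.append("amplification: drop unsolicited responses from udp/53")
    if peak_qps >= flood_qps:
        # These queries look legitimate, so blanket dropping is not an option;
        # only per-source rate limits and per-query processing apply.
        verdicts.append("flood: per-source rate limits, per-query processing")

    return {"unsolicited_responses": len(unsolicited),
            "amplification_pct": amplification_pct,
            "peak_qps": peak_qps,
            "query_sources": len({r[1] for r in queries}),
            "verdicts": verdicts}


# Constructed traffic: one genuine reply, five reflected 500-byte responses
# from an open resolver never queried here, and twelve queries inside one
# second from twelve distinct hosts.
SAMPLE_RECORDS = (
    [(0.10, "10.0.0.53", True, 120)]
    + [(0.20 + i * 0.01, "203.0.113.7", True, 500) for i in range(5)]
    + [(1.00 + i * 0.05, f"198.51.100.{i}", False, 60) for i in range(12)]
)
```

Calling `summarize_dns_traffic(SAMPLE_RECORDS)` flags both patterns at once: the reflected responses come out at roughly 833% of query size, within the 300% to 1000% range quoted from the report, while the twelve-source burst trips the flood threshold with nothing to filter on but rate.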
Distributed Denial of Service attack methods seem to be evolving at a rapid rate, and attacks appear to grow larger each day. DDoS trends show no sign of stopping, and attackers will find every weakness in infrastructures to build larger attacks.