DDoS Attacks: Variant Foreseen in 2006DNS Attacks One of Methods Used Against Banks
No new distributed denial of service attacks against banks occurred during the week of Oct. 22. The hacktivist group claiming credit for the earlier string of attacks against 10 U.S. banks said it took the week off to observe an Islamic holiday. But additional attacks are expected, if past patterns are an indicator.
Meanwhile, one security vendor says it saw elements of these current DDoS attacks six years ago.
In April 2006, VeriSign identified the then-new type of DDoS attack known as a domain-naming-system reflector attack. A DNS reflector attack overwhelms a site's Web server with spoofed DNS responses. The vendor even published a white paper about the variant, based on traffic patterns it observed at the time.
"This wave of attacks is demonstrative of the continuing evolution of Internet security threats, both in terms of size and complexity," VeriSign wrote. "The purpose of calling attention to this increasing threat is to encourage organizations to begin taking the necessary steps to secure the Internet from this attack vector."
The DNS reflector attack remains relatively rare, but highly effective, says Matt Wilson, a strategic technologist and resident DDoS expert at VeriSign. And it's one of the DDoS methods used during the past several weeks in the attacks on banks, some industry experts have suggested.
"Reflector attacks are effective because you can amplify the traffic hitting the site," Wilson says. DNS reflector attacks can produce traffic five to 10 times more than a normal botnet. When that happens, defense is also five to 10 times more difficult.
"Unless you have tens of hundreds of gigs of capacity there, you can't protect against it," Wilson says. "The problem is scale."
Anatomy of Reflector Attacks
Traffic analyses into the recent wave of attacks on U.S. banks suggest more than one type of DDoS attack was going on at once. Jason Malo, a financial fraud consultant and analyst for CEB TowerGroup, says he believes DNS reflector attacks were used in a few of those attacks (see Bank Attacks: What Have We Learned?).
Wilson would not comment specifically about the recent bank attacks, but he did say DDoS events over the last two years support the notion that attackers are relying on more than one vector.
While typical DDoS attacks just flood sites with hits, DNS reflector attacks flood DNS servers with requests for information. "You don't attack the DNS authoritative server, but you use the reflector attack to maximize the traffic," Wilson says.
When too many requests come in, the server cannot handle the traffic.
"It's not a very common attack because you have to have some knowledge about how to set up the queries," he says. Within the DNS query, attackers create a record within the DNS server, and then the botnet sends packets to the server that have the same IP address as the targeted site.
Ultimately, these DNS reflector attacks are just another variant of a DDoS attack, Wilson says. But these attacks are successful because few organizations properly defend themselves, he says. It's too much traffic for an internal server to manage.
To enhance their defenses, organizations might try working with Internet service providers to see if some of the incoming request traffic can be blocked upstream, before it hits the server. "[But] there are some things their filters can't block or that they won't block," Wilson says.
In the end, Wilson and other industry experts recommend investigating cloud-based solutions that can handle the threat's scale.
So, what types of attacks does Wilson foresee causing the most damage in the coming year and beyond?
He says organizations can expect attacks aimed at Internet protocol version 6, also known as IPv6, and more web-application-focused attacks.
"The attacks of the future won't be worried so much about consuming huge amounts of bandwidth, but instead will be more fine-tuned, pinpointed attacks against a site's infrastructure," he says.
Application-level attacks are a big focus for DDoS vendors, Wilson says. These attacks are hard to detect and even more difficult to prevent because the traffic coming in so closely mimics legitimate traffic.
"That traffic can look just like real traffic, such as a search on the website," he says. "But the searches aimed at the site take up a lot of CPU on the backend, and ultimately take the site down."
Basic attacks designed to distract attention from other events, such as fraud, taking place in the background also will remain concerns, Wilson adds.
To prepare for DNS reflector attacks and other DDoS attack vectors, Wilson says the focus has to be on so-called intelligent routing. "That means you block traffic that you don't need," Wilson says.
"If you have a website, block DNS traffic to it," he says. "You don't need that stuff, so why not block it?"
Next Wave of Attacks
The hacktivist group known as Izz ad-din al-Qassam, which is taking credit for the DDoS hits, announced in an Oct. 23 Pastebin post it had halted attacks in honor of Eid al-Adha, a three-day holiday. The group did not say when it might resume attacks, but it did state that its sole interest is disruption - not to commit fraud.
"We have already stressed that the attacks launch only to prevent banking services temporarily throughout the day & there is no stealing or handling of money in our agenda," the group posted. "So if others have done such actions we don't assume any responsibility for it. Every day we are giving a compulsive break to all employees of one of the banks & its customers."