Millions of vulnerable routers could be inadvertently helping to fuel the escalation in massive DNS Amplification DDoS attacks

If you ever wanted proof of the growing sophistication and skill of cyber-criminals, then you need look no further than Distributed Denial of Service (DDoS) attacks. DDoS attacks let cyber-attackers temporarily suspend or crash the services of a host connected to the Internet. It had been thought that targeted security defences were sufficient to combat such threats, but hackers have unfortunately confounded most security procedures and have consistently managed to stay one step ahead of the game. Hackers upped the ante in 2013 by adopting new tactics which boost the size of DDoS attacks. These more sophisticated threats, or ‘Amplification Attacks’, specifically target weaknesses in UDP-based protocols. Research has shown that by far the most commonly used tactic among modern-day hackers is DNS (Domain Name System) Reflection Denial of Service (DrDoS).

The DNS Reflection Denial of Service (DrDoS) technique exploits security weaknesses in the Domain Name System (DNS) Internet protocol. Because DNS runs over UDP, which performs no handshake, the attacker can forge (spoof) the source address of each query, setting it to that of the targeted victim: what this means is that every reply goes to the target, and the target of the attack receives the replies from all of the DNS servers that were used. The problem with this type of attack is that the victim only sees traffic from legitimate DNS servers, which makes it very difficult to identify the malicious sources.
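The reflection mechanism above leaves a characteristic trace in a resolver's own logs: a single "client" address (really the spoofed victim) sending many small queries that draw very large responses. The following is an added example, not code from the original article or from Nominum; the log format, the sample records and the thresholds are all constructed assumptions, and in practice the query-count threshold would be far higher than five.

```python
# Added example (not from the original article): flag DNS amplification abuse
# in a resolver's query log. The log line format below is an assumption.
from collections import defaultdict

# Constructed sample lines: time, client IP, qtype, qname, query bytes, response bytes.
# 198.51.100.7 is the spoofed victim being flooded; the other two are normal clients.
SAMPLE_LOG = """\
12:00:01 198.51.100.7 ANY example.org 40 3100
12:00:01 198.51.100.7 ANY example.org 40 3100
12:00:02 198.51.100.7 ANY example.org 40 3100
12:00:02 198.51.100.7 ANY example.org 40 3100
12:00:03 198.51.100.7 ANY example.org 40 3100
12:00:03 192.0.2.10 A www.example.org 45 61
12:00:04 192.0.2.11 AAAA mail.example.org 48 76
"""

def parse_line(line):
    ts, client, qtype, qname, qsize, rsize = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname,
            "qsize": int(qsize), "rsize": int(rsize)}

def find_amplification(log_text, min_queries=5, min_factor=10.0):
    """Return {client: (query_count, amplification_factor)} for clients whose
    small queries draw disproportionately large responses. In a reflection
    attack the 'client' is the spoofed victim address, so a hit names the
    address this resolver is being used to flood, not the real attacker."""
    stats = defaultdict(lambda: [0, 0, 0])  # queries, query bytes, response bytes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["client"]]
        s[0] += 1
        s[1] += rec["qsize"]
        s[2] += rec["rsize"]
    flagged = {}
    for client, (count, qbytes, rbytes) in stats.items():
        factor = rbytes / qbytes if qbytes else 0.0
        if count >= min_queries and factor >= min_factor:
            flagged[client] = (count, round(factor, 1))
    return flagged

if __name__ == "__main__":
    for client, (count, factor) in find_amplification(SAMPLE_LOG).items():
        print(f"{client}: {count} queries, {factor}x amplification; likely spoofed victim")
```

A resolver or ISP can rate-limit or drop responses to a flagged address (as Response Rate Limiting does) without touching the ordinary clients that fall below the thresholds.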

So just how serious has this problem become? Well, new research carried out by DNS provider Nominum has revealed that DNS-based DDoS amplification attacks have increased significantly in recent months; what’s more, hackers are now not just targeting larger businesses, but are starting to use small office and home routers to amplify the bandwidth. The Nominum report worryingly claims that more than 24 million home routers, the majority of which (800,000 routers) are located in the UK, are vulnerable to various firmware flaws which allow hackers to gain unauthorised access and modify DNS settings.

Nominum claims that such attacks could be causing ISPs and their users to participate unknowingly in massive Internet DNS-based Distributed Denial of Service (DDoS) attacks. To illustrate the scale of the threat, Nominum estimates that even a simple attack is capable of creating tens of Gbps of traffic, which can disrupt provider networks, enterprises, websites and individuals anywhere in the world. Figures show that in February alone more than five million home routers were used to generate DDoS attack traffic, and in January more than 70 per cent of total DNS traffic on one provider’s network was associated with DNS amplification. Nominum claims that the impact of amplification attacks on ISPs could potentially be massive, as malicious traffic not only consumes bandwidth, but also damages the reputation of the ISP and increases support costs:

“Existing in-place DDoS defences do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” claimed Sanjay Kapoor, CMO and SVP of Strategy, Nominum.

“Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies. ISPs today need more effective protections built into DNS servers. Modern DNS servers can precisely target attack traffic without impacting any legitimate DNS traffic.”

DDoS attacks have increased significantly as hackers have become more adept at working around network security. In 2013 a massive 300Gbps DDoS attack was launched against the Spamhaus website, which paralysed the Internet. In early 2014 hackers succeeded in launching a massive DDoS attack which targeted the European data servers of content-delivery and anti-DDoS protection firm CloudFlare, reaching more than 400Gbps at the peak of its traffic. In March 2014 the US-CERT also issued an alert listing the UDP protocols identified as at potential risk of being used in Amplification Attacks, including DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol and Steam Protocol.

What can be done to minimise the risks? Well, to reduce the threat of DrDoS attacks, users are advised to change the default username and password of their routers and to ensure that they have up-to-date router firmware installed with the current security patches. To further reduce the threat, the router’s management interface (and any DNS proxy it runs) should only be accessible from the local network or LAN, never from the Internet-facing side. On a broader note, it is recommended that businesses get expert advice from information security specialists such as KRYPSYS. KRYPSYS’ services are focused on helping companies assess their security posture against current and evolving security threats and advising on the risks to which they are exposed.

If your business needs help with security reviews, penetration testing or web security solutions, please contact Krypsys on 01273 044072 or [email protected].