How massive DDoS attacks leverage the Internet’s DNA

March 10th, 2014

sh_DDoS glove425pxBy Byron Acohido, Last Watchdog

The bad guys are taking full advantage of the squishy parts of the Internet’s DNA. The result: massive DDoS attacks are disrupting Internet commerce, and slowing down the speed of the web.

Meetup.com, the popular community groups’ hub with 16 million users, was recently destabilized for several days by a gargantuan DDoS assault.

The Meetup incident followed disclosures of two Web-shaking DDoS attacks that took all-hands-on-deck efforts to quell by U.S. security firm CloudFlare and French hosting company OVH, respectively.

Meanwhile, the daily rounds of DDoS assaults launched by ideologues and extortionists continue to rise in magnitude, while sucking up vast amounts of the Internet’s  bandwidth. This is continuing even as companies and organizations are spending millions to defend against such attacks.

Security firm Sucuri on Monday reported the detection of compromised web servers hosting 162,000 legit WordPress blogs participating in a sustained DDoS attack directed at a single customer’s website.

“This really is an ongoing battle and we’re at a point like when gunpowder was first invented,” says David Holmes, senior security evangelist at F5. “The attackers have figured out that there are cool new ways to amplify their attacks.”

More: Q&A with Akamai CSO Andy Ellis on why DDoS is easy.

DDoS stands for distributed denial of service. DDoS campaigns inundate a targeted web site with nuisance requests, making the site inaccessible to the intended users.

The latest, greatest attacks are unprecedented in scale and intensity. In the early 2000s, a DDoS attack that sent nuisance traffic to your website at the rate of 10 gigabytes per second, could knock your site offline.

Growth curve

One year ago (March 2013) a DDoS campaign bombarded the anti-spam website SpamHaus with nuisance traffic arriving at 300 gigabytes-per-second. Not only did that knock the heavily fortified SpamHaus off line, it also slowed down Internet service across Europe.

Now consider this: so-called volumetric DDoS attacks that security firms CloudFlare and Prolexic (which was  recently acquired by Akamai for $370 million) are defending against have begun topping 400 gigabits per second.

Prince

Prince

“A 100 gigabyte per second attack doesn’t even wake up our operations team anymore,” says Matthew Prince, CloudFlare’s CEO. “But a 400 gigabyte per second attack certainly does.”

The good guys are scrambling to absorb and thus mitigate volumetric DDoS attacks, which can last for hours, days or longer — and spill over and clog wide swaths of the Internet.

It used to be de rigueur for an attacker to direct a network of, say, 10,000 infected computers, which he might otherwise be using to spread spam, to directly and continually send nuisance requests  to the targeted website until it shut down.

But companies like Prolexic and CloudFlare came along with systems to help companies absorb such nuisance traffic, and thus keep sites under DDoS attack accessible to its legit users.

Pumping up the volume

So the bad guys have found a way to pump up the volume by turning the attack sequence topsy turvy.

Instead of sending botnet traffic directly to the target, they begin by spoofing  the URL address of the targeted web site in such a way that the routine exchange of basic data that makes websites appear in our browsers goes wildly haywire.

They do this by manipulating the Domain Name System and Network Time Protocol, two of the Internet’s squishy cornerstones.

DNS servers are the web’s phone book; they resolve URL addresses that humans can read, such as acme.com, into a specific IP address, such as 12.34.567.8.  NTP servers make it possible to synchronize the time clocks on  all of the computers in a given network to a main server.

In a DNS amplification attack, the attacker tricks DNS servers into sending the targeted website up to 50 times more traffic than they normally would, says Prince. A  NTP amplification attack works much the same way, but with intensified firepower. A loosely configured NTP server can be tricked into issuing traffic aimed at a targeted website at a volume 200 times greater than it should, says Prince.

Why is this so? It’s because the Internet was conceived and created as a military/academic experiment in distributed computing where anonymity was built in, and all participants were assumed to be trustworthy.  It’s founders never intended the Internet to be a globe-spanning, highly-authenticated, highly-secure commercial network.

“The ability to launch these attacks has been latent in the network since almost the birth of the Internet,” Prince says.

The bad guys have finally gotten around to focusing on these gaping vulnerabilities. Prolexic reports that DDoS attack volume increased month-to-month in 2013 with a 30% spike in volumetric attacks.

And data centers are increasingly becoming the focus of DDoS attacks. A  recent survey from network monitoring and security vendor Arbor Networks found 70 % of centers experiencing a rise in attacks in 2013, with multiple respondents reporting large DDoS attacks above 100 gigabytes per second.

Small business stop gap

Small businesses with meager resources are vulnerable, as well. One basic precaution small businesses that maintain their own web servers can take it to consider use of virtual private servers says John Zurawski, Vice President of Sales and Marketing at authentication vendor Authentify.

“A virtual private server is a hybrid between dedicated servers and shared hosting,” Zurawski explains. “You have your own copy of the OS, your own server partitions and you can control what applications are installed as opposed to shared hosting. “

Meanwhile, the spike in volumetric attacks has served as a wake up call to ISPs and hosting companies to tighten down security of DNS and NTP servers.

“What’s worrisome is that these latest rounds are exploiting reflectors that are fundamental to Internet functionality,” says Andy Ellis, CSO at content delivery giant Akamai Technologies, adding that “the loss of DNS and NTP would be critical indeed.”

Even as more work is done to shore up DNS and NTP, the bad guys look to be in good shape to maintain the upper hand, with respect to finding and exploiting numerous other squishy parts of the Internet’s foundations, says Internet pioneer Paul Vixie, CEO of Farsight Security.

Universal fix?

Vixie

Vixie

Vixie should know. He helped create the non-profit Internet Systems Consortium and is the principal author of BIND DNS, the most widely used DNS server software on the Internet.

Amplified attacks akin to the DNS and NTP reflection bombardments now clogging the Internet can be traced back to the almost universal practice of failing to verify the source address of a packet of data that is received and forwarded, he says.

Vixie maintains that this core component of how the Internet is architected — it’s root DNA, if you will –  makes it easy for attackers to spoof packets in endless clever ways that can trigger volumetric DDoS traffic.

When the Internet was created, there was no need to validate the source addresses of the small cadre of military and academic participants, who all knew each other, trusted each other  and kept each other accountable.

Today, the Internet has evolved into the world’s digital distribution vehicle. Anonymity, for better or worse, is baked in. There’s no putting the genie back in the bottle. And arguably the most troubling aspect is that no major player has an incentive to be the first to begin source address validation.

“When you weigh the costs and benefits of adding equipment, doing the training and changing configurations, and then you ask the question, ‘where are the offsetting benefits?,’ there really are none,” observes Vixie. “Everyone gets safer. But you get nothing.

“The only universal fix is all about forcing other people’s networks to do source address validation,” Vixie asserts. “If you do it (source address validation) you’ll increase costs and risks and the benefits goes to others.”