“When nobody hates you, nobody knows you’re alive.” – Diplomacy, by Chris Smither
During the last week of July, a series of steadily escalating cyber attacks directed at my Web site and hosting provider prevented many readers from being able to reach the site or read the content via RSS. Sorry about that. What follows is a post-mortem on those digital sieges, which featured a mix of new and old-but-effective attack methods.
Junk traffic sent by a DNS amplification attack.
I still don’t know who was attacking my site or why. It’s not as if the perpetrator(s) sent a love letter along with the traffic flood. There was one indication that a story I published just hours before the attacks began — about a service for mass-registering domain names used for malware, spam and other dodgy business — may have struck a nerve: In one of the attacks, all of the assailing systems were instructed to load that particular story many times per second.
Oddly enough, the activity began just one day after I’d signed up with Prolexic. The Hollywood, Fla. based company helps businesses fend off distributed denial of service (DDoS) attacks, assaults in which miscreants knock targeted sites offline by flooding them with garbage traffic. Prolexic was among several anti-DDoS companies that offered to help earlier this year, when KrebsOnSecurity.com came under a separate spate of debilitating attacks.
The first DDoS campaigns consisted of several hundred systems repeatedly requesting image-heavy pages on my site. Prolexic’s analysts say the traffic signatures of these attacks matched that of a family of kits sold in the underground that allow anyone to quickly create their own botnet specifically for launching DDoS attacks. Both are believed to have been created by the same individual(s) behind the Dirt Jumper DDoS toolkit. The traffic signatures from the attack strongly suggest the involvement of two Dirt Jumper progeny: Di-BoTNet and Pandora.
Image courtesy Prolexic
Pandora is the latest in the Dirt Jumper family, and features four different attack methods. According to Prolexic, the one used against KrebsOnSecurity.com was Attack Type 4, a.k.a “Max Flood”; this method carries a fairly unique signature of issuing POST requests against a server that are over a million bytes in length.
Pandora’s creators boast that it only takes 10 PCs infected with the DDoS bot to bring down small sites, and about 30 bots to put down a mid-sized site that lacks protection against DDoS attacks. They claim 1,000 Pandora bots are enough to bring Russian search engine giant yandex.ru to a crawl, but that strikes me as a bit of salesmanship and exaggeration. Prolexic said more than 1,500 Pandora-infected bots were used in the assault on my site.
The third sortie was by far the largest, and employed a very effective method known as a DNS reflection attack. In such attacks, the perpetrators are able to leverage unmanaged DNS servers on the Web to create huge traffic floods.
Typically, DNS servers only provide services to machines within a trusted domain. But DNS reflection attacks rely on consumer and business routers equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web. Attackers can send spoofed DNS queries to these so-called “open recursive” DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address. Indeed, I used this tool to check dozens of Internet addresses that were seen sending my site replies to spoofed DNS lookups, and all were home to open recursive DNS servers.
Open recursive DNS servers leveraged in the attack.
The bad guys also can craft DNS queries so that the responses are much bigger than the requests; they do this by taking advantage of an extension to the DNS protocol that enables large DNS messages. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously. And this is exactly the approach they used with the DNS attacks on my site.
The DDoS problem overall is not going away and seems to be worsening. As illustrated above, it’s never been easier to build your own DDoS bot army. The Pandora/Dirt Jumper bot toolkits are designed to allow miscreants to quickly conscript attackers and then dissolve the attacking army. And a proliferation of consumer-grade and SOHO routers deployed by ISPs that are unmanaged all but ensures the raw firepower for reflected DNS attacks will remain a nuisance for some time.
According to a recent report by Arbor Networks, DDoS attacks have grown 82% since June 2011. “The general availability of botnets and DDoS tools has led to larger, more frequent and more complex attacks,” the report notes. “Multi-vector attacks can take sites and services down, and keep them down, for longer periods.”