Until now the Internet has mostly faced traditional Distributed Denial of Service (DDoS) attacks, in which a large number of compromised systems flood servers with an enormous volume of traffic; but in the past few months we have seen a marked change in DDoS techniques.
Hackers are using creative but malicious DDoS techniques such as NTP and DNS amplification attacks. Last month we saw how cybercriminals abused a vulnerability in Sohu.com, one of the biggest Chinese video hosting websites, to turn its millions of visitors into participants in a Layer 7 (application layer) DDoS attack of 20 million requests.
According to a new report released by the US-based security solutions provider Incapsula, researchers have observed another interesting DDoS activity in which an attacker abused two major anti-DDoS service providers to carry out a massive DDoS attack on other websites.
It is really EPIC that the very services that should protect websites from DDoS attacks were themselves compromised to perform DDoS attacks on other web services.
Researchers at the security firm noticed a surge of massive DNS DDoS traffic against one of its clients, peaking at approximately 25 Mpps (million packets per second).
"With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend - one that can endanger even the most hardened network infrastructures," reads the report.
This time the attacker used a DNS flood, which is totally different from the DNS amplification attack that hackers have most commonly used until now, both in its method of execution and in the type of damage it aims to inflict.
A DNS amplification attack is an asymmetrical DDoS attack in which the attacker spoofs the source IP address of the queries to that of the targeted victim, so the target receives the replies from all the DNS servers used, making it the recipient of much larger DNS responses. "With these attacks the offender's goal is to achieve network saturation by continuously exhausting the target's bandwidth capacity," Incapsula wrote.
The DNS flood is entirely different: DNS floods are symmetrical DDoS attacks in which the attacker tries to exhaust server-side resources (e.g., memory or CPU) with a large number of UDP requests generated by malicious scripts running on many compromised botnet machines. The packets sent per second are even higher in this case than in a DNS amplification attack.
"With DNS amplification, the effectiveness of an attacker's own resources is increased by anywhere from 300% to 1000%, which means that large attacks could be initiated by relatively small botnets," says the report. "On the other hand, with DNS floods there is no multiplier to speak of at all. This means that, in order to generate a DNS flood at the rate of 25Mpps, the offender needs access to an equally powerful botnet infrastructure."
Using the same DNS flood attack, the attacker managed to send malicious requests through two different servers at a rate of 1.5 billion DNS queries per minute, amounting to over 630 billion requests over the course of the 7-hour-long DDoS attack.
Both servers used by the attacker belong to anti-DDoS service providers, one based in Canada and the other in China. After identifying the attack, Incapsula informed both anti-DDoS vendors, which then dropped the responsible clients from their services.
"Malicious misuse of security solutions is anything but new. However, this is the first time we encountered 'rogue' scrubbing servers used to carry out large-scale DDoS attacks. This fact, combined with the inherent danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous," the researchers said.
A DNS amplification attack can be defended against by dropping all unexpected DNS responses arriving at port 53, whereas DNS flood queries are difficult to distinguish from legitimate DNS queries, and it is not possible to drop all DNS queries in order to mitigate the attack. Flood traffic could be filtered by inspecting each query individually at the server level, but such processing is very difficult to carry out in practice. Fortunately, the impact of a DNS flood depends on the capacity of the attacker's own resources.
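The distinction drawn above between reflected responses (amplification) and symmetric query floods, together with the defence of dropping unexpected responses, as an added example that is not part of Incapsula's report or this article: a small Python analyser that walks a constructed packet list, counts inbound DNS responses with no matching outbound query (the amplification signature a defender can drop) and flags sources whose query rate exceeds a threshold, which is the only handle a flood leaves because each query looks legitimate on its own. The Pkt record, the threshold and every address are assumptions; the traffic is constructed from documentation IP ranges, not a real capture.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    t: float        # seconds since start of capture
    direction: str  # "in" = arrives at the protected server, "out" = leaves it
    peer: str       # remote IP address
    txid: int       # DNS transaction ID
    response: bool  # True if the QR bit is set (a response), False for a query

def analyse(pkts, window=1.0, flood_qps=1000):
    """Count reflected (unsolicited) answers and find sources exceeding flood_qps."""
    pending, unsolicited = set(), 0
    per_src = defaultdict(list)  # timestamps of inbound queries, per source
    for p in pkts:
        if p.direction == "out" and not p.response:
            pending.add((p.peer, p.txid))           # we asked; a reply is expected
        elif p.direction == "in" and p.response:
            if (p.peer, p.txid) in pending:
                pending.discard((p.peer, p.txid))   # legitimate answer
            else:
                unsolicited += 1                    # reflection/amplification sign
        elif p.direction == "in":
            per_src[p.peer].append(p.t)             # a query: legitimate on its own
    flood_sources = []
    for src, ts in per_src.items():
        peak, start = 0, 0  # peak number of queries inside any `window`-second span
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak / window > flood_qps:
            flood_sources.append(src)
    return {"unsolicited_responses": unsolicited, "flood_sources": sorted(flood_sources)}

def build_sample():
    """Constructed traffic, not a real capture: all addresses are documentation ranges."""
    pkts = []
    for i, r in enumerate(["203.0.113.10", "203.0.113.11"]):   # normal lookups
        pkts.append(Pkt(0.1 * i, "out", r, 1000 + i, False))
        pkts.append(Pkt(0.1 * i + 0.02, "in", r, 1000 + i, True))
    for i in range(3):                                          # reflected answers
        pkts.append(Pkt(0.5 + i * 0.01, "in", f"198.51.100.{i}", 7, True))
    for i in range(5):                                          # ordinary client
        pkts.append(Pkt(float(i), "in", "192.0.2.50", 40 + i, False))
    for i in range(1500):                                       # flood source
        pkts.append(Pkt(2.0 + i / 1500, "in", "192.0.2.99", i, False))
    return sorted(pkts, key=lambda p: p.t)
```

On the constructed sample the analyser reports three unsolicited responses and one flood source; in a real deployment the rate threshold must be tuned per resolver, since a flood spread across a large botnet keeps each source below any naive per-source limit.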
As we have all seen, the DDoS trend is changing: to perform massive DDoS attacks, hackers are using every trick available, leveraging the weaknesses of different protocols to boost the size of Distributed Denial of Service (DDoS) attacks.