Close on the heels of hackers paralyzing South Korean banks and broadcasters early last week, a huge DDoS attack has been hitting servers worldwide over the last few days, slowing Internet speeds. The alleged attacker, most believe, is an entity called Cyberbunker, evidently miffed by the anti-spam organization Spamhaus's efforts to put a clamp on spammers, Cyberbunker being one of them.
The Spamhaus Project is an international nonprofit organization whose mission is to track the Internet's spam operations and sources, to provide dependable real-time anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spam gangs worldwide.
Quentin Jenkins of Spamhaus writes, "It certainly is the biggest attack ever directed at Spamhaus. Many organizations are not open about the fact that they are attacked at all, let alone about techniques or traffic volumes used in the attack. Spamhaus understands their business and security concerns. However, we feel it is in the best interest of the Internet as a whole to openly discuss the DDoS cyber threat and ways to resolve it."
But how did an attack aimed at one group slow down the Internet across the world, affecting media streaming and sharing sites from Netflix to YouTube? What ordinary Internet users are feeling are the peripheral effects. In this case the attackers directed large volumes of data at Spamhaus's servers: a BBC report says that Spamhaus's servers received up to 300Gb/s through a technique called 'DNS Reflection'.
So what is DNS Reflection? Greg Lindsay, Senior Technical Writer for Windows Server at Microsoft Corporation, explains in a paper published last year at the Security Tech Center: "A DNS amplification attack (aka DNS reflection attack) is a type of distributed denial of service (DDoS) attack that takes advantage of the fact that a small DNS query can generate a much larger response. When combined with source address spoofing, an attacker can direct a large volume of network traffic to a target system by initiating relatively small DNS queries."
"The amplification factor in this type of attack depends on the type of DNS query and whether or not a DNS server (used as a middleman in the attack) supports sending large UDP packets in a response, which is a feature intended to optimize DNS communications. If a DNS server does not support large (>512 bytes) UDP packets in a response, it can revert to TCP. This reduces the effectiveness of an amplification attack because TCP is much less vulnerable to source address spoofing."
Clearly it was this data congestion that led to a cascading effect all across the net. Answering the fundamental question of whether big attacks can cause issues for other parties, Quentin Jenkins says, "Certainly. Core internet infrastructure may be overwhelmed by the amount of traffic involved in an attack. When that happens, all traffic that passes through that part of the Internet is impacted. Compare it to a big highway: If a traffic jam gets big enough, the on-ramps will slow down and fill up, and then the roads to the on-ramps will fill up too. Attacks can be directed at core infrastructure precisely to inflict such collateral damage. With this attack, some collateral damage may have been seen locally, all depending on where you connect to the internet and when you look."
What can DNS Reflection do?
As per Greg Lindsay, the following elements play a part in a DNS reflection attack:
- Open recursion: Name servers on the Internet that have recursion enabled and provide recursive DNS responses to anyone are referred to as "open resolvers." The number of DNS servers providing open recursion on the Internet has been estimated to be anywhere from several hundred thousand to several million. In a DNS amplification attack, the open resolver functions as the source of amplification, receiving a small DNS query and returning a much larger DNS response. These DNS servers are not normally compromised; they are actually functioning as intended.
- Source address spoofing: Source address spoofing alters a packet's return address so that the packet appears to have come from a source other than the sender. In a DNS amplification attack, the source address for the DNS query is spoofed with the target of the attack, similar to a "Smurf" attack. When an open resolver returns a DNS response, this response is incorrectly sent to the spoofed address.
- Botnets: Botnets are groups of online computers that have been compromised by an attacker. Botnets are used in a DNS amplification attack to send DNS queries to open resolvers.
- Malware: Malware can be used to gain access to botnet computers and provide a means to trigger DNS amplification attacks.
- EDNS0: Extension Mechanisms for DNS (EDNS0, as defined in RFC 2671) allow DNS requestors to advertise the size of their UDP packets and facilitate the transfer of packets larger than 512 bytes. Without EDNS0, a 64 byte query can result in (at most) a 512 byte UDP reply, corresponding to an amplification factor of 512/64 = 8x.
- DNSSEC: DNSSEC adds security to DNS responses by providing the ability for DNS servers to validate DNS responses. DNSSEC prevents cache-poisoning attacks, but adds cryptographic signatures, resulting in larger DNS message sizes. As a consequence, DNSSEC also requires EDNS0 support; therefore a server that supports DNSSEC will also support large UDP packets in a DNS response. For these reasons, DNSSEC has been criticized for contributing to DNS amplification attacks.
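To make the amplification arithmetic and the open-resolver/spoofing mechanics above concrete, here is an added example in Python (not code from the original article or from Lindsay's paper). It builds a small DNS query in wire format with and without an EDNS0 OPT record, reads back the advertised UDP payload size to compute the worst-case amplification for that single query, and then runs a simple defender-side check over constructed flow records to flag a host that is receiving large, unsolicited UDP/53 responses from many distinct resolvers, which is what a spoofed-source reflection looks like from the victim's or an ISP's vantage point. The query-building helper, the sample flow records, the IP addresses and the detection thresholds are all constructed for illustration.

```python
"""Added example: EDNS0 amplification arithmetic and a reflection-traffic check."""
import struct
from collections import defaultdict

DNS_PORT = 53
OPT_TYPE = 41          # EDNS0 OPT pseudo-record type (RFC 2671)
CLASSIC_MAX_UDP = 512  # largest UDP reply a client without EDNS0 can receive


def build_query(qname, qtype=255, edns_udp_size=None, txid=0x1234):
    """Build a minimal DNS query in wire format (constructed sample input only).
    qtype 255 is ANY; edns_udp_size, if given, adds an OPT record advertising it."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)   # terminator, QTYPE, QCLASS=IN
    packet = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLENGTH=0
        packet += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return packet


def _skip_name(data, offset):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_edns_udp_size(packet):
    """UDP payload size advertised by the query's OPT record, or 512 without EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(packet, offset) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        offset = _skip_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        if rtype == OPT_TYPE:
            return rclass                                 # CLASS carries the UDP size
        offset += 10 + rdlen
    return CLASSIC_MAX_UDP


def max_amplification(packet):
    """Worst-case bytes-out / bytes-in for one query, as Lindsay's 512/64 = 8x."""
    return parse_edns_udp_size(packet) / len(packet)


def find_reflection_targets(flows, min_resolvers=3, min_ratio=10.0):
    """flows: (src_ip, src_port, dst_ip, dst_port, byte_count) records.
    Flag destinations that receive UDP/53 responses from many distinct resolvers
    while sending (almost) no queries themselves: responses to spoofed queries."""
    resp_bytes, query_bytes, resolvers = defaultdict(int), defaultdict(int), defaultdict(set)
    for src, sport, dst, dport, nbytes in flows:
        if sport == DNS_PORT and dport != DNS_PORT:      # resolver -> client
            resp_bytes[dst] += nbytes
            resolvers[dst].add(src)
        elif dport == DNS_PORT:                           # client -> resolver
            query_bytes[src] += nbytes
    suspects = {}
    for dst, total in resp_bytes.items():
        ratio = total / max(query_bytes.get(dst, 0), 1)
        if len(resolvers[dst]) >= min_resolvers and ratio >= min_ratio:
            suspects[dst] = {"resolvers": len(resolvers[dst]),
                             "response_bytes": total, "ratio": round(ratio, 1)}
    return suspects


# Constructed flow records (documentation-range addresses, not real hosts).
SAMPLE_FLOWS = [
    ("10.0.0.5", 51000, "10.0.0.2", 53, 60),            # normal query ...
    ("10.0.0.2", 53, "10.0.0.5", 51000, 180),           # ... and its modest answer
    ("198.51.100.1", 53, "203.0.113.10", 80, 3800),     # large answers from many
    ("198.51.100.2", 53, "203.0.113.10", 80, 3900),     # resolvers to a host that
    ("198.51.100.3", 53, "203.0.113.10", 80, 4000),     # never sent a query
    ("198.51.100.4", 53, "203.0.113.10", 80, 3700),
]

if __name__ == "__main__":
    plain = build_query("example.com", 255)
    edns = build_query("example.com", 255, edns_udp_size=4096)
    print("no EDNS0:", len(plain), "bytes in, up to", parse_edns_udp_size(plain),
          "out, %.1fx" % max_amplification(plain))
    print("EDNS0 4096:", len(edns), "bytes in, up to", parse_edns_udp_size(edns),
          "out, %.1fx" % max_amplification(edns))
    print("reflection suspects:", find_reflection_targets(SAMPLE_FLOWS))
```

The first half shows why EDNS0 matters to the text's arithmetic: the 29-byte ANY query without an OPT record can draw at most a 512-byte reply (about 17.7x), while the same query advertising a 4096-byte buffer raises the ceiling to roughly 102x. The second half is the signal an operator can act on: a legitimate client's response bytes stay in proportion to its query bytes and come from one resolver, whereas a reflection victim sees large responses from many resolvers with no matching queries, which is the cue to rate-limit or filter UDP/53 responses at the edge and, on the resolver side, to disable open recursion.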