DDoS Protection Services hacked to arrange powerful DNS DDoS attack

Pierluigi Paganini May 16, 2014

Security Experts at Incapsula have recently detected a powerful DNS DDoS attack organized by attackers abusing DDoS Protection Services servers.

Experts at Incapsula have detected early this month a powerful DNS DDoS attack that was launched from high-capacity servers, but the alarming news is that the attackers have abused resources of two separate DDoS protection service providers.

On May 1st, a powerful attack has hit an unnamed online gaming website, the offensive lasted for about seven hours flooding the target with 25 million packets per second (mpps).

“Several days ago one of our clients became the target of a massive DNS DDoS attack, peaking at approximately 25Mpps (Million packets per second). The attack fit the description of other recently reported DNS floods, like the one that brought down UltraDNS earlier this month. ” Writes Igal Zeifman, product evangelist with Incapsula, in a blog post.

The attackers hijacked traffic of two separate high-capacity servers belonging to unnamed DDoS protection service providers, located in Canada and in China, they directed the flaw against the online gaming platform.

“Any service providers that offer indiscriminative access to high-powered servers helps the offenders to outgrow these limitations. In this case, the security vendors played right into the hackers’ hands, by equipping them with high-capacity resources, able to generate billions upon billions of unfilterable DDoS requests – enough to pose a serious threat to even to the most overprovisioned servers.”

The experts at Incapsula consider the attack as part of an evolving new trend that targets also most resistant structure. The attackers, contrary to what normally happen for DNS DDoS attack haven’t spoofed IP data, making easy to discover the origin of the offensive.

“Interestingly enough, in this case, the DNS queries contained non-spoofed IP data that allowed us to uncover the attacker’s true points of origin.” “All told, these were hitting our network at a rate of 1.5 Billion DNS queries a minute, amounting to over 630 Billion requests during the course of the 7 hour-long DDoS attack.” reports Incapsula.

Both companies involved in the DNS DDoS attack have confirmed to Incapsula that their servers were abused.

dns ddos attack Incapsula

“However, this is the first time we encountered “rogue” scrubbing servers used to carry out large-scale DDoS attacks. This fact, combined with the inherit danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous.” Zeifman said.

Let me close with a clarification, as highlighted in the post a DNS DDoS is very different from a DNS DDoS amplification attack,a DNS amplification is an asymmetrical DDoS attack in which the attacker floods target with query with spoofed IP to solicit the recipient of much larger DNS responses.

DNS DDoS floods are symmetrical DDoS attacks, they are used to consume server-side assets (e.g. Memory or CPU) while a DNS amplification attack exhausts the target’s bandwidth with a multitude of UDP requests.

This is the beginning of an alarming trend, the cybercrime is exploring new methods to monetize its effort.

Pierluigi Paganini

(Security Affairs –  DNS DDoS, cybercrime)  

you might also like

leave a comment