Anonymous, DNS Amplification Attacks for Operation Global Blackout

In this first couple of months of 2012 we have assisted to an escalation of cyber attacks made by  groups of hacktivist, first Anonymous, that have hit main institutions and agencies all over the world. The modus operandi of the group is now well known, attacks that have crippled many victims were mainly of DDoS type, in this way the group has made many web sites inaccessible.

Despite the large number of operations carried out successfully, from the attack to FBI to the one against the CIA, up to now have been warded off attacks capable of making inaccessible the whole Internet. For a long time now, in Internet has persistently circulated the news of a possible attack on a global scale which has as its goal to bring down the entire Internet’s Domain Name System (DNS) called a “troll” by members of Anonymous.

Many experts believe the group is working for some time to a new generation of cyber weapon to use in future operations. Until today much of the success of the operation made by the group is related to two main factors, the surprise effect and the critical mass of supporters engaged in the actions. This means that in addition to conventional tools for DDoS (e.g. LOIC) it’s normal to expect the genesis of new methods of attack.

What would be an effective and attractive attack technique for the group of hacktivist?

A highly efficient method is known as DNS Amplification Attacks, although known for years could be extremely damaging to the current structure of the internet, let’s examine it in detail.

The Domain Name System (DNS) is implemented through a tree-like system of delegations. A recursive process is used to follow the chain of delegations, starting at the Root zone, and ending up at the domain name requested by the client. A recursive name server may need to contact multiple authoritative name servers to resolve given name. Ideally, a recursive name server should only accept queries from a local, or authorized clients but in reality many recursive name servers accept DNS queries from any source. To worsen the situation, many DNS implementations enable recursion by default, even when the name server is intended to only serve
Authoritative data. We say that a name server is an “open resolver” if it provides recursion to non-local users.

 

The DNS system has a hierarchical structure, at the top there are the “root” nameservers containing information on where to find the nameservers responsible for the next level down in the hierarchy, the nameservers for things like “.com” and “.org” and “.uk.” In turn, those nameservers contain information about the next level of the hierarchy and so on.

Imagine that we are interested to resolve the name securityaffairs.co so a client send the request to the DNS server. The root server will provide info regarding the “.co” and info regarding the next level in the structure “securityaffairs” domain. The “securityaffairs” nameserver is then able to provide the actual binding from the logical name and related IP address. Resuming a recursive process is used to follow the chain of delegations, starting at the Root zone, and ending up at the domain name requested by the client. A recursive name server may need to contact multiple authoritative name servers to resolve given name (e.g. www.net.compsci.googleplex.edu).

Let’s image the availability of a Botnet that send spoofed address queries to an Open Resolver causing it to send responses to the spoofed-address target. In this way the Resolver became the cyber gun against the victims, for which we have spoofed the address, participating in an attack on it.
This way to operate on a DNS ROOT server is called “recursive mode”, a client sends the request to the DNS server for the entire name then leaves it to perform all the necessary requests (either recursive or iterative) on its behalf.

There is also another mode to resolve a logical name called “interactive mode“, in this case the resolver first queries the root nameservers for the top-level domain’s nameservers, then queries the top-level domain’s nameservers for the second level domain’s nameservers, and so on and so forth. The resolver contacts the different nameservers directly to make the complete translation.

Of course to speed up the described process are used caching mechanism by the name servers involved. This is the vulnerability in the process. The response to a DNS query can be considerably larger than the query itself. In the best (or worst) case, a query of just a few dozen bytes can ask for every name within a domain and receive hundreds or thousands of bytes in the response. Each request sent to a DNS server include a source address to which the reply should be sent, but this IP address can be spoofed, in this way is, a request can be sent from one IP address but the DNS server will think it was sent from a different address replying it.

The attack is really dangerous considering also the critical masses usable by groups of activist and considering also that typically a DNS query consisting of a 60 byte request that can be answered with responses of over 4000 bytes, amplifying the response packet by a factor of 65. In literature there are several variant of the attack one of them include a query only for the root name servers, the home of the Internet’s root DNS servers. Because there are a large number of root name servers, and because the implementation of DNS-SEC has added certificate data to root server responses, the data returned for each request is about 20 times larger than the request packet.

The attack method is really powerful, in fact sending a small amount of data that compose a DNS request is it possible to redirect large quantity of data to a spoofed address, so sending a large number of requests to the server it is possible to flood the victims with the replies. The different size between the dimension of the request and related response is called “amplification” attacks. To hide the origin of the attacks it is possible to modify the header of each UDP request this means that group like Anonymous could maintain anonymity adopting VPNs.

Which are the main effects of this kind of attacks?

A DNS recursion attack is essentially an amplification DoS attack.  There are sever related effects like:

  1. DNS servers configured to provide recursion receive the spoofed requests and generate replies to the spoofed address (i.e., the victim). The performance of these systems may be negatively affected when processing the spoofed requests.
  2. The spoofed DNS requests query the root name servers, part of the internet’s critical infrastructure, indirectly affecting them.
  3. The traffic then traverses the internet backbone, effecting the internet service provider and any upstream providers until it reaches the intended target.
  4. The intended target receives large amounts of inbound DNS replies that could consume all available resources on its router, depending on available bandwidth. Even if the traffic is reduced through rate limiting or other bandwidth throttling measures, the attack could impact other legitimate business along the path of the attack.

How to avoid this type of attacks?

It’s simple, it is enough to disable recursion as recommended by US-CERT bulletins, but as usual this setting for DNS ignored. Given enough servers that enable recursion, large quantities of traffic can be produced from relatively modest numbers of queries. The Internet Engineering Task Force has proposed a best practices to solve the problem, an approach to “ingress filtering” of packets, called BCP 38, that would block forged traffic like DNS amplification attacks. But the proposal hasn’t moved very far forward since it was first submitted in 2000.The best countermeasures against DNS amplification must be taken on server side do not return replies to “.” queries and return shorter responses, reducing the amplification process.  Another option is the limitation of DNS requests to authorized clients.

The interest in the attack technique of the group of hackers has been shown by a document published recently on Pastebin announcing an operation called “Operation Global Blackout” an attack on the Internet’s root DNS servers.

Many experts are convinced that a similar attack would have little chance of success for several technical reasons. Despite their position I believe is fundamental to share information about what is considerable of a vulnerability in a process, hoping that the problem is not overlooked with disastrous consequences.

That is why I have chosen to write this article … Awareness first of all.

Pierluigi Paganini

References

http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-global-blackout.html

http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

http://arstechnica.com/business/news/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon.ars/1

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

10 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

15 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

20 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

23 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

2 days ago

This website uses cookies.