A massive DNS distributed denial-of-service (DDoS) attack was reported by US security firm Incapsula on one of its clients. This attack came, ironically, from the servers of two providers of anti-DDoS services.
The attack originated from servers in China and Canada and was directed at the network of an online gaming firm. The company says the incident is part of a dangerous emerging trend, the use of DNS floods, which it says can bring down even the most secured networks.
“We were surprised to learn that the malicious requests were originating from servers of two other anti-DDoS service providers – one based in Canada, the other in China,” the company said in a statement. “All told, these were hitting our network at a rate of 1.5 billion DNS queries a minute, amounting to over 630 billion requests during the course of the seven-hour long DDoS attack.”
Incapsula confirmed the attack was similar to others that targeted its own network, but also similar to DNS floods that have recently affected other companies such as UltraDNS.
“We are now convinced that what we are seeing here is an evolving new trend,” the company stated.
The attackers used the powerful server infrastructure intended for anti-DDoS activities to send out the assault traffic, which peaked at almost 25 million packets per second.
“This is the first time we encountered ‘rogue’ scrubbing servers used to carry out large-scale DDoS attacks,” Incapsula stated. “This fact, combined with the inherent danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous. DDoS protection services, with their proximity to the Internet’s backbone and wide traffic pipes, are specifically designed for high capacity traffic management. This, combined with the fact that many vendors are more concerned with ‘what’s coming in’ as opposed to ‘what’s going out’, makes them a good fit for hackers looking to execute massive non-amplified DDoS attacks.”
DNS floods don’t happen very often because they are not amplified, which means the attacker needs huge computing resources to carry them out. The more common DNS amplification attacks are “asymmetrical”, meaning that a large-scale attack can be launched by a relatively small network of computers.
Although it may not seem so, DNS amplification attacks are relatively easy to defend against, Incapsula said.
“This isn’t the case for seemingly legitimate DNS flood queries, which cannot be dismissed before they are individually processed at the server level,” the company stated. “DNS floods have the potential to bring down even the most resilient of networks. Thankfully, this potential is usually capped by the capacity of the attacker’s own resources.”
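The point above is that a flood of individually well-formed queries cannot be dropped on sight; the server only sees the attack when it looks at rate and volume per source. The following added example (not Incapsula's tooling, and not from the article) shows the kind of per-source rate check an authoritative server operator would run over its own query log. The log format, the IP addresses and the traffic are all constructed for the example; the threshold value is an assumption that would be tuned to the real zone's normal traffic.

```python
"""Per-source DNS query-rate detector over a constructed query-log sample.

Added example, not code from the article or from Incapsula. The log format is
an assumption: one line per query, "<ISO-8601 timestamp> <client-ip> <qname> <qtype>",
as an authoritative server might record it.
"""
from collections import defaultdict
from datetime import datetime


def constructed_log():
    """Build a constructed sample: one ordinary resolver plus two flooding sources."""
    lines = [
        "2014-05-20T10:00:00 198.51.100.7 www.example.com A",
        "2014-05-20T10:00:01 198.51.100.7 mail.example.com MX",
        "2014-05-20T10:00:02 198.51.100.7 www.example.com AAAA",
    ]
    # Two constructed flood sources: 60 queries each spread over two seconds.
    # Every query is a valid name in the zone, so no single line looks wrong;
    # only the rate gives the flood away.
    for src in ("203.0.113.10", "203.0.113.11"):
        for i in range(60):
            lines.append(f"2014-05-20T10:00:0{i % 2} {src} host{i}.example.com A")
    return "\n".join(lines)


def parse_line(line):
    """Split one log line into (timestamp, source ip, query name, query type)."""
    ts, src, qname, qtype = line.split()
    return datetime.fromisoformat(ts), src, qname, qtype


def per_source_rates(log_text):
    """Return {src: {"peak_qps", "total", "distinct_names"}} for every client seen."""
    buckets = defaultdict(lambda: defaultdict(int))  # src -> second -> query count
    names = defaultdict(set)                         # src -> distinct names asked for
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, _ = parse_line(line)
        buckets[src][ts.replace(microsecond=0)] += 1
        names[src].add(qname.lower())
    return {
        src: {
            "peak_qps": max(counts.values()),
            "total": sum(counts.values()),
            "distinct_names": len(names[src]),
        }
        for src, counts in buckets.items()
    }


def flood_sources(log_text, qps_threshold=20):
    """Sources whose peak one-second query rate exceeds the (assumed) threshold."""
    stats = per_source_rates(log_text)
    return sorted(src for src, s in stats.items() if s["peak_qps"] > qps_threshold)


if __name__ == "__main__":
    log = constructed_log()
    for src, s in sorted(per_source_rates(log).items()):
        print(f"{src:15} peak {s['peak_qps']:3} q/s  total {s['total']:3}  "
              f"distinct names {s['distinct_names']}")
    print("sources over threshold:", flood_sources(log))
```

The constructed resolver peaks at one query per second while each flood source peaks at 30, so only the two flood sources are reported. In practice the threshold comes from measuring the zone's real per-resolver rates, and the flagged sources feed a per-client rate limit at the server or an upstream filter rather than a blanket drop, since large public resolvers legitimately send many queries.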
The fact that such high-powered resources can be easily available to attackers in the form of anti-DDoS server networks is very worrying, according to Incapsula.
“In this case, the security vendors played right into the hackers’ hands, by equipping them with high-capacity resources, able to generate billions upon billions of unfilterable DDoS requests – enough to pose a serious threat to even the most overprovisioned servers,” Incapsula wrote.
One third of UK companies recently surveyed by Neustar confirmed that they were hit by DDoS attacks last year, resulting in estimated losses of £240,000 per day. Even Blizzard, maker of hugely popular online games including Starcraft, Diablo and World of Warcraft, was affected by DDoS attacks in Europe last year.