Fibre Internet service provider Cool Ideas has been beleaguered by distributed denial of service attacks (DDoS) over the past few weeks. This has severely degraded performance on its network, even causing an hours-long outage.
This issue is not unique to Cool Ideas. Atomic Access also recently informed MyBroadband that it has been the target of two large-scale DDoS attacks in two months.
According to Nexus Guard’s second-quarter Threat Report for 2019, DNS Amplification attacks have spiked more than 1,000% compared with Q2 2018.
DNS Amplification attacks, also referred to as DNS reflection, use improperly configured Domain Name System (DNS) servers to flood computers with network traffic.
If the flood of bogus traffic is able to overwhelm the computer, it can’t respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.
When the target computer is a web server or critical network infrastructure, such a DDoS attack causes an outage.
Reflection attacks work by requesting information from a server on the Internet, but then tricking it to send its response to the target computer the attacker wants to flood.
DNS servers are a popular choice for such attacks, as they are critical Internet infrastructure and are designed to field millions of requests per second. They are also usually connected to high-bandwidth links to enable them to deal with large amounts of traffic.
Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth. Hence the term: DNS Amplification.
The Nexus Guard report states that the large rise in DNS-amplified attacks, which accounted for 65% of DDoS attacks last quarter, was due to Domain Name System Security Extensions (DNSSEC).
“DNSSEC was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. The extra security DNSSEC provides relies on a resource-intensive data verification process using public keys and digital signatures,” Nexus Guard explained.
In other words, in trying to improve the security of DNS, the potency of DNS amplification attacks have been increased, Nexus Guard said.
Nexus Guard lists the edu.za domain in South Africa as one of the most abused domains for DNS Amplification attacks, second only to 1×1.cz.
Nexus Guard reported that edu.za had 13,524,481 spoofed DNS requests last quarter, accounting for 9.36% of all DNS abuse.
Most attacks originate in the United States, followed by China, and last 90 minutes or less. The multi-hour attacks seen on South African ISPs are therefore unusual. Only 2.42% of attacks last longer than 1,200 minutes.
“The quarterly average was 182.9 minutes, while the longest attack lasted 28 days, 1 hour, and 11 minutes,” Nexus Guard said.
MikroTiK routers are a big culprit here. Not because there is anything inherently insecure about MikroTiK, but because it is a router aimed at advanced users which is easy to misconfigure if you don’t know what you’re doing.
MyBroadband asked several Internet service providers for their insight on this issue. Internet Solutions provided detailed feedback.
“On our MikroTiK devices, we block all port 53 requests from the outside world, also only allowing our management addresses to access the device. This would ensure our devices do not answer port 53 requests on the external interface,” a spokesperson for Internet Solutions told MyBroadband.
It also provided the following steps for securing routers:
- Disable the DNS server/relay feature on the router.
- Apply a filter to remote access protocols and limit management access to a jumphost.
- Research firmware to find all known problems. Upgrade firmware if a new vulnerability is discovered.
This last requirement is a concern. Internet service providers in South Africa have historically not been diligent about ensuring routers installed at client premises are kept up-to-date against the latest vulnerabilities.
Defending against DNS Amplification attacks
When asked how to defend against DNS Amplification attacks, Internet Solutions provided the following feedback:
- Ensure the DNS zones are up-to-date and have no stale entries.
- Don’t allow unauthorised zone transfers.
- Enable DNS Rate Response Limiting (DNS amplification is based on the server getting a small query and responding with a large amount of data. Rate-limit this so a potential attack will be contained and not end up as a DDoS).
- Follow a good vulnerability assessment and patch management process to detect and remediate new vulnerabilities as they emerge.
- Hide your DNS server version. This will prevent crawlers picking up your software version and potentially marking it as a target.
- Disable DNS recursion (stop third-party hosts querying the name servers).
- Apply Operating System hardening to prevent any other backdoor onto the DNS server. This includes two-factor authentication to access the server.
This issue is not unique to Cool Ideas. Atomic Access also recently informed MyBroadband that it has been the target of two large-scale DDoS attacks in two months.
According to Nexus Guard’s second-quarter Threat Report for 2019, DNS Amplification attacks have spiked more than 1,000% compared with Q2 2018.
DNS Amplification attacks, also referred to as DNS reflection, use improperly configured Domain Name System (DNS) servers to flood computers with network traffic.
If the flood of bogus traffic is able to overwhelm the computer, it can’t respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.
When the target computer is a web server or critical network infrastructure, such a DDoS attack causes an outage.
Reflection attacks work by requesting information from a server on the Internet, but then tricking it to send its response to the target computer the attacker wants to flood.
DNS servers are a popular choice for such attacks, as they are critical Internet infrastructure and are designed to field millions of requests per second. They are also usually connected to high-bandwidth links to enable them to deal with large amounts of traffic.
Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth. Hence the term: DNS Amplification.
The Nexus Guard report states that the large rise in DNS-amplified attacks, which accounted for 65% of DDoS attacks last quarter, was due to Domain Name System Security Extensions (DNSSEC).
“DNSSEC was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. The extra security DNSSEC provides relies on a resource-intensive data verification process using public keys and digital signatures,” Nexus Guard explained.
In other words, in trying to improve the security of DNS, the potency of DNS amplification attacks have been increased, Nexus Guard said.
Nexus Guard lists the edu.za domain in South Africa as one of the most abused domains for DNS Amplification attacks, second only to 1×1.cz.
Nexus Guard reported that edu.za had 13,524,481 spoofed DNS requests last quarter, accounting for 9.36% of all DNS abuse.
Most attacks originate in the United States, followed by China, and last 90 minutes or less. The multi-hour attacks seen on South African ISPs are therefore unusual. Only 2.42% of attacks last longer than 1,200 minutes.
“The quarterly average was 182.9 minutes, while the longest attack lasted 28 days, 1 hour, and 11 minutes,” Nexus Guard said.
MikroTiK routers are a big culprit here. Not because there is anything inherently insecure about MikroTiK, but because it is a router aimed at advanced users which is easy to misconfigure if you don’t know what you’re doing.
MyBroadband asked several Internet service providers for their insight on this issue. Internet Solutions provided detailed feedback.
“On our MikroTiK devices, we block all port 53 requests from the outside world, also only allowing our management addresses to access the device. This would ensure our devices do not answer port 53 requests on the external interface,” a spokesperson for Internet Solutions told MyBroadband.
It also provided the following steps for securing routers:
- Disable the DNS server/relay feature on the router.
- Apply a filter to remote access protocols and limit management access to a jumphost.
- Research firmware to find all known problems. Upgrade firmware if a new vulnerability is discovered.
This last requirement is a concern. Internet service providers in South Africa have historically not been diligent about ensuring routers installed at client premises are kept up-to-date against the latest vulnerabilities.
Defending against DNS Amplification attacks
When asked how to defend against DNS Amplification attacks, Internet Solutions provided the following feedback:
- Ensure the DNS zones are up-to-date and have no stale entries.
- Don’t allow unauthorised zone transfers.
- Enable DNS Rate Response Limiting (DNS amplification is based on the server getting a small query and responding with a large amount of data. Rate-limit this so a potential attack will be contained and not end up as a DDoS).
- Follow a good vulnerability assessment and patch management process to detect and remediate new vulnerabilities as they emerge.
- Hide your DNS server version. This will prevent crawlers picking up your software version and potentially marking it as a target.
- Disable DNS recursion (stop third-party hosts querying the name servers).
- Apply Operating System hardening to prevent any other backdoor onto the DNS server. This includes two-factor authentication to access the server.