New DDoS attack based on deluge of dotsFebruary 15, 2009 – 10:46 AM
A technique for worsening the effects of a distributed denial-of-service-type attacks uses a feature in the DNS system that was once designed to be helpful. Patching it could involve reconfiguring millions of domain-name servers, or even rethinking how the system works.
A DDoS attack, of course, involves bombarding a target site with garbage so no other traffic can get through. Some attackers, especially the ones who do these attacks for a living (think extortion), amplification techniques that increase the flow of packets while further disguising the true source of the onslaught. One of these, which SecureWorks is currently examining, leverages a feature in the domain-name system, making it appear that the victim’s computer is lost and in need of a list of all the root domain nameservers. That’s a long list, and the forged command is quite short — in fact, it’s “.” . A tiny effort on behalf of the attacker, therefore, is leveraged into a significant amount of DDoS distress.
All an attacker has to do in the new style is spoof the source and insert the IP address of the target, so the earlier fixes, which managed the problem in terms of recursivity, don’t hold the fort. (The SecureWorks link above includes configuration advice for diligent sysadmins.) Some observers estimate that attackers using the technique have been able to leverage as many as 375 domain-name servers for every infected machine in their botnet.