Researchers have disclosed details of a powerful DNS DDoS attack that leveraged the infrastructure of several anti-DDoS service providers. The attack peaked at a magnitude of approximately 25Mpps (million packets per second) and may be indicative of a new, evolving trend.
“The DNS queries contained non-spoofed IP data that allowed us to uncover the attacker’s true points of origin. When we did, we were surprised to learn that the malicious requests were originating from servers of two other anti-DDoS service providers – one based in Canada, the other in China,” the researchers noted.
“All told, these were hitting our network at a rate of 1.5 Billion DNS queries a minute, amounting to over 630 Billion requests during the course of the 7 hour-long DDoS attack.”
The researchers made clear that these were not DNS amplification attacks but a clever misuse of “rogue” scrubbing servers to mount a large-scale DDoS attack with non-amplified DNS floods, making the technique “devastatingly dangerous.”
“In this case, the security vendors played right into the hackers’ hands, by equipping them with high-capacity resources, able to generate billions upon billions of unfilterable DDoS requests – enough to pose a serious threat to even the most overprovisioned servers.”
They go on to explain the difference: DNS amplification attacks are asymmetrical, in that a small look-up query sent with a spoofed source IP makes the target receive large DNS responses that overwhelm its bandwidth capacity, whereas DNS floods are symmetrical and attempt to exhaust server-side resources with a large number of UDP requests.
“With DNS amplification, the effectiveness of an attacker’s own resources is increased by anywhere from 300% to 1000%, which means that large attacks could be initiated by relatively small botnets. On the other hand, with DNS floods there is no multiplier to speak of at all,” the researchers stated.
“This means that, in order to generate a DNS flood at the rate of 25Mpps, the offender needs access to an equally powerful botnet infrastructure,” such as those maintained by anti-DDoS services “with their proximity to the Internet’s backbone and wide traffic pipes.”
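The asymmetric-versus-symmetric distinction drawn above is exactly what a defender can measure on the wire: an abused reflector answers small queries with much larger responses, while a flood shows roughly equal query and response sizes, a high query rate, and (because the sources are not spoofed) a small set of real origins that can be traced. The following is an added example, not code from the article or the researchers it quotes. It builds a constructed set of DNS packets as seen at three servers and classifies each server by response/query byte ratio and query rate; the thresholds (3.0x, following the 300% lower bound quoted above, and a toy 100 qps in place of the article's 25Mpps) are assumptions chosen for the sample.

```python
"""Toy classifier separating amplification-style from flood-style DNS abuse.

Added example, not code from the article or the researchers it quotes. Every
packet below is constructed; IPs are documentation ranges (RFC 5737).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    ts: float     # seconds since capture start
    src: str      # source IP as seen on the wire (may be spoofed)
    dst: str      # destination IP
    kind: str     # "query" or "response"
    nbytes: int   # UDP payload length


def build_sample():
    """Construct synthetic traffic for three DNS servers over a 10 s window."""
    pkts = []
    # Server A (192.0.2.53): amplification pattern. One "source" (a spoofed
    # victim address), tiny queries, very large responses sent back to it.
    for i in range(200):
        pkts.append(DnsPacket(i * 0.05, "203.0.113.9", "192.0.2.53", "query", 60))
        pkts.append(DnsPacket(i * 0.05 + 0.001, "192.0.2.53", "203.0.113.9", "response", 3000))
    # Server B (192.0.2.54): symmetric flood. Twenty real, non-spoofed sources
    # each sending many ordinary queries; responses are about the same size.
    for i in range(2000):
        src = f"198.51.100.{i % 20 + 1}"
        pkts.append(DnsPacket(i * 0.005, src, "192.0.2.54", "query", 70))
        pkts.append(DnsPacket(i * 0.005 + 0.001, "192.0.2.54", src, "response", 110))
    # Server C (192.0.2.55): benign background at a few queries per second.
    for i in range(30):
        src = f"198.51.100.{200 + i}"
        pkts.append(DnsPacket(i * 0.3, src, "192.0.2.55", "query", 70))
        pkts.append(DnsPacket(i * 0.3 + 0.001, "192.0.2.55", src, "response", 120))
    return pkts


def summarize(pkts, window_s):
    """Per-server query rate, response/query byte ratio and top query sources."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "sources": Counter()})
    for p in pkts:
        if p.kind == "query":
            s = stats[p.dst]          # the server being asked
            s["queries"] += 1
            s["qbytes"] += p.nbytes
            s["sources"][p.src] += 1
        elif p.kind == "response":
            stats[p.src]["rbytes"] += p.nbytes  # the server answering
    out = {}
    for server, s in stats.items():
        out[server] = {
            "qps": s["queries"] / window_s,
            # bytes sent back per byte received: ~1 for a flood, >>1 for reflection
            "amp": s["rbytes"] / s["qbytes"] if s["qbytes"] else 0.0,
            "distinct_sources": len(s["sources"]),
            "top_sources": s["sources"].most_common(3),
        }
    return out


def classify(summary, qps_threshold=100.0, amp_threshold=3.0):
    """Label each server. Thresholds are toy values chosen for the sample:
    3.0x follows the 300% figure quoted in the article; 100 qps stands in for
    a real deployment's rate baseline (the article's attack ran at 25Mpps)."""
    verdicts = {}
    for server, m in summary.items():
        if m["amp"] >= amp_threshold:
            verdicts[server] = "amplification"   # server is being used as a reflector
        elif m["qps"] >= qps_threshold:
            verdicts[server] = "flood"           # server is the victim of a symmetric flood
        else:
            verdicts[server] = "normal"
    return verdicts


if __name__ == "__main__":
    summary = summarize(build_sample(), window_s=10.0)
    for server, verdict in classify(summary).items():
        m = summary[server]
        print(f"{server}: {verdict:<13} qps={m['qps']:.1f} amp={m['amp']:.2f} "
              f"sources={m['distinct_sources']} top={m['top_sources']}")
```

The two verdicts call for different responses: a reflector verdict points to response rate limiting and closing the resolver to unsolicited sources, while a flood verdict points to per-source rate limiting and, as the researchers did, contacting the owners of the non-spoofed top sources the summary surfaces.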