The FBI said that a distributed denial-of-service (DDoS) attack potentially targeted a state-level voter registration site.
In a Private Industry Notification (PIN) released on February 4, the FBI said that a state-level voter registration and voter information website received a high volume of DNS requests over the period of a month. Those requests were consistent with a Pseudo Random Subdomain (PRSD) attack, a type of DDoS attack that attempts to disrupt DNS record lookups by flooding a domain's authoritative servers with queries for names that do not exist.
At one point, the suspected attack’s DNS requests increased more than tenfold from 15,000 to 200,000.
The FBI provided additional analysis of these requests in its PIN, as reported by Bleeping Computer:
The DNS requests had source IP addresses belonging to recursive DNS servers, obfuscating the originating host(s) or attacker, and were largely for non-existent subdomains of the targeted website. During a sample three-minute window, 24 IP addresses used by recursive DNS servers made 2,121 DNS requests. A small sample of the DNS request traffic contained roughly 1,020 requests for unique subdomains, of which 956 were single requests for non-existent subdomains which appeared to be randomly generated.
At the end of its PIN, the FBI provided some mitigation techniques that organizations can use to defend themselves against a DDoS attack. It specifically recommended that organizations implement automated patching of their operating system, web browser and software. Additionally, the FBI urged organizations to develop an incident response plan that included a DDoS mitigation strategy.
This anti-DDoS plan should consist of several elements. First, organizations should invest in technology, expertise and training to help them determine the difference between a potential DDoS attack and a normal spike in network or web traffic. They should then use this familiarity to notify their Internet Service Provider if they suspect a potential attack is in progress.
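The traits the PIN's analysis lists (queries arriving from a handful of recursive resolvers, mostly for non-existent subdomains, most of them asked exactly once, with random-looking labels) and the plan's first element (telling an attack from a normal traffic spike) can both be turned into a simple scoring check over an authoritative server's query log. The following is an added example, not code from the FBI PIN, Bleeping Computer or the article; the log format, the zone name `example-vote.test`, the thresholds and the sample records are all constructed for illustration.

```python
"""Detection heuristics for a Pseudo Random Subdomain (PRSD) DNS flood.

Added example, not code from the FBI PIN or the article. It scores one time
window of authoritative-server query records for the traits described in the
PIN: a few recursive-resolver sources, mostly NXDOMAIN answers, most distinct
subdomains seen exactly once, random-looking labels, and a query rate far
above the zone's normal baseline. Thresholds, the log format and the zone
name are assumptions made for the example.
"""
import hashlib
import math
from collections import Counter, defaultdict

ZONE = "example-vote.test"          # hypothetical zone standing in for the real site

# Detection thresholds: assumed values; tune against your own baseline.
NXDOMAIN_RATIO_MIN = 0.8            # share of answers that were NXDOMAIN
SINGLE_HIT_FRACTION_MIN = 0.8       # share of distinct subdomains seen once, as NXDOMAIN
RATE_MULTIPLIER_MIN = 5.0           # observed qps divided by baseline qps


def parse_query_log(text):
    """Parse lines of the constructed form '<source_ip> <qname> <rcode>'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, qname, rcode = line.split()
        records.append((src, qname.lower().rstrip("."), rcode.upper()))
    return records


def subdomain_label(qname, zone=ZONE):
    """Part of qname below the zone apex ('' for the apex itself)."""
    if qname == zone:
        return ""
    suffix = "." + zone
    return qname[: -len(suffix)] if qname.endswith(suffix) else qname


def shannon_entropy(label):
    """Bits per character; random labels score higher than dictionary words."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def analyze_window(records, window_seconds, baseline_qps, zone=ZONE):
    """Score one window of query records for PRSD traits and a rate anomaly."""
    total = len(records)
    if total == 0:
        raise ValueError("empty window")
    per_label = defaultdict(lambda: {"count": 0, "nx": 0})
    for _, qname, rcode in records:
        entry = per_label[subdomain_label(qname, zone)]
        entry["count"] += 1
        if rcode == "NXDOMAIN":
            entry["nx"] += 1
    nx_total = sum(e["nx"] for e in per_label.values())
    # Distinct names requested exactly once and answered NXDOMAIN: the PIN's key signal.
    single_nx = sum(1 for e in per_label.values() if e["count"] == 1 and e["nx"] == 1)
    labels = [lab for lab in per_label if lab]
    mean_entropy = sum(shannon_entropy(lab) for lab in labels) / len(labels) if labels else 0.0
    observed_qps = total / window_seconds
    rate_multiplier = observed_qps / baseline_qps if baseline_qps > 0 else math.inf
    metrics = {
        "total_queries": total,
        "sources": len({src for src, _, _ in records}),
        "unique_subdomains": len(per_label),
        "nxdomain_ratio": nx_total / total,
        "single_hit_nx_fraction": single_nx / len(per_label),
        "mean_label_entropy": mean_entropy,
        "rate_multiplier": rate_multiplier,
    }
    # A spike alone is not an attack; require the PRSD shape as well as the rate jump.
    metrics["suspicious"] = (
        metrics["nxdomain_ratio"] >= NXDOMAIN_RATIO_MIN
        and metrics["single_hit_nx_fraction"] >= SINGLE_HIT_FRACTION_MIN
        and rate_multiplier >= RATE_MULTIPLIER_MIN
    )
    return metrics


def build_attack_sample(n_random=40):
    """Constructed PRSD-like window: six resolver IPs, one-off random NXDOMAIN names."""
    lines = [
        "198.51.100.7 www.example-vote.test NOERROR",
        "198.51.100.8 register.example-vote.test NOERROR",
        "198.51.100.7 lookup.example-vote.test NOERROR",
        "198.51.100.9 www.example-vote.test NOERROR",
    ]
    for i in range(n_random):
        # Deterministic stand-in for a randomly generated label (constructed data).
        label = hashlib.sha256(f"prsd-{i}".encode()).hexdigest()[:10]
        lines.append(f"203.0.113.{i % 6 + 1} {label}.example-vote.test NXDOMAIN")
    return "\n".join(lines)


def build_benign_sample():
    """Constructed normal window: repeated lookups of real names from a few clients."""
    names = ["www", "register", "lookup"]
    return "\n".join(
        f"198.51.100.{i % 3 + 7} {names[i % 3]}.example-vote.test NOERROR" for i in range(20)
    )


if __name__ == "__main__":
    for name, sample in (("attack", build_attack_sample()), ("benign", build_benign_sample())):
        m = analyze_window(parse_query_log(sample), window_seconds=10, baseline_qps=0.5)
        print(name, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in m.items()})
```

Run stand-alone, the attack window is flagged (about 91% NXDOMAIN, 93% of distinct names seen once, 8.8 times the assumed baseline rate) while the benign window, although it is also above baseline, is not, because its answers are all NOERROR for a few repeated names. The point of combining the three signals is exactly the one the plan makes: a rate jump by itself is what a legitimate surge around a registration deadline looks like, so the shape of the queries, not just their volume, is what you report to your ISP or DNS provider.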
Organizations can use this resource to learn additional tips that will help them defend against a DDoS attack.