Possibly related DDoS attacks cause DNS hosting outages

In at least one case a provider's authoritative DNS servers were used to amplify DDoS attacks using DNS reflection

Distributed denial-of-service (DDoS) attacks that could be related have in the past few days slammed the DNS servers of at least three providers of domain name management and DNS hosting services.

DNSimple, easyDNS and TPP Wholesale all reported temporary DNS service outages and degradation on Monday, citing DDoS attacks as the reason. In some cases the attacks started a few days ago and are ongoing.

TPP Wholesale, a subsidiary of Sydney-based Netregistry, one of Australia's largest providers of Web hosting, domain management and other online services, alerted its customers through its website on Monday that eight of its DNS servers experienced "unscheduled service interruption."

TPP Wholesale experienced a series of DDoS attacks against its DNS name servers over the past several days, the Netregistry Group Security Team said in a blog post. The company managed to mitigate the DDoS attacks that caused service interruptions throughout Monday by taking "the drastic step" of rate-limiting DNS queries, the team said.

Such aggressive filtering is prone to false positives and might result in some customers being denied DNS service. "In the next few days we will continue to whitelist such false positives as we discover them," the team said.

EasyDNS, a DNS hosting provider based in Toronto, also reported DNS service disruptions caused by a DDoS attack on Monday.

"This looks like a larger version of a smaller DDoS yesterday which was possibly a test run," the company's CEO Mark Jeftovic said Monday in a blog post. "This DDoS attack is different from our previous ones in that it looks as if the target is us, easyDNS, not one of our clients."

Jeftovic said that it was difficult to differentiate the real traffic from the DDoS traffic, but the company managed to partially mitigate the attack and also published workarounds for affected customers. "This is the 'nightmare scenario' for DNS providers, because it is not against a specific domain which we can isolate and mitigate, but it's against easyDNS itself and it is fairly well constructed," he said.

Aetrion, based in Malabar, Florida, operates a DNS hosting service called DNSimple, which was also attacked on Monday. According to DNSimple founder Anthony Eden, the DDoS attack is ongoing, but the company managed to mitigate it.

"Our authoritative name servers were used as an amplifier for an attack against a third-party network," Eden said Tuesday via email. "The attacker essentially flooded us with 'ANY' queries for a variety of domains managed by our DNS service, with the intention of amplifying these small queries into significantly larger responses aimed at a specific network."

This attack technique is known as DNS reflection or DNS amplification. It involves sending queries with a spoofed source IP (Internet Protocol) address -- usually the victim's address -- to DNS servers from a large number of computers in order to trigger long responses to be sent by those servers to victim's IP address within a short time window. If enough computers and DNS servers are used, the resulting rogue DNS traffic will exhaust the victim's available Internet bandwidth.

The DNS reflection technique has been known for a long time. However, its recent use to launch DDoS attacks of unprecedented scale, like the one in March that targeted a spam-fighting organization called Spamhaus, has likely brought it renewed interest from attackers.

The attack experienced by DNSimple on Monday was significantly larger in volume and duration than other attacks that hit the company's name servers in the past, Eden said.

He believes that the attack is related to the ones experienced by easyDNS and TPP Wholesale. "The pattern displayed on TPP Wholesale's blog is similar to what we see, and we have been communicating with easyDNS and find similarities between the attacks."

EasyDNS and TPP Wholesale did not immediately respond to inquiries seeking more information about the recent attacks against their servers and confirmation that they were using DNS reflection techniques.

It's possible that DNS servers operated by other companies were also affected by this attack, Eden said. "A DNS provider will have a significantly higher number of customers and thus the attacks get noticed much sooner because it affects a larger group of people," he said.

DNSimple's authoritative name servers were used to amplify a DDoS attack directed at a server hosting company called Sharktech or one of its customers, Eden said.

Sharktech has noticed a surge of abuse reports in the past 24 hours coming from ISPs and hosting companies complaining about DDoS attacks against their DNS servers that appear to originate from Sharktech, said Tim Timrawi, president and CEO of Sharktech, via email. Upon further investigation the company determined that these reports were actually the result of a DNS amplification attack against its own customers that abused the authoritative DNS servers of those companies, he said.

Most of the affected DNS servers were secured properly and were being queried for domains they are responsible for, Timrawi said. "Unlike previous DNS Amplification Attacks in which the attacker used open recursive DNS servers, in this one, the attacker is collecting all the DNS servers they can find and sending MX (and other kind of queries) to them for their domain records with a spoofed source of the target host," he said.

The amplified DDoS attack targeting Sharktech customers was larger than 40Gbps, Timrawi said. "We are unaware of the reason behind the attacks," he said.

The abuse of authoritative name servers in DNS reflection attacks is not very common because attackers need to know the exact domain names that each abused server is responsible for, said Carlos Morales, vice president of sales engineering and operations at DDoS mitigation provider Arbor Networks. Obtaining this information is not very hard, but it does require additional work compared to abusing open DNS resolvers, and attackers usually prefer the easiest route to reach their goals, he said.

Open DNS resolvers are recursive DNS servers that are configured to accept queries from any computers on the Internet. These act as relays between users and authoritative DNS servers; they receive queries for any domain name, find the authoritative name server responsible for it and relay the information obtained from that server back to the user.

Meanwhile, authoritative name servers, like those operated by DNSimple, easyDNS and TPP Wholesale, will only respond to queries concerning the domain names they serve.

The extra work required to target such servers suggests that the attackers behind the recent attacks on these DNS hosting providers were well prepared and did their homework in advance, Morales said.

One mitigation against this kind of attack is to configure the DNS server software to force all "ANY" queries sent over UDP (User Datagram Protocol) to be resent over TCP (Transmission Control Protocol) instead, Eden said. This can be done by sending a UDP response with the TC bit set and an empty answer section. A legitimate DNS client will retry over TCP, while a bogus client will get no benefit, he said.

In the case of open resolvers, the problem can be mitigated by restricting which IP addresses are allowed to query them, said Morales. For example, an ISP operating a DNS resolver for its customers can restrict its use to only IP addresses from its network, he said.

However, this kind of mitigation is not applicable to authoritative name servers because they are meant to be queried by anyone on the Internet who wants to get information about the specific domain names served by them, Morales said. The mitigation described by Eden is very good and is actually one that Arbor also uses to protect authoritative name servers, he said. Another mitigation is to enforce a query rate limit for source IP addresses, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags arbor networksonline safetyNetworkingHostedinternetInternet service providersNetregistryEasyDNSservicessecurityAetrionTPP Wholesale

More about Arbor NetworksArbor NetworksTPP

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place