
Enormous DNS DDoS attack originates from anti-DDoS service providers

Attackers are leveraging anti-DDoS (distributed denial of service) service providers to carry out huge DNS DDoS attacks, among the largest seen for some time.


One of the attacks, all of which were spotted by Incapsula, peaked at around 25 million packets per second and the security firm is now speculating that this signals a new trend.

“With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend - one that can endanger even the most hardened network infrastructures,” stated the report from Incapsula.

Because the DNS queries used in the attack carried non-spoofed source IP addresses, Incapsula was able to trace them to their origin: two anti-DDoS service providers, one in Canada and the other in China. Incapsula notified both; each acknowledged the attacks and immediately dropped the responsible parties from its service.

The DNS flood used in these attacks is quite different from the commonly employed DNS amplification attack, both in how it is executed and in the level of disruption it can cause.

A DNS amplification attack is asymmetric: the attacker sends small DNS queries to open resolvers with the source address spoofed to the target's IP, so the resolvers deliver their much larger responses to the target rather than to the attacker.

DNS floods, meanwhile, are symmetric: scripts running on compromised botnet machines send a high rate of UDP DNS queries directly at the target's name servers in order to exhaust server-side resources. There is no reflection step, and, as in this case, the queries may carry the attacking machines' real source addresses, which is what allowed the origin to be traced.

“With DNS amplification, the effectiveness of an attacker’s own resources is increased by anywhere from 300% to 1000%, which means that large attacks could be initiated by relatively small botnets. On the other hand, with DNS floods there is no multiplier to speak of at all. This means that, in order to generate a DNS flood at the rate of 25Mpps, the offender needs access to an equally powerful botnet infrastructure,” explained Incapsula.
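The two attack shapes described above leave different fingerprints at the victim, and a defender can tell them apart from a packet summary. The following is an added example, not code from the article or from Incapsula: it classifies DNS traffic seen at a victim address as amplification (unsolicited, oversized responses from servers the victim never queried), flood (a high rate of queries from many real sources, with responses no larger than the queries) or normal, and works out the botnet size needed with and without a multiplier. The victim and bot addresses, packet sizes, thresholds and the `DnsPacket` record are all constructed for illustration.

```python
"""Tell a DNS amplification attack from a DNS flood in a packet summary.

Added example; not from the article or Incapsula. The packet records,
addresses (RFC 5737 documentation ranges) and thresholds are constructed.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class DnsPacket:
    src: str        # source IP as seen on the wire (may be spoofed)
    dst: str        # destination IP
    size: int       # UDP payload length in bytes
    response: bool  # True if the DNS QR bit is set (a response), else a query


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth multiplier the attacker gains per spoofed query."""
    return response_bytes / query_bytes


def bots_required(target_bps: float, per_bot_bps: float,
                  amplification: float = 1.0) -> int:
    """Botnet size needed to land target_bps on the victim.

    A flood has no multiplier (amplification=1.0): the bots push every byte
    themselves. With amplification the reflectors supply the extra volume.
    """
    return ceil(target_bps / (per_bot_bps * amplification))


def classify(packets, victim, unsolicited_ratio=0.5,
             min_flood_queries=1000, min_flood_sources=100):
    """Return ('amplification' | 'flood' | 'normal', details) for `victim`.

    Amplification: the victim receives responses from servers it never
    queried, because its address was spoofed in the attacker's queries.
    Flood: the victim's name server is hit by many queries from many real
    sources; the answers it sends are about the same size as the queries.
    """
    queried_servers = {p.dst for p in packets if p.src == victim and not p.response}
    inbound_responses = [p for p in packets if p.dst == victim and p.response]
    unsolicited = [p for p in inbound_responses if p.src not in queried_servers]
    inbound_queries = [p for p in packets if p.dst == victim and not p.response]
    query_sources = {p.src for p in inbound_queries}

    details = {
        "inbound_responses": len(inbound_responses),
        "unsolicited_responses": len(unsolicited),
        "inbound_queries": len(inbound_queries),
        "distinct_query_sources": len(query_sources),
    }
    if unsolicited:
        details["mean_unsolicited_response_bytes"] = (
            sum(p.size for p in unsolicited) / len(unsolicited))

    if inbound_responses and len(unsolicited) / len(inbound_responses) >= unsolicited_ratio:
        return "amplification", details
    if len(inbound_queries) >= min_flood_queries and len(query_sources) >= min_flood_sources:
        return "flood", details
    return "normal", details


VICTIM = "192.0.2.10"  # constructed victim address


def amplification_sample(n_responses=500):
    """Constructed: 200 open resolvers in 198.51.100.0/24 reflect 3000-byte
    answers to the victim, which only ever queried 198.51.100.1 itself."""
    legit = [DnsPacket(VICTIM, "198.51.100.1", 60, False),
             DnsPacket("198.51.100.1", VICTIM, 120, True)]
    reflected = [DnsPacket(f"198.51.100.{10 + (i % 200)}", VICTIM, 3000, True)
                 for i in range(n_responses)]
    return legit + reflected


def flood_sample(n_queries=5000):
    """Constructed: 250 bots in 203.0.113.0/24 query the victim's name server
    with their real addresses; each 70-byte query gets a 70-byte answer."""
    pkts = []
    for i in range(n_queries):
        bot = f"203.0.113.{1 + i % 250}"
        pkts.append(DnsPacket(bot, VICTIM, 70, False))
        pkts.append(DnsPacket(VICTIM, bot, 70, True))
    return pkts


def normal_sample():
    """Constructed: one outbound lookup and one client query, both answered."""
    return [DnsPacket(VICTIM, "198.51.100.1", 60, False),
            DnsPacket("198.51.100.1", VICTIM, 130, True),
            DnsPacket("203.0.113.5", VICTIM, 65, False),
            DnsPacket(VICTIM, "203.0.113.5", 90, True)]


if __name__ == "__main__":
    for name, pkts in [("amplification", amplification_sample()),
                       ("flood", flood_sample()), ("normal", normal_sample())]:
        print(name, classify(pkts, VICTIM))
    # Flood at 1 Gbit/s from 1 Mbit/s bots vs. the same with 50x amplification.
    print("flood bots:", bots_required(1e9, 1e6))
    print("amplified bots:", bots_required(1e9, 1e6, amplification_factor(60, 3000)))
```

The `bots_required` comparison is the point the Incapsula quote makes: with no multiplier, the bot count scales one-to-one with the target rate, which is why a 25 Mpps flood implies a botnet of matching size. The classifier's thresholds are placeholders; in practice they would be set against the victim's normal query rate and source diversity.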

DNS floods are fiendishly difficult to defend against, but because the attacker resources required are so large, attacks on this scale are likely to remain rare.
