DDoS Attackers Target European DNS Infrastructure
Think of DNS (Domain Name System) like the phonebook of the internet. While us humans might think of a web address as www.insertwebsitename.com, a computer thinks of an IP address as something more like 18.104.22.168. The DNS resolution process turns one into the other, allowing the human-friendly www.insertwebsitename.com to be transformed into the machine-recognized 22.214.171.124. It’s a foundational part of the way the internet works, allowing the process of loading websites to happen so smoothly and rapidly that, well, most people never even have to know what DNS is. To quote the late Apple co-founder Steve Jobs, “it just works.”
Until it doesn’t, that is. In the second half of 2020, over a dozen Internet Service Providers (ISPs) in Europe reported having their DNS infrastructure targeted by DDoS (Distributed Denial of Service) cyberattacks. A DDoS attack is a particularly devastating type of cyberattack in which a “botnet” of infected computers and connected devices are used to bombard a victim with fraudulent traffic. The goal of these attacks is to overwhelm a website or online service so as to knock it offline, thereby making it unavailable to legitimate customers.
Such DDoS attacks are getting larger, longer-lasting, more sophisticated, and increasingly commonplace all the time. The largest recorded DDoS attack took place against Amazon Web Services, hitting it with an astonishingly massive 2.3 terabit-per-second (Tbs) barrage. Before this, the biggest attack was a 1.35 Tbps assault against code repository Github in 2018.
Attacks can last anywhere from a few minutes to hours or even days. They may result in massive amounts of un-asked-for downtime on the part of victims, and can (and do) cause significant damage in the form of lost revenue and dented customer loyalty. Nowadays, it is possible to hire a “DDoS as a service” botnet attack for just a few dollars.
Attacking DNS infrastructure
There were multiple ISPs in Europe which reported having their DNS infrastructure hit by DDoS attacks this year. These ranged from EDP in Belgium to Bouygues Télécom in France to Delta in the Netherlands. While attacks went on, the ISP services were down. In at least one case, the attackers tried to extort money from their targets by requesting ransoms in exchange for stopping the attacks.
There are different types of DDoS attacks that target DNS infrastructure. One popular (among hackers) method is a DNS flood, in which the high bandwidth connection used by DVR boxes, IP camera, and assorted other Internet of Things (IoT) devices are exploited to flood DNS servers belonging to major ISPs. By overloading a domain’s DNS servers, it makes them inaccessible to legitimate traffic. The highest profile DNS flood attacks in recent years came from the Mirai botnet. At its height, the Mirai malware was used to infect more than 600,000 vulnerable IoT devices, which it used to unleash malicious and extremely damaging attacks on targets.
Another widespread type of DNS attack are DNS amplification attacks. These attacks, which use devices with more modest bandwidth connections, work by reflecting and amplifying traffic from unsecured DNS servers. In a DNS amplification attack, the hacker sends a DNS query boasting a forged IP address that appears to be that of the victim. This is sent to an open DNS resolver. In turn, this prompts the resolver to reply to the address with a DNS response. By sending multiple fake queries, with multiple DNS resolvers then responding at the same time, it is easy for the network belonging to a victim to be overwhelmed. Using underhanded amplification attacks, it’s possible to turn a DNS request message of just 60 bytes into a response of more than 4,000 bytes. Quickly the resources of the server become overloaded and depleted.
Safeguarding against attacks
Protecting against DDoS attacks is of critical importance to anyone running an online service. Some methods that can be employed to fight back against DNS attacks include blocking certain DNS servers or open recursive relay servers, in addition to rate limiting. Improving DNS server security is also a very good idea.
But the smartest solution is to bring in dedicated cybersecurity experts with state-of-the-art DDoS protection services that can help safeguard against such attacks. Large, distributed DNS systems and DDoS protection tools will help to monitor for attacks in real-time, and absorb and block them when they arise. The goal of any such system is to filter out DDoS traffic, while allowing legitimate traffic to get through to its final destination.
Cybersecurity is hard work here in 2020. DDoS attacks (among others) are getting worse and don’t show any sign of letting up in the foreseeable future. But, fortunately, it’s not a one-sided battle: there are plenty of folks on the right side of the battle to ensure that such attacks do not cause the kind of damage they set out to cause. So that your customers can enjoy the services they’re entitled to, free of problems.