Large-scale DDoS attack with “peak traffic over 300 Gbps”
“DDoS” stands for Distributed Denial of Service: an attack in which many machines in many locations send traffic to the target's server or network at once, overloading it until it can no longer operate. DDoS attacks have been carried out many times, but their scale (traffic volume) has typically been a few hundred Mbps to a few tens of Gbps, and has rarely exceeded 100 Gbps.
The attack discussed here, by contrast, was exceptionally large: its peak exceeded 300 Gbps, and communication failures were confirmed in some areas. Moreover, because DNS was what allowed the attack to grow to that scale, it has come to be regarded as a serious problem among Internet operators.
The attack begins with the attacker sending queries whose source IP address is forged to be the address of the target to cache DNS servers known as “open resolvers”. An open resolver that receives such a query treats it as a legitimate request, performs name resolution, and returns the result to the forged (victim's) address.
Countless open resolvers that can be abused in this way exist around the world, so by sending forged queries to many of them the attacker causes a flood of DNS responses to converge on the target. Two properties make the attack so large: the DNS response is larger (amplified) than the query, and there are many open resolvers available to reflect it. This method is called a “DNS amplifier (amplification) attack” or “DNS reflector attack”.
Conceptual diagram of the attack (quoted from the lecture material of JPRS's Morishita at the IPSJ IOT Study Group)
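The following Python script is an added example, not code from the original article or from JPRS/JPCERT/CC. It builds a DNS query in wire format, parses a DNS response, and computes the amplification factor a reflector attack obtains: the bytes delivered to the spoofed victim per byte the attacker sends. It also shows why attackers include an EDNS0 OPT record in the query: without it, a resolver must truncate responses larger than 512 bytes. The domain (example.com), the addresses (192.0.2.0/24) and the response record set are constructed placeholders; nothing is sent on the network.

```python
"""Added example (not from the original article): DNS query construction,
response parsing and amplification-factor calculation, fully offline."""
import struct
from typing import Optional

# RR types used here (RFC 1035 / RFC 6891)
A, MX, TXT, OPT, ANY = 1, 15, 16, 41, 255


def encode_name(name: str) -> bytes:
    """Encode a non-root domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_query(name: str, qtype: int = ANY, txid: int = 0x1234,
                edns_size: Optional[int] = 4096) -> bytes:
    """Recursive query. The EDNS0 OPT pseudo-record advertises a large UDP
    payload; without it a resolver must truncate answers over 512 bytes."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    opt = b""
    if edns_size:
        # OPT: root name, TYPE=41, CLASS=payload size, TTL=0 (flags), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n


def parse_message(msg: bytes) -> dict:
    """Parse the header, questions and all resource records of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((rtype, rclass, msg[off:off + rdlen]))
        off += rdlen
    if off != len(msg):
        raise ValueError("malformed message: length does not match counts")
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "records": records, "size": len(msg)}


def build_sample_response(query: bytes, answers: list, edns_size: int = 4096) -> bytes:
    """Constructed response as an open resolver would send it to the forged
    source address: same ID, question copied back, QR/RD/RA set, one OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 1)
    body = b""
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer to the QNAME at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    body += b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return header + question + body


def advertised_udp_size(query: bytes) -> int:
    """Largest UDP response the querier accepts: the CLASS field of its OPT
    record, or the classic 512-byte limit if there is no EDNS0."""
    for rtype, rclass, _ in parse_message(query)["records"]:
        if rtype == OPT:
            return rclass
    return 512


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


# Constructed answer set for an ANY query: two A records, one MX, and three
# 255-byte TXT records standing in for the large records (DNSSEC keys and
# signatures, SPF text) that make ANY responses big.
SAMPLE_ANSWERS = [
    (A, bytes([192, 0, 2, 10])),
    (A, bytes([192, 0, 2, 11])),
    (MX, struct.pack("!H", 10) + b"\x04mail" + b"\xc0\x0c"),   # 10 mail.example.com
] + [(TXT, b"\xfe" + b"x" * 254) for _ in range(3)]


def demo() -> dict:
    query = build_query("example.com", ANY)
    response = build_sample_response(query, SAMPLE_ANSWERS)
    parsed = parse_message(response)
    plain = build_query("example.com", ANY, edns_size=None)   # no EDNS0
    return {
        "query_bytes": len(query),
        "response_bytes": parsed["size"],
        "records": len(parsed["records"]),
        "factor": amplification_factor(query, response),
        # The same response would not fit in a classic 512-byte UDP reply
        "truncated_without_edns": len(response) > advertised_udp_size(plain),
    }


if __name__ == "__main__":
    print(demo())
```

With this constructed record set a 40-byte query yields an 894-byte response, a factor of about 22; real ANY responses for DNSSEC-signed zones are larger still, which is why the total attack volume grows so far beyond what the attacker's own uplink could carry.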
Efforts to eradicate open resolvers
So what exactly is the “open resolver” that was abused in this attack and helped make it so large?
From the way DNS works, it should be clear whom each cache DNS server needs to serve. An ISP, for example, only needs to provide cache DNS service to customers who have a service contract, and a company only to its own employees. In reality, however, there are many cache DNS servers on the Internet that accept queries from anywhere. Such a server is called an “open resolver”.
Importance of DNS server management from the perspective of large-scale DDoS attacks
Internet operators are taking various measures against open resolvers, whose contribution to large-scale attacks has made their “harmfulness” impossible to ignore. Ideally, “source address validation (ingress filtering)”*, which lets a network detect and drop packets carrying the attacker's spoofed source addresses, would be deployed everywhere, but it cannot be expected to have much effect unless it is applied on networks around the world, and at present deployment is not progressing. * Mechanism defined in RFC 2827 (BCP 38). Ingress filtering, literally, filters packets with spoofed source addresses as they enter your network.
Therefore, in parallel, measures are also being taken on individual DNS servers. “Eliminating open resolvers” is one of them: a cache DNS server defines whom it is supposed to serve and restricts access from other networks.
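The two configuration fragments below are an added illustration, not configuration from the article or from any particular operator. They show the weak setting that turns a BIND 9 cache server into an open resolver, and the corrected setting that limits recursion and cache answers to the networks the server is meant to serve. The interface and prefixes (192.0.2.0/24, 2001:db8::/32) are documentation placeholders; the ACL name "customers" is an assumption.

```conf
// --- Open resolver: recursion is offered to the whole Internet ---
// Any host can send a query with a forged source address and have the
// response reflected to the victim.
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// --- Corrected: recursion only for the networks this server serves ---
acl "customers" {
    192.0.2.0/24;       // placeholder customer prefix
    2001:db8::/32;      // placeholder customer prefix (IPv6)
    localnets;
    localhost;
};

options {
    recursion yes;
    allow-query       { customers; };   // who may query at all
    allow-recursion   { customers; };   // who may ask us to recurse
    allow-query-cache { customers; };   // who may read cached answers
};
```

After reloading, a query for a name outside your own zones sent from an address outside the ACL should come back REFUSED instead of being answered, which is exactly the behaviour the open-resolver confirmation checks described later on this page look for. Restricting allow-query-cache as well as allow-recursion matters: a server that refuses recursion but still serves cached answers to anyone can be used as a reflector for those names.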
Although this is easy in theory, in practice it is not so simple to add access restrictions. There are cases such as outside users who have come to rely on a cache DNS server that was never officially offered to them, or former customers who moved to another company's service but never changed their DNS settings. It is difficult to contact people who are using the server from outside without realizing it, or who are no longer the company's customers, and even when they can be reached there are cases where they complain that “the Internet stopped working”.
Of course, even with those difficulties in mind, open resolvers are too big a problem to leave in place. Even major ISPs that could not easily eliminate open resolvers for the reasons above are gradually embarking on “eradicating open resolvers”.
Changes in the number of open resolvers worldwide (left) and in Japan (right) (quoted from JPCERT/CC's “Open Resolver Confirmation Site”)
JPCERT/CC has published an “Open Resolver Confirmation Site” and is calling on users to check whether the resolver configured on their PC, and the device they connect to the Internet through (such as a broadband router), is acting as an open resolver. Take this opportunity to check again and review your settings.
▼ Open Resolver Confirmation Site (JPCERT/CC)
▼ Overview and Countermeasures for DNS Reflector Attacks Using Open Resolvers: You Are the Perpetrator Without Knowing It (JPRS Morishita's lecture material: PDF)
▼ Alert regarding Open Resolvers (JPNIC)