On September 20, a popular website dedicated to information security (infosec) was hit with a distributed denial of service (DDoS) attack that underscores the need for greater DNS security.
The affected site is KrebsOnSecurity.com, which is maintained by investigative journalist and infosec enthusiast Brian Krebs. According to the news release published shortly after the incident, the DDoS attack was one of the most impressive ever recorded due to the sheer magnitude of traffic intended to overwhelm the site for the purpose of taking it down.
How DNS Security Was Compromised
In his report about the attack, Brian Krebs explained that his website was hit with more than 600 Gbps of traffic. According to Akamai, the firm that handles security for his site, this DDoS attack was probably the largest ever recorded.
The attack likely started with DNS reflection, which involves probing domain name servers in order to commandeer them as traffic sources. This type of attack takes advantage of poor DNS security in the sense that servers are left wide open, willing to accept and answer queries from anywhere on the internet.
DNS reflection is also called DNS amplification. The goal of the attacker is to take a small DNS request that produces a much larger response and amplify it across dozens of commandeered servers so that far more traffic reaches the target than the attacker sends, thereby creating a DDoS situation and bringing the site down.
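The two paragraphs above describe the traffic pattern a reflection victim sees: many large DNS responses arriving from many different resolvers, answering queries the victim never sent. The following script, an added example that is not from the article, Krebs or Akamai, shows how a defender can spot that pattern in flow records. The flow records, the monitored network prefix (203.0.113.0/24) and the resolver addresses are all constructed for the example, and the thresholds are assumptions to be tuned per network.

```python
"""Flag hosts on a monitored network that look like the target of a
DNS reflection / amplification flood.

Heuristic (constructed for this example): a reflection victim receives
many large DNS responses (UDP source port 53) from many distinct
resolvers while having sent few or no DNS queries itself. We compare
inbound response bytes with outbound query bytes for each internal host.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    src: str      # source IP address
    dst: str      # destination IP address
    sport: int    # source UDP port
    dport: int    # destination UDP port
    nbytes: int   # payload bytes observed in this flow
    qtype: str    # DNS query type carried by the packet, e.g. "ANY" or "A"


# Hypothetical network we are defending (RFC 5737 documentation range).
MONITORED_PREFIX = "203.0.113."


def is_monitored(ip: str) -> bool:
    """True if the address belongs to the network we are protecting."""
    return ip.startswith(MONITORED_PREFIX)


@dataclass
class HostStats:
    inbound_resp_bytes: int = 0          # bytes of DNS responses received
    outbound_query_bytes: int = 0        # bytes of DNS queries sent
    any_responses: int = 0               # responses to ANY queries (classic amplifier)
    responders: Set[str] = field(default_factory=set)  # distinct resolvers answering


def summarise(flows: Iterable[Flow]) -> Dict[str, HostStats]:
    """Aggregate DNS traffic per monitored host."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for f in flows:
        if f.sport == 53 and is_monitored(f.dst):
            # A DNS response arriving at one of our hosts.
            s = stats[f.dst]
            s.inbound_resp_bytes += f.nbytes
            s.responders.add(f.src)
            if f.qtype == "ANY":
                s.any_responses += 1
        elif f.dport == 53 and is_monitored(f.src):
            # A DNS query leaving one of our hosts.
            stats[f.src].outbound_query_bytes += f.nbytes
    return dict(stats)


def detect_amplification(flows: Iterable[Flow],
                         ratio_threshold: float = 10.0,
                         min_responders: int = 5) -> Dict[str, dict]:
    """Return hosts whose inbound response volume dwarfs their own queries
    and who are being answered by many distinct resolvers."""
    findings: Dict[str, dict] = {}
    for host, s in summarise(flows).items():
        # max(..., 1) avoids division by zero for a host that sent no queries,
        # which is exactly the reflection case.
        ratio = s.inbound_resp_bytes / max(s.outbound_query_bytes, 1)
        if ratio >= ratio_threshold and len(s.responders) >= min_responders:
            findings[host] = {
                "ratio": ratio,
                "responders": len(s.responders),
                "inbound_bytes": s.inbound_resp_bytes,
                "any_responses": s.any_responses,
            }
    return findings


def sample_flows() -> List[Flow]:
    """Constructed traffic: one reflection victim and one normal client."""
    flows: List[Flow] = []
    # Victim 203.0.113.10: eight open resolvers each send three 3000-byte
    # ANY responses; the victim never sent a query.
    for i in range(1, 9):
        resolver = f"198.51.100.{i}"
        for _ in range(3):
            flows.append(Flow(resolver, "203.0.113.10", 53, 40000 + i, 3000, "ANY"))
    # Normal client 203.0.113.20: two small A queries, two modest answers.
    for _ in range(2):
        flows.append(Flow("203.0.113.20", "192.0.2.53", 51234, 53, 60, "A"))
        flows.append(Flow("192.0.2.53", "203.0.113.20", 53, 51234, 200, "A"))
    return flows


if __name__ == "__main__":
    for host, info in detect_amplification(sample_flows()).items():
        print(f"{host}: {info['inbound_bytes']} response bytes from "
              f"{info['responders']} resolvers, ratio {info['ratio']:.0f}")
```

Run as-is, the script flags only 203.0.113.10; the normal client stays under both thresholds. In production the same aggregation would be fed from flow exports or packet captures, and the `any_responses` counter is a useful secondary signal because ANY queries are rarely seen in legitimate client traffic.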
The Current DNS Threat Climate
Brian Krebs speculated that the aforementioned attack may have been executed as retaliation for his investigation into commercial hacking services.
DDoS attacks can now be launched under contract. In recent years, black hat hackers have been offering their services in various black markets and even in unsecured online forums. DDoS for hire has become a common practice that can be contracted by unethical parties who would like to see a website taken down.
Earlier this year, Brian Krebs exposed the identity of a Canadian man who developed and sold a remote administration tool that could be planted in a target computer by means of a Trojan attack. Another service offered by this man is a dynamic DNS service with servers based in Canada and other parts of the world. This DNS service is marketed with a promise to destroy all records of activities conducted by clients.
With dynamic DNS service, a website can be hosted under various addresses located in different parts of the world, giving its operator control over several international addresses at once. Unfortunately, malicious hackers are known to flock to hosting providers who offer this type of service.