
A shattering new form of the “denial-of-service” computer attack could be on the rise, according to a company that controls some of the internet’s core infrastructure.

In a conventional DoS attack, computers are used to send an overwhelming amount of data to a target machine, disguised as legitimate network traffic. This barrage prevents genuine messages from reaching the target and can even cause its servers to crash. Such attacks are sometimes used to extort money from commercial websites that depend on being online to operate.

The new DoS variant hijacks a key part of the internet’s address system – the Domain Name System – to amplify an attack and make it harder to defeat. DNS servers act as a directory service for internet users, so their data requests are routed to the correct destination.

To initiate the new type of attack, a message is sent to a DNS server with a forged return address, matching that of the target computer. The DNS server processes this as a valid request and “returns” the results to the target.

The returned results contain much more information than the initial request, meaning a few thousand forged messages can result in gigabytes of information being sent to the target. In this way the torrent of data the target computer has to deal with is much greater than if it had been attacked directly.
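Because the requests carry a forged return address, the target receives DNS responses it never asked for. The following added example (not part of the original article) counts such unsolicited responses in traffic seen at a target's network edge; the record format, addresses and packet sizes are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# One DNS datagram seen at the network edge (constructed record format).
Pkt = namedtuple("Pkt", "ts src sport dst dport txid is_response size")

def unsolicited_responses(packets, window=5.0):
    """Return {host: (count, bytes)} for DNS responses a host never requested."""
    pending = {}                        # (client, cport, server, txid) -> query time
    hits = defaultdict(lambda: [0, 0])  # host -> [responses, bytes]
    for p in sorted(packets, key=lambda p: p.ts):
        if not p.is_response:
            # Remember every query that really left our network.
            pending[(p.src, p.sport, p.dst, p.txid)] = p.ts
            continue
        # A genuine response mirrors a pending query's addresses, ports and ID.
        asked = pending.pop((p.dst, p.dport, p.src, p.txid), None)
        if asked is None or p.ts - asked > window:
            hits[p.dst][0] += 1
            hits[p.dst][1] += p.size
    return {host: tuple(v) for host, v in hits.items()}

def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the target per byte the forged request cost."""
    return response_bytes / query_bytes

# Constructed sample: one legitimate lookup by 192.0.2.10, then three large
# responses from resolvers that 192.0.2.10 never queried.
SAMPLE = [
    Pkt(0.00, "192.0.2.10", 40000, "198.51.100.53", 53, 0x1A2B, False, 60),
    Pkt(0.03, "198.51.100.53", 53, "192.0.2.10", 40000, 0x1A2B, True, 120),
    Pkt(1.00, "203.0.113.5", 53, "192.0.2.10", 53124, 0x0001, True, 3000),
    Pkt(1.01, "203.0.113.6", 53, "192.0.2.10", 53124, 0x0001, True, 3000),
    Pkt(1.02, "203.0.113.7", 53, "192.0.2.10", 53124, 0x0002, True, 3000),
]

if __name__ == "__main__":
    for host, (count, size) in unsolicited_responses(SAMPLE).items():
        print(f"{host}: {count} unsolicited DNS responses, {size} bytes")
    print("amplification:", amplification_factor(60, 3000))
```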

Disruptive potential

Ken Silva, chief security officer at US networking company Verisign, says hackers began testing the new DoS variant in December 2005 and continued to hone the technique through January 2006.

“These attacks have been significantly larger than anything we’ve seen,” Silva told CNET. The activity then subsided, perhaps in preparation for a real attack, he says. Verisign operates two of the internet’s 13 root DNS servers and is responsible for managing the most popular domain name extensions .com and .net.

“It has the potential to be extremely disruptive,” says Graham Pinkney, of US computer security firm Symantec, who adds that it could also disrupt legitimate traffic by overloading the DNS server. Another problem is that trying to halt an attack by simply switching off the DNS server would also affect traffic from legitimate users.

Experts say DNS servers can be reconfigured not to allow such requests to be used, but a recent survey found that 80% of DNS servers are vulnerable.

The US government’s Computer Emergency Response Team issued a warning about these “DNS recursive DoS attacks” in November 2005. This report (pdf format) contains information on protecting different types of DNS server.
