[lacnog] DNS reflection attacks (Devices Like Cable Boxes Figured in Internet Attack)

Fernando Gont fgont en si6networks.com
Tue Apr 2 19:16:46 BRT 2013



---- cut here ----
Devices Like Cable Boxes Figured in Internet Attack

SAN FRANCISCO — In the aftermath this week of one of the most powerful
attacks on the Internet, finger-pointing quickly ensued.

The organization most suspected, victims said, was Stophaus, an elusive
group of disgruntled European Internet users, although Sven Olaf
Kamphuis, its spokesman, denied he was responsible for the attacks. At
the same time, he shifted blame to Russian Internet service providers,
which he said were retaliating against Spamhaus, a European anti-spam
group, for blacklisting them.

But the real enablers of the attack were the operators of more than 27
million computers around the globe who left their equipment wide open to
a motivated attacker. Those enablers are not just companies, but regular
people with home cable boxes.

“There is a big possibility that you are part of the problem without
even knowing it,” said Paul Vixie, chairman of the Internet Software
Consortium, a nonprofit company responsible for the software used by
many of the servers that power the Internet.

The servers the attackers used — what the Internet community calls open
recursive servers or, more commonly, open resolvers — are simply home
Internet devices, corporate servers, or virtual machines in the cloud
that have been sloppily configured to accept messages from any device
around the globe.

Open resolvers have been set up in such a way that they are not unlike
the naïve users of public Wi-Fi who forget to turn off their
file-sharing settings, so that any hacker on the Internet can creep
inside the computer. It’s similar to PC users who do not realize that by
not updating their software, they let their computers get infected with
malware and used as a zombie in a cyberattack.

The difference is that if you think of a computer as a digital weapon,
then an open resolver is a machine gun. Attackers can use open resolvers
to amplify the strength of a cyberattack by a factor of 100.

In this week’s attack on Spamhaus and the company hired to fight it,
CloudFlare, attackers made use of more than 100,000 open resolvers to
inflict an attack that reached 300 billion bits per second, the largest
such attack ever reported. When they could not take down those targets,
they aimed and fired open resolvers at the world’s major Internet
exchanges, first London, then Amsterdam, Frankfurt and then Hong Kong.

“At some point, we thought, ‘They are going to hit everything at once,
and that’s when this gets real,’ ” said Matthew Prince, the chief
executive of CloudFlare. “That’s the nightmare scenario that hasn’t
happened — yet.”

“We’ve now seen an attack that begins to illustrate the full extent of
the problem,” Mr. Prince wrote in a blog post.

Closing an open resolver, unfortunately, is not as simple as flipping a
switch or downloading some software. Finding out if your home cable box
is an open resolver, for instance, requires you to call your cable
company and tell them that you do not want to be running an open
resolver — a tough request when most of the world’s population does not
even know what an open resolver is.

Recent efforts have been made to increase awareness of the issue.
Computer security experts have recently started “naming and shaming” the
operators of open resolvers. The DNS Measurement Factory, one such
group, published a survey of top offenders by network, and more recently
the Open Resolver Project published a full list of the 27 million open
servers online.

The campaign is making slow progress; thousands dropped off those lists
in the last few months.

But Dr. Vixie calls the open resolvers just the low-hanging fruit. Even
if they were all fixed tomorrow, there are other types of servers that
could just as easily be used to amplify an attack, a fact that hackers
are eager to point out.

“The guys doing the attack indeed use open resolvers, but those are not
needed for this type of attack,” Mr. Kamphuis said in an online
interview with The New York Times earlier this week.

Indeed, there are other servers that amplify attacks — including
machines called Simple Network Management Protocol (SNMP) servers —
albeit by a significantly smaller magnitude. Dr. Vixie and others have
been working on what is called response rate limiting technology, a
potential solution to the amplification problem. That technology helps
servers decipher between unusual requests and normal traffic, but
engineers still need to fine-tune it in such a way that it can be used
without slowing Internet speeds.
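The response rate limiting idea described above, as an added example that is not code from the article and not BIND's implementation: a token bucket per (client /24, query name, query type) that drops over-limit answers and, every second time, sends a truncated reply instead so genuine clients can retry over TCP. The parameters, reply sizes and traffic are assumed.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed knobs, loosely modelled on BIND's RRL options (not BIND's code)
RPS, WINDOW, SLIP = 5, 15, 2        # answers/s per identity, max debt window (s), slip ratio
FULL_REPLY, TC_REPLY = 3000, 60     # constructed sizes: amplified ANY answer vs TC=1 stub

class Rrl:
    """Token bucket per (client /24, qname, qtype). Over-limit answers are dropped,
    except every SLIP-th, which goes out truncated so a real client retries over TCP."""
    def __init__(self, rps=RPS, window=WINDOW, slip=SLIP):
        self.rps, self.window, self.slip = rps, window, slip
        self.bucket = {}                   # identity -> (balance, last_second)
        self.limited = defaultdict(int)    # identity -> over-limit answers so far

    @staticmethod
    def identity(client_ip, qname, qtype):
        # Spoofed sources in a reflection flood all sit in the victim's prefix, so
        # keying on the /24 (IPv4 shown) collects the whole flood into one bucket
        prefix = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(prefix), qname.lower(), qtype.upper())

    def decide(self, t, client_ip, qname, qtype):
        ident = self.identity(client_ip, qname, qtype)
        balance, last = self.bucket.get(ident, (self.rps, t))
        balance = min(self.rps, balance + (t - last) * self.rps)   # refill credits
        if balance > 0:
            self.bucket[ident] = (balance - 1, t)
            return "send"
        # Over limit: run into debt, bounded so recovery takes at most WINDOW seconds
        self.bucket[ident] = (max(balance - 1, -self.rps * self.window), t)
        self.limited[ident] += 1
        return "slip" if self.slip and self.limited[ident] % self.slip == 0 else "drop"

def run_demo():
    """One constructed second: 40 queries spoofed from the victim's 203.0.113.0/24
    asking 'example.com ANY', plus 3 genuine queries from another client."""
    spoofed = [(0, f"203.0.113.{i}", "example.com", "ANY") for i in range(1, 41)]
    genuine = [(0, "198.51.100.7", n, q) for n, q in
               [("www.example.com", "A"), ("mail.example.com", "A"), ("example.com", "MX")]]
    rrl, verdicts, reflected = Rrl(), Counter(), {"without_rrl": 0, "with_rrl": 0}
    for t, src, name, qtype in spoofed + genuine:
        v = rrl.decide(t, src, name, qtype)
        verdicts[v] += 1
        if src.startswith("203.0.113."):           # bytes that would land on the victim
            reflected["without_rrl"] += FULL_REPLY
            reflected["with_rrl"] += {"send": FULL_REPLY, "slip": TC_REPLY}.get(v, 0)
    return dict(verdicts), reflected
```

The genuine queries all pass because they fall into different buckets, while the flood toward the victim's prefix is cut from 40 full answers to 5 plus a handful of tiny truncated replies.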

Even if they can pull it off, that still leaves the other half of the
problem. To accomplish this week’s attacks, the attackers sent messages
forged to look as if they came from their victims, so that when the open
resolvers responded, they responded to Spamhaus, CloudFlare and their
Internet providers with large blocks of traffic.

That digital forging is easy to pull off. But, there too, Internet
security specialists have long had a solution. For more than a decade,
Dr. Vixie and others have encouraged companies to use what is called
Source Address Validation, a technology that filters forged traffic from
legitimate traffic. The problem is that the technology is not yet pervasive.
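Source Address Validation as an added example, not from the article: a BCP38-style ingress check at an ISP edge router that forwards a customer's packet only if its source lies in a prefix allocated to that customer. The interface names, prefixes and traffic are constructed (documentation-range addresses).

```python
import ipaddress

# Constructed ISP edge state: customer-facing interface -> prefixes allocated to
# that customer (hypothetical interface names, documentation-range addresses)
ALLOCATIONS = {
    "ge-0/0/1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "ge-0/0/2": ["198.51.100.0/25"],
}
ALLOCATED = {iface: [ipaddress.ip_network(p) for p in nets]
             for iface, nets in ALLOCATIONS.items()}

def sav_accepts(interface, src):
    """BCP38-style ingress check. Only the network nearest the source knows which
    addresses it handed out, so the check belongs here, not at the resolver."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False                       # malformed source: never forward
    return any(ip in net for net in ALLOCATED.get(interface, ()))

def filter_ingress(packets):
    """Split (interface, src, dst) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if sav_accepts(pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped

def demo():
    # Constructed traffic: 203.0.113.5 stands in for the attack's victim and
    # 198.51.100.200 for an open resolver reachable across the ISP
    packets = [
        ("ge-0/0/1", "192.0.2.10", "198.51.100.200"),         # genuine customer query
        ("ge-0/0/1", "203.0.113.5", "198.51.100.200"),        # forged victim source: drop
        ("ge-0/0/1", "2001:db8:1::10", "2001:db8:ffff::53"),  # genuine IPv6 query
        ("ge-0/0/2", "198.51.100.130", "198.51.100.200"),     # outside customer's /25: drop
        ("ge-0/0/2", "198.51.100.9", "203.0.113.5"),          # genuine, even toward the victim
    ]
    return filter_ingress(packets)
```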

The reason, Dr. Vixie said, was “simple economics.” What incentive do
companies have to pay for the cost of adopting the technology and
training their engineers to use it when their competitors don’t? The
victims of the attacks are usually not those companies, so they bear the
expense and reap no direct benefit.

Dan Kaminsky, a prominent computer security researcher, said, “The
problem is that it’s hard to get someone to care.”

This week’s attack, which had halted on Tuesday, resumed Thursday morning.

But there is a silver lining. “I’ve been waiting for this attack for a
long time,” Dr. Vixie said, “so that we could tell the earth’s
population to do something about it.”
---- cut here ----

Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
