opportunityopenerdns

1akamai's[stateoftheinternet]/SecurityBulletin11.
1OVERVIEW/PLXserthasbeenmonitoringanewtrendintheuseofDNSamplificationattacks.
AmplificationattacksarespecialtypesofDDoSattacksthataredesignedtogeneratelargeresponsepacketswithrelativelysmallrequests.
AttackersarecraftinglargeDNSTXT(text)recordstoincreaseamplification,magnifyingtheimpactoftheattack.
Forexample,severalcampaignsobservedsinceOctober4,2014containfragmentsoftexttakenfrompressreleasesissuedbytheWhiteHouse.
PLXsertsuspectsthattheDNSfloodertoolcontinuestobeusedinthesecampaigns.
BycraftingtheirownTXTrecords,attackerscanamplifyresponsesasdesiredanddirectthistraffictotargetedsites,including—butnotlimitedto—DNSservers.
Theamplifiedtrafficresponsecouldeventuallyoverwhelmthetargetedsiteandrenderitunabletorespondtoanyrequests.
AttackershaveusedlargeTXTrecordsinreflectionattacksinthepast.
PreviousvictimsofDNSamplificationattacksusingTXTrecordsincludesitessuchasisc.
organdmany.
govsites.
Withthisnewthreat,maliciousactorsarenowcraftingtheTXTrecordstoprovidethelargestresponsesizepossible,therebyhavingasmuchimpactaspossible.
TheTXTrecordsintheOctober2014attackshavebeenidentifiedasoriginatingfromtheguessinfosys.
comdomain.
1.
2HIGHLIGHTEDATTRIBUTESAttackstatistics§Peakbandwidth:4.
3Gigabitspersecond(Gbps)§Attackvectors:DNSreflectionandamplification§Sourceport(s):53§Destinationport(s):80,random1SECURITYBULLETIN:CRAFTEDDNSTEXTATTACKGSIID:1082TLP:GREEN11.
11.
14RISKFACTOR-MEDIUM2akamai's[stateoftheinternet]/SecurityBulletin2Primarytargets§Entertainment§Education§HightechconsultingSamplepayloads21:38:55.
972524IPX.
X.
X.
X.
53>X.
X.
X.
X.
52967:585613/0/3A50.
63.
202.
58,NSns71.
domaincontrol.
com.
,NSns72.
domaincontrol.
com.
,SOA,MXmailstore1.
secureserver.
net.
10,MXsmtp.
secureserver.
net.
0,TXT"PresidentObamaistakingactiontohelpensureopportunityforallAmericans.
PresidentObamaSigning13:43:36.
094522IPX.
X.
X.
X.
53>X.
X.
X.
X.
52506:1153210/13/16TXT"PresidenftxtObamaistakingaction",TXT[|domain]13:43:36.
094854IPX.
X.
X.
X.
53>X.
X.
X.
X.
5926:3540810/13/16TXT"Presidentalsooutlines""thedetailsaboutthetransmissionandtreatmentofEbola",TXT[|domain]2Figure1:TheentertainmentindustrywasthemaintargetoftheOctober2014DNSreflectionattacks.
3akamai's[stateoftheinternet]/SecurityBulletin33guessinfosys.
com.
85964INTXT"PresidentObamaistakingactiontohelpensureopportunityforallAmericans.
PresidentObamaSigningLegislationMyFrontPorchAmericansacrossthePresidentObamaistakingactiontohelpensureopportunityforallAmericans.
PresidentObamaSigningLe""gislationMyFrontPorchAmericansacrossthe"guessinfosys.
com.
85964INTXT"PresidentxtObamaistakingactiontohelpensureopportunityforallAmericans.
PresidentObamaSigningLegislationMyFrontPorchAmericansacrossthePresidentObamaistakingactiontohelpensureopportunityforallAmericans.
PresidentObamaSigning""LegislationMyFrontPorchAmericansacrossthe"guessinfosys.
com.
85964INTXT"PresidenftxtObamaistakingactiontohelpensureopportunityforallAmericans.
PresidentObamaSigningLegislationMyFrontPorchAmericansacrossthePresidentObamaistakingactiontohelpensureopportunityforallAmericans.
PresidentObamaSigning""LegislationMyFrontPorchAmericansacrossthe"guessinfosys.
com.
85964INTXT"InavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismornin""gInavideoreleasedthismorningInavideoreleasedthismorning,PresidentObamaaddressesthepeopleofWestAfricaabouttheEbolaoutbreakthatiscurrentlyaffectingthecountriesofLiberia,SierraLeone,Guinea,andNigeria.
ThePresidentreiterate""sinthevideothat,alongwithourpartnersaroundtheworld,theUnitedStatesisworkingwiththesecountries'governmentstohelpstopthedisease.
Thefirststepinthisfight,however,isknowingthefacts--whichiswhythePresidentalsooutlines""thedetailsaboutthetransmissionandtreatmentofEbola"guessinfosys.
com.
85964INTXT"InavideorInavideoreleasedthismorningeleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismornin""gInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorning"guessinfosys.
com.
85964INTXT"InaviddeorInavideoreleasedthismorningeleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorni""ngInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorning"guessinfosys.
com.
85964INTXT"InaviddeofrInavideoreleasedthismorningeleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorn""ingInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorningInavideoreleasedthismorning"Maliciousrequestsforguessinfosys.
comcanbeobservedinthewildonanongoingbasis.
Theserequestsattempttouseopenresolversasintermediatevictimstoreflectattacktrafficbacktoatarget.
Forthemostpart,theusefulnessofthesemaliciousdomainsdropsoffafterafewdaysasserveradminsbegintoblockofftherequests.
Figure2:Digresultsforguessinfosys.
comTXTrecordsshowmultipleTXTstringsliftedfromWhiteHousepressreleases4akamai's[stateoftheinternet]/SecurityBulletin4418:11:32.
433099IPX.
X.
X.
X.
16484>X.
X.
X.
X.
53:37834+[1au]ANYguessinfosys.
com.
(45).
.
.
.
E.
.
Ib.
.
.
.
.
.
.
Ma.
.
.
.
Fx@d.
5.
5.
guessinfosys.
com.
1.
3MITIGATION/DNSreflectionandamplificationattacksmakeuseofthesametacticsusedbyothertypesofreflectioncampaigns,suchasSNMP,SSDPorCHARGEN.
Theprimaryimpacttothetargetedserviceistheoverallbandwidthgenerated.
DNSreflectionattackscanbemitigatedsuccessfullyatthenetworkedge.
Anaccesscontrollist(ACL)wouldsufficebutonlyincaseswhereavailablebandwidthexceedsattacksize.
SomeDNSserverswillattempttoretrytheresponseusingTCP,butwhentherequestissenttothetargethost,notransferwilloccurandtheattemptwillfail.
DDoScloud-basedprotectionservicessuchastheoneprovidedbyAkamaiTechnologiesarerecommended.
Status:PLXsertiscurrentlymonitoringongoingcampaigns.
Futureadvisoriesandupdateswillbeprovidedifwarranted.
Figure3:Aguessinfosys.
comrequestattemptingtoreflecttrafficoffacustomerDNSserverFigure4:TheOctober2014craftedDNSTXTamplificationattackslastedmorethanfivehoursduringeachattackandpeakedatmorethan15hoursonOctober245akamai's[stateoftheinternet]/SecurityBulletinTheProlexicSecurityEngineeringandResearchTeam(PLXsert)monitorsmaliciouscyberthreatsgloballyandanalyzestheseattacksusingproprietarytechniquesandequipment.
Throughresearch,digitalforensicsandpost-eventanalysis,PLXsertisabletobuildaglobalviewofsecuritythreats,vulnerabilitiesandtrends,whichissharedwithcustomersandthesecuritycommunity.
Byidentifyingthesourcesandassociatedattributesofindividualattacks,alongwithbestpracticestoidentifyandmitigatesecuritythreatsandvulnerabilities,PLXserthelpsorganizationsmakemoreinformed,proactivedecisions.
Akamaiisaleadingproviderofcloudservicesfordelivering,optimizingandsecuringonlinecontentandbusinessapplications.
Atthecoreofthecompany'ssolutionsistheAkamaiIntelligentPlatformprovidingextensivereach,coupledwithunmatchedreliability,security,visibilityandexpertise.
Akamairemovesthecomplexitiesofconnectingtheincreasinglymobileworld,supporting24/7consumerdemand,andenablingenterprisestosecurelyleveragethecloud.
TolearnmoreabouthowAkamaiisacceleratingthepaceofinnovationinahyperconnectedworld,pleasevisitwww.
akamai.
comorblogs.
akamai.
com,andfollow@AkamaionTwitter.
AkamaiisheadquarteredinCambridge,MassachusettsintheUnitedStateswithoperationsinmorethan40officesaroundtheworld.
OurservicesandrenownedcustomercareenablebusinessestoprovideanunparalleledInternetexperiencefortheircustomersworldwide.
Addresses,phonenumbersandcontactinformationforalllocationsarelistedonwww.
akamai.
com/locations2014AkamaiTechnologies,Inc.
AllRightsReserved.
Reproductioninwholeorinpartinanyformormediumwithoutexpresswrittenpermissionisprohibited.
AkamaiandtheAkamaiwavelogoareregisteredtrademarks.
Othertrademarkscontainedhereinarethepropertyoftheirrespectiveowners.
Akamaibelievesthattheinformationinthispublicationisaccurateasofitspublicationdate;suchinformationissubjecttochangewithoutnotice.
Published10/14.
5ABOUTPROLEXICSECURITYENGINEERING&RESEARCHTEAM(PLXSERT)/PLXsertmonitorsmaliciouscyberthreatsgloballyandanalyzestheseattacksusingproprietarytechniquesandequipment.
Throughresearch,digitalforensicsandpost-eventanalysis,PLXsertisabletobuildaglobalviewofsecuritythreats,vulnerabilitiesandtrends,whichissharedwithcustomersandthesecuritycommunity.
Byidentifyingthesourcesandassociatedattributesofindividualattacks,alongwithbestpracticestoidentifyandmitigatesecuritythreatsandvulnerabilities,PLXserthelpsorganizationsmakemoreinformed,proactivedecisions.
ABOUTAKAMAI/Akamaiistheleadingproviderofcloudservicesfordelivering,optimizingandsecuringonlinecontentandbusinessapplications.
AtthecoreoftheCompany'ssolutionsistheAkamaiIntelligentPlatformprovidingextensivereach,coupledwithunmatchedreliability,security,visibilityandexpertise.
Akamairemovesthecomplexitiesofconnectingtheincreasinglymobileworld,supporting24/7consumerdemand,andenablingenterprisestosecurelyleveragethecloud.
TolearnmoreabouthowAkamaiisacceleratingthepaceofinnovationinahyperconnectedworld,pleasevisitwww.
akamai.
comorblogs.
akamai.
com,andfollow@AkamaionTwitter.