They are standard pieces of kit, without which no home or small office can connect to the internet. And millions of them harbour a security vulnerability that threatens to do untold damage to the workings of the web.
Welcome to the humble home gateway – the little routers sitting on our desks are being inducted into battle by criminals launching denial-of-service (DoS) attacks to bring down websites and hold organisations to ransom.
A subtle flaw in some home gateways (they act as ‘open DNS proxies’) allows attackers to use them for ‘amplification’, where very small DNS queries (50 bytes) generate very large DNS answers.
Attackers employ another simple trick – IP address spoofing – to disguise their own identity and cover their tracks while directing waves of traffic to any target they choose, anywhere on the internet.
An amplification attack can create and send a target trillions of bytes of unwanted data over a few hours. The attack on Spamhaus in 2013 generated traffic measured at an enormous 300Gb/s.
Many web resources aren’t equipped to deal with such large volumes of traffic and either become unavailable, or slow down to the point where visitors notice. There is also considerable collateral damage to the infrastructure over which these attacks are launched.
These attacks are effective because the amplification effect makes the results wildly disproportionate to the effort needed to launch them.
Moreover, home gateways acting as DNS proxies make queries appear legitimate to DNS resolvers and mask the ultimate targets of attacks. As such, they are becoming the weapon of choice for those who aim to damage or hold to ransom any target they wish with impunity.
Nor is there any shortage of opportunity for these criminals. Research has found there are 24 million home gateways (home routers) that can be used for amplification attacks. These exploitable routers exist across the globe and it is not a problem limited to developing nations. For online criminals, there really is no place like ‘home’ from which to launch an attack.
Among the systems most impacted by DNS amplification attacks are ISP resolvers. The fact that they’re typically provisioned with ample network bandwidth and deployed on high-performance hardware to ensure they are always responsive and highly available makes them ideal for attackers, as they can piggyback on someone else’s high-performance infrastructure.
ISPs get drawn directly into the mire when open DNS proxies on home routers forward queries received on their WAN interface to whatever DNS resolver they are configured to use. In most cases this is an ISP’s resolver (consumers may also configure alternative DNS services from Google and others), and even those who go to great lengths to protect their infrastructure can become collateral damage in the path of an attack.
Bandwidth taken up by DDoS traffic causes networks to suffer from congestion and lowered performance. If quality of service falls noticeably, customers will vote with their feet and walk away to another service provider. And the ultimate recipients of the traffic, the targets themselves, often legitimately enquire about what ISPs have done to limit the effects of attacks.
Since this vulnerability provides enormously rich pickings for criminals at little cost, fixing it should be a priority for ISPs. As with any type of online threat, denial-of-service attacks are protean in nature; they evolve and adapt to circumvent attempts to prevent them.
Unfortunately, existing perimeter defences are useless against this new generation of attacks because they’re designed to deter DDoS traffic coming into a provider network instead of traffic going out.
What’s called for is the application of DNS-based security intelligence techniques; by incorporating DNS-level security tools, organisations and ISPs can effectively counter amplification attacks. Deterrence starts with monitoring DNS query data as it is generated so suspicious activity on the network can be identified quickly.
Something else that’s needed is dynamic threat lists that track special purpose-built DNS domains designed and deployed specifically for these kinds of attacks.
To eliminate false positives, it’s also crucial these lists are carefully vetted. Servers should be configured with highly targeted filters to manage malicious traffic, while ensuring legitimate traffic is not affected.
Additional rate limits based on response size can catch malicious traffic not caught by other filters. And, following best practice, DNS data logging is also useful for forensics and reporting.
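The measures just described (monitoring query data as it is generated, a vetted list of amplification domains, and rate limits based on response size) can be sketched in a few dozen lines. The following is an added example written for this article; it is not code from Nominum or from any product the article describes. It assumes a constructed, simplified resolver log format with one record per line (timestamp, client address, query name, query type, query bytes, response bytes); real resolver logs use other formats. The domain on the threat list, the client addresses and every log line are constructed, and the amplification threshold and byte budget are illustrative defaults, not recommended values.

```python
"""Detection and response-size rate limiting for DNS amplification traffic.

Added example; not from the original article or from Nominum. It assumes a
constructed resolver query log with one whitespace-separated record per line:
  <epoch_seconds> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class QueryRecord:
    ts: float
    client: str        # address the resolver sees; for an open proxy this is the gateway's WAN address
    qname: str
    qtype: str
    query_bytes: int
    response_bytes: int

    @property
    def amplification(self) -> float:
        """Bytes returned per byte received: the amplification factor."""
        return self.response_bytes / self.query_bytes


def parse_log(text: str) -> list:
    """Parse the constructed log format; blank lines and '#' lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype, qb, rb = line.split()
        qname = qname.lower()
        if not qname.endswith("."):
            qname += "."          # normalise to a fully qualified name
        records.append(QueryRecord(float(ts), client, qname, qtype.upper(), int(qb), int(rb)))
    return sorted(records, key=lambda r: r.ts)


def amplification_by_qname(records) -> dict:
    """Highest amplification factor observed for each queried name."""
    worst = defaultdict(float)
    for r in records:
        worst[r.qname] = max(worst[r.qname], r.amplification)
    return dict(worst)


def suspect_qnames(records, min_factor: float = 10.0) -> list:
    """Names whose answers are at least min_factor times larger than the query:
    candidates for a threat list, to be vetted before use to avoid false positives."""
    return sorted(q for q, f in amplification_by_qname(records).items() if f >= min_factor)


def threat_list_hits(records, threat_list) -> list:
    """Queries for names already on a vetted threat list of amplification domains."""
    return [r for r in records if r.qname in threat_list]


def response_size_rate_limit(records, window_s: float = 1.0, byte_budget: int = 20_000):
    """Per-client sliding-window budget on response bytes. A response that would push a
    client past byte_budget within window_s is dropped; dropped responses are not counted
    because they are never sent. Ordinary clients never approach the budget. Returns
    (allowed, dropped)."""
    history = defaultdict(deque)   # client -> deque of (ts, response_bytes) actually sent
    allowed, dropped = [], []
    for r in records:
        q = history[r.client]
        while q and q[0][0] <= r.ts - window_s:
            q.popleft()            # expire entries outside the window
        sent = sum(b for _, b in q)
        if sent + r.response_bytes > byte_budget:
            dropped.append(r)
        else:
            q.append((r.ts, r.response_bytes))
            allowed.append(r)
    return allowed, dropped


# Constructed sample log (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """
# ordinary browsing from a subscriber: answers barely larger than the queries
1000.00 192.0.2.25 www.example.com. A 45 61
1000.20 192.0.2.25 mail.example.com. A 46 62
1000.50 192.0.2.25 www.example.net. AAAA 45 73
# a home gateway acting as an open DNS proxy forwards a burst of 50-byte queries
# whose answers are 3000 bytes each (amplification factor 60)
1001.00 192.0.2.10 amp-example.test. ANY 50 3000
1001.10 192.0.2.10 amp-example.test. ANY 50 3000
1001.20 192.0.2.10 amp-example.test. ANY 50 3000
1001.30 192.0.2.10 amp-example.test. ANY 50 3000
1001.40 192.0.2.10 amp-example.test. ANY 50 3000
1001.50 192.0.2.10 amp-example.test. ANY 50 3000
1001.60 192.0.2.10 amp-example.test. ANY 50 3000
1001.70 192.0.2.10 amp-example.test. ANY 50 3000
1001.80 192.0.2.10 amp-example.test. ANY 50 3000
1001.90 192.0.2.10 amp-example.test. ANY 50 3000
"""

# Hypothetical threat-list entry; a real list would be curated and vetted.
THREAT_LIST = {"amp-example.test."}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("suspect names:", suspect_qnames(recs))
    print("threat-list hits:", len(threat_list_hits(recs, THREAT_LIST)))
    ok, drop = response_size_rate_limit(recs)
    print(f"allowed {len(ok)} responses, dropped {len(drop)}")
```

On the constructed log the subscriber’s three small answers all pass, while the proxied burst is cut off once the gateway’s address has been sent 18,000 bytes of answers within one second, so the last four 3,000-byte responses are dropped. Keying the budget on response bytes rather than query count is what makes the limit bite on amplification traffic specifically: a client sending many ordinary queries with small answers stays well inside it.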
DNS-based security can be used by network operators in a layered security approach. The insidiousness of malware threats requires a defence-in-depth strategy based on various layers of firewalls, packet filters, anti-virus software, intrusion detection and prevention, and many more.
Owing to its strategic place in the network, DNS-based security must be added to this portfolio of protection: observing, as it does, every Internet communication, it serves as a lightweight but powerful tool in the armoury.
For far too long, people have unknowingly been hosting a serious security weakness in their houses and in their offices. With DNS-level security we can finally plug this breach, and turn the home once more into a castle.
Ian Sampson, senior director engineering, Nominum