There’s been a lot in the news lately talking about the largest hack–I mean, the biggest attack–no, wait, that the Internet almost–
I can’t even come up with a summary of the reports, because most of the general reports have been exceptionally bad at explaining what happened. Mostly, they have far overblown the technical prowess required and the effects on the Internet (even if a few servers were inaccessible for a little while). So here’s my attempt (one among thousands) to explain what happened.
One of the major providers of spam sources is called Spamhaus. They’re a good group of people, and I highly recommend that most companies use them as part of their spam solution. (End users don’t really have a way of using them directly, so if you’re not running an IT department, don’t worry about it.) Some reports call them “cyber vigilantes,” but the truth is that they basically build up a list of IP addresses that send spam or that shouldn’t be sending out large quantities of e-mail. Their customers use these feeds to help determine when a message is likely from a spammer so it can be dropped early in the process.
The only people who really think they’re vigilantes are the people whose addresses end up on their lists. One of these groups was apparently associated with a company called CyberBunker, so named because they set up shop in an old NATO bunker. They would do business with anyone unless it involved terrorism or child porn. Spammers were perfectly welcome to set up shop.
When CyberBunker’s address space got listed by Spamhaus, someone decided to remedy this by knocking Spamhaus offline. It was hit with a combined 300Gbps of traffic. That’s 300,000Mbps. Consider that the high-speed connections most people have at home are perhaps 10Mbps, or maybe 20Mbps if they’re gamers. Even my own FiOS connection at 150Mbps is a mere 0.05% of that stream. Spamhaus, of course, has better feeds, but even if it has a carrier-grade connection like an OC-48 and its 2.5Gbps capacity, the traffic it was hit by was still more than 120 times that capacity.
How ever does one do a hack like this? It’s almost impossible to consider the power at the fingertips of these people! They must own every system on the planet to do this!
Well, not quite.
What they used is something called a DNS reflection attack, and it’s pretty trivial to pull off. First, a bit of background.
Some of you may have heard of DNS (domain name system). For those that haven’t, the easiest way to explain it is that it takes the domain that you type in (like llamasinmynetwork.com) and turns it into an IP address (like 184.108.40.206) so that your computer can actually talk to the server. What many people don’t realize is that this is only one kind of record (an A record, specifically) that can be stored. There are other record types as well including NS (name server), MX (mail exchange), TXT (text), and AAAA (IPv6 address). There’s also a kind of meta-record called ANY which returns everything, and everything, as one might guess, can be a lot. We’ll come back to that in a moment.
DNS servers use caching to reduce the number of lookups they do. Records don’t usually change all that much, so when a DNS server looks up a record, it will cache it, usually for a period of time that the next server considers appropriate. Until that time runs out, the DNS server will simply look at its cached information and return that result. When the timer runs out, it looks up the information again and caches it again. Neat and efficient.
DNS primarily uses a protocol called UDP (user datagram protocol). It’s a very simple protocol that simply sends a packet with data out, not checking to see if it gets there in one piece (unlike TCP [transmission control protocol], which has many such checks). UDP is usually sufficient for the needs of DNS. But it’s also subject to something called spoofing, which is where an attacker changes the source address of the packet to that of someone else. Any responses to the packet will then go to the spoofed address instead of the original sender.
Now that we have that background, let’s go back to that DNS ANY request. Suppose an attacker sends a request for record type ANY with a spoofed source address to a DNS server (total packet size about 70 bytes or so) for a domain that he knows has an ANY response of around 3500 bytes. The DNS server will send a response packet to the unsuspecting victim that is 50 times larger than the request packet. A single packet like this isn’t going to do anything, but imagine that the attacker has a solid Internet up-link of 100Mbps. The attacker can send approximately 175,000 such requests per second, resulting in a theoretical response of nearly 5,000Mbps (or 5Gbps) going to the target. Ow.
Typically, a single DNS server won’t have this kind of bandwidth, so the attack will be split up among many DNS servers across the Internet that accept requests from anyone. Google has two such addresses (with who knows how many servers behind them), Verizon maintains the two old GTE DNS server addresses, and thousands of other servers are configured this way. Lists of them are all over the Internet. It’s not hard to put together this kind of attack, especially if you have control of a few dozen systems scattered around the world–again, not hard to do in the modern era of botnets.
Unfortunately, this is an architectural problem that doesn’t have an easy solution. DNS as it stands now was largely built about 30 years ago, and it’s one of a couple of protocols (including SMTP, which is what e-mail uses) that has some massive security holes built in due to being created in an age of relative innocence. There are some solutions that carriers can implement which can help, and maybe an attack of this scale will prod them to do it, but I wouldn’t really count on it. This is something we’ve seen and we’re going to see periodically for some time yet to come.