In recent months the DDoS world has shifted from complex small scale Botnet attacks to much larger network based DDoS attacks, perpetrated largely by hijacked web servers. How many of these hijacked servers are out there remains to be seen. However, we recently got a very good idea of just how large these DDoS cannons are getting.
Last Saturday we mitigated a rather small, 4Gbps DDoS attack, but this time it had a different pattern that attracted our attention.
At first sight the attack seemed rather simple, generating 8 million DNS queries per second, to many domains, from spoofed IP addresses (using real domain name servers’ IPs). But this time it included a hint about where it was coming from: all that traffic was coming from the same source. Probably on the same network, maybe even the same device
Tracing it to a single Source – TTL Giveaway
We were able to trace the attack to a single source because this time the attackers slipped-up and did not randomize the requests TTLs, making all the traffic arrive with the same IP TTL.
The TTL parameter is part of the Internet Protocol. It’s a field that designates how many routers a packet is allowed to pass before it expired. Every router along the way decrements the counter, until it expires (many diagnostic tools, like traceroute use this attribute). Of course, like many other fields, its value can be spoofed and randomized, but it is almost impossible to make millions of packets from many sources have the same TTL when they reach their destination. And this is exactly what we saw.
Are Authoritative Name Servers next on the exploit list?
Another interesting point we saw, is that the spoofed addresses belonged to DNS servers, but not all were open DNS resolvers. In fact, many of these IPs were of authoritative name servers.
The reason for the non-random selection of IPs was to avoid blacklisting mechanisms. But it means that hackers are also collecting information about authoritative name servers. Using these in reflection attacks is a bit more complicated (it means building a database of domains with large DNS responses), with much smaller amplification factor, but they are much more difficult to lock down than open DNS resolvers.
So… what does this mean?
This means that the stakes just got higher. Just for comparison, at the rate of this attack, if it had used DNS amplification, with an average amplification factor of 50 – it would have generated a 200+ Gbps DDoS attack, all from a single source/computer!
What do we know about this source?
- It is either custom hardware, or a cluster of machines sharing the same network. It is (almost) impossible for a single machine to generate this kind of traffic.
- It could utilize 4Gbps of upstream bandwidth, without anyone noticing.
These days it doesn’t take a Botnet to launch massive DDoS attacks. It doesn’t even take hundreds of servers, from multiple hosting providers. Today, that kind of massive firepower can be obtained from a single DDoS Cannon, from a single location and perhaps even one single server.
Gur Shatz, Incapsula CEO and Co-Founder