Millions Of Open Servers Are Helping To Set Off Huge Digital Bombs

cyber war weapon crime © Roman Sigaev

Spamhaus attacks show how the Internet’s millions of open DNS resolvers are ‘the scourge of the Internet’

Digital bombs are going off across the Internet, smashing websites offline with incredible force. That’s partly because attackers are able to use at least 25 million open servers vital to Internet infrastructure to power their strikes. What’s concerning is that not all of those servers can be closed off, meaning many will remain at the disposal of malicious actors.

This past week saw what is believed to be one of the biggest Distributed Denial of Service (DDoS) strikes ever recorded, highlighting the terrifying power attackers can now generate. The attacks were aimed at Spamhaus, a not-for-profit organisation that attempts to counter spam.

After it put a Dutch hosting company, Cyberbunker, on a blacklist, Spamhaus was struck by a DDoS that used an increasingly popular amplification technique. Such blacklists are used by email admins to filter out unwanted messages.

DDoS protectionServers used as weapons

Cyberbunker, which is based out of a five-story former NATO bunker, had not responded to a request for comment at the time of publication. It says on its official website it offers services “to those that some would like to see offline”.

According to a spokesperson for the attackers, Cyberbunker was retaliating against Spamhaus for abusing its influence. Reports have claimed there was collateral damage, resulting in everyday Internet users experiencing poor access, although there was certainly no widespread outage (for a full run-down of how the attacks affected the wider Internet, see this blog post from CloudFlare)

The DDoS hits, which are thought to have ranged from 75Gbps up to 300Gbps in power, came from what is known as DNS reflection – a way to amplify traffic to swamp servers and take websites offline. These attacks rely on what are known as “open recursive resolvers”, used in the DNS process, where URLs are translated to IP addresses, so people can access websites by typing in names (e.g. Google.com) rather than numbers (e.g. 216.239.51.99).

Attackers spoof themselves an IP address – the one belonging to their target. They then make a large number of requests for DNS zone files –  which contain mappings between domain names and IP addresses – to open DNS resolvers. The resolvers respond and send back a load of traffic to the victim, clogging up their pipes and taking them offline.

The big problem here, and this is a serious issue facing the Internet in general, is that there are 25 million of these resolvers, posing a significant threat, according to the Open DNS Resolver Project, which released figures late last week. With Spamhaus, 30,000 unique DNS resolvers were used, most likely via a botnet.

The Spamhaus attacker sent requests for the DNS zone file for ripe.net to open DNS resolvers, spoofing IPs issued for Spamhaus by the company it called in for protection – CloudFlare. The open resolvers responded, sending back around 75Gbps of attack traffic, according to CloudFlare.

DNS resolvers ‘scourge of the Internet’

“Open DNS resolvers are quickly becoming the scourge of the Internet and the size of these attacks will only continue to rise until all providers make a concerted effort to close them,” CloudFlare wrote in a blog post.

ISPs have been called on to address the issue, as they can carry out better checks on IP address spoofing. TechWeekEurope asked BT, the UK’s largest ISP, what it was doing to counter such attacks, but t had not responded at the time of publication.

Darren Anstee, team manager for network security firm Arbor Networks, said there were a number of steps service providers could take, one of which is called “ingress filtering”, which stops any subscriber from spoofing, throwing packets away from spoofed IPs.

“There is an operational overhead to doing that… which is why some of them don’t do it,” he told TechWeekEurope.

DNS servers can also be locked down by ISPs to stop accepting requests from specific address ranges too, but that is only possible on some servers. Many have to accept requests from everybody, meaning there will always be open resolvers for hackers to use as weapons.

With such power generated with such little effort, Spamhaus might want to continue ramping up its defences. It has gained itself a number of enemies in the past after placing them on its blacklist.

In 2011, a Dutch ISP, A2B, filed two police complaints against the not-for-profit after Spamhaus added its IP addresses to the blacklist.

It has annoyed a lot of cyber crooks too, thanks to its progressive work in helping dismantle botnets. Just last year it was a key player in taking out the mega-spamming botnet Grum.

Are you a security expert? Try our quiz!