
DNS Amplification Attacks


There are many types of DNS (Domain Name System) attacks out there, but a recent one is the Amplification attack. Before going into why an Amplification attack is more complicated and a bigger threat than most, let’s first go over what DNS is. Domain Name System servers are servers which map domain names such as “google.com” to the IP address of the server hosting that particular website.

When a user types “lintcenter.org” into a web browser, the browser asks a pool of DNS servers for the IP address of that server. Only then can it request the appropriate web page from that server. Think of the DNS servers as dictionaries, where each word (domain name) has a server’s IP address as its definition. But the dictionary can also hold more information, such as backup name servers, aliases, mail servers, etc.

An attacker can take advantage of the time and bandwidth it takes to compile a whole zone’s worth of definitions. In fact, this makes DNS servers just as vulnerable to DoS attacks as other servers. A Denial of Service (DoS) attack is a set of methods used to make a server unreachable. By far the most popular are Distributed DoS (DDoS) attacks, where multiple parties (or a single party controlling multiple vectors) attack a single victim.

One such DDoS attack targeting DNS servers is called an Amplification attack. It starts when an attacker, masquerading as the target DNS server, asks multiple DNS servers for a zone’s worth of information. The intermediary servers then chug through the request and dump all of that information onto the target DNS server, which receives far more data than the attacker ever sent; hence the term Amplification attack.

Those impacted by an Amplification attack are those who run a misconfigured DNS server. But detecting the problem isn’t as easy.

“While it is not easy to identify authoritative name servers used in DNS reflection attacks as vulnerability is not caused by a misconfiguration, there are several freely available options for detecting open recursive resolvers. Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers. These tools will scan entire network ranges and list the address of any identified open resolvers.”
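The attack pattern described above also leaves a trace in a resolver’s own query log: a single “source” address (really the spoofed victim) sends a burst of queries whose answers are many times larger than the questions. The following is an added example, not code from this post or from US-CERT, that flags such sources; the log record format is constructed for the example and is not BIND’s native query-log format.

```python
"""Flag likely DNS amplification abuse in a resolver query log.
Record format is constructed for this example (not BIND's native log):
  <unix_ts> <src_ip> <qname> <qtype> <req_bytes> <resp_bytes>"""
from collections import defaultdict

# Constructed sample: 192.0.2.10 is the spoofed "source" (the real victim)
# of a burst of ANY queries; 198.51.100.7 is an ordinary client.
SAMPLE_LOG = """\
1700000000.10 192.0.2.10 example.org ANY 45 3130
1700000000.11 192.0.2.10 example.org ANY 45 3130
1700000000.15 198.51.100.7 www.example.com A 49 65
1700000000.20 192.0.2.10 example.org ANY 45 3130
1700000000.25 192.0.2.10 example.org ANY 45 3130
1700000000.90 192.0.2.10 example.org ANY 45 3130
1700000001.40 198.51.100.7 mail.example.com MX 50 90
"""

def parse_log(text):
    """Yield (ts, src, qname, qtype, req_bytes, resp_bytes) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash the monitor
        ts, src, qname, qtype, req, resp = parts
        yield float(ts), src, qname, qtype, int(req), int(resp)

def find_amplification_sources(text, window=1.0, min_queries=5, min_ratio=10.0):
    """Return {src: (burst, ratio)} for sources that sent >= min_queries within
    `window` seconds and whose answers were >= min_ratio times their questions.
    A high-rate, high-ratio 'source' is usually a spoofed victim address."""
    by_src = defaultdict(list)
    for ts, src, _qname, _qtype, req, resp in parse_log(text):
        by_src[src].append((ts, req, resp))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort()
        req_total = sum(r for _, r, _ in rows)
        resp_total = sum(p for _, _, p in rows)
        ratio = resp_total / req_total if req_total else 0.0
        best, lo = 0, 0  # sliding window: largest query count in any `window`
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_queries and ratio >= min_ratio:
            flagged[src] = (best, round(ratio, 1))
    return flagged
```

A source flagged this way is the victim being flooded, not a client to blacklist; the fix belongs on the resolver (restricting who may recurse through it and rate-limiting its responses), which is what the US-CERT guidance the post cites addresses.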

It’s not impossible to repair a server once it’s found to have been exploited, but it is time consuming. US-CERT has offered several open source and free options, along with instructions, on how to prevent and fix this type of attack.


About the Author:

Kana Kennedy is a third year Information Security and Forensics major at Rochester Institute of Technology in Rochester, New York. Her specific interest is in Policy Writing and Procedure. She is also the Lint Center’s IT Security Associate.


Sources:

  1. https://www.us-cert.gov/ncas/alerts/TA13-088A

Image Credit:

  • Flickr

Disclaimer: The opinions expressed by the Lint Center Bloggers and those providing comments are theirs alone, and do not reflect the opinions of the Lint Center for National Security Studies, Inc. or any employee thereof. The Lint Center for National Security Studies, Inc. is not responsible for the accuracy of any of the information supplied by the Lint Center Bloggers.

New McAfee Study on North Korean Malware


According to news reports, there is a new piece to the Dark Seoul puzzle. A new piece of malware is on the loose, and it’s after information on South Korean and U.S. military secrets. The report does not identify which government networks have been targeted specifically, just that the malware is looking for information on those two countries. The researchers found it has been gathering information since 2009, but the attack wasn’t discovered until March 20, 2013. It’s called Operation Troy, after the historic city in which the Trojan War took place, a significant reference considering how much of a historic impact that war had on Greek literature, not to mention that the city of Troy fell because the enemy broke through with the famous Trojan horse. All are familiar references in modern day hacking, and hackers love their references.

McAfee Labs stated that the first attack found was named Dark Seoul, in which they discovered hard drives wiped of critical data. Operation Troy is a second attack, but it may have been carried out by the same group. The malware was programmed to seek out certain keywords, in varying versions of ‘military secrets’.

“This goes deeper than anyone had understood to date, and it’s not just attacks: It’s military espionage,” said Ryan Sherstobitoff, a senior threat researcher at McAfee who gave The Associated Press a report the company is releasing later this week. He analyzed code samples shared by U.S. government partners and private customers.

My advice would be for the McAfee researchers to keep looking, as in the case of the Trojan horse, the city forces were looking in the wrong direction. McAfee has already found two parts to this attack; perhaps there are more.


About the Author:

Kana Kennedy is a third year Information Security and Forensics major at Rochester Institute of Technology in Rochester, New York. Her specific interest is in Policy Writing and Procedure. She is also a Lint Center volunteer.


Sources:

  1. http://www.japantimes.co.jp/news/2013/07/09/asia-pacific/malware-hunts-military-secrets-in-south-korea-mcafee/#.UeBfgz9jfq4
  2. https://en.wikipedia.org/wiki/Trojan_War
  3. http://www.lignet.com/ArticleAnalysis/Is-North-Korea-Poised-to-Launch-a-Cyber-Attack-#ixzz2Z8bByzev

Image Courtesy of Wikicommons.
