Amplified DDoS Attack Hits Small ISP

SANS NewsBites            February 6, 2009               Vol. 11, Num. 10

–Amplified DDoS Attack Hits Small ISP
(February 4 & 5, 2009)
A new twist in DDoS (distributed denial of service) attacks has come to light after the operator of a pornographic web site used it last month to try to take down an ISP that hosts a competitor's site. The attack is being called DNS Amplification and allows a relatively small number of PCs to generate a significant amount of network traffic: queries sent with a spoofed source address cause DNS servers to generate unusually large replies, hence the name DNS Amplification. Botnet operators are reportedly updating their networks, adding tools designed to launch this sort of attack.
[Editor's Note (Ullrich): The attack is not new, and has been used for a couple years now. However, these recent attacks have been on a larger scale. We just finally got rid of smurf amplifiers and now we need to figure out how to ensure best practices are used to configure DNS servers so they are not abused as reflectors as in this attack.
(Donald Smith): This type of attack was actually used before the "large text record" DNS reflective attacks. Preventing spoofed source addresses from entering or leaving your network is the only long term solution to this class of attacks.
(Honan): More details on how this attack works are available from a paper written by Gadi Evron and Randal Vaughn at ]
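The item above describes the mechanism (small spoofed queries, large replies landing on the target) and the editors point at the two defensive angles: resolver configuration and anti-spoofing. The following is an added example, not code from SANS NewsBites or any of the editors, showing what the victim side of such an attack looks like in flow data and how a network operator might flag it. The record format (`timestamp proto src_ip src_port dst_ip dst_port bytes`), the sample records, the addresses (RFC 5737 documentation ranges) and the thresholds are all my own assumptions, not anything from the newsletter.

```python
"""Flag likely DNS amplification victims from UDP flow records.

Added example, not from SANS NewsBites. Assumed record format (constructed
for this example): 'timestamp proto src_ip src_port dst_ip dst_port bytes',
one UDP datagram per line. A host that receives large port-53 replies from
many different servers while having sent few or no queries itself is the
signature of spoofed-source amplification traffic.
"""
from collections import defaultdict

# Constructed sample records (not real traffic). 198.51.100.5 and .6 are
# ordinary clients of resolver 203.0.113.9; 198.51.100.77 never sends a
# query but receives 3300-byte replies from five different servers.
SAMPLE_FLOWS = """\
1233792000 udp 198.51.100.5 40001 203.0.113.9 53 60
1233792000 udp 203.0.113.9 53 198.51.100.5 40001 120
1233792001 udp 198.51.100.5 40002 203.0.113.9 53 60
1233792001 udp 203.0.113.9 53 198.51.100.5 40002 120
1233792001 udp 198.51.100.6 40010 203.0.113.9 53 70
1233792001 udp 203.0.113.9 53 198.51.100.6 40010 500
1233792002 udp 203.0.113.9 53 198.51.100.77 51234 3300
1233792002 udp 203.0.113.10 53 198.51.100.77 51234 3300
1233792002 udp 203.0.113.11 53 198.51.100.77 51234 3300
1233792003 udp 203.0.113.12 53 198.51.100.77 51234 3300
1233792003 udp 203.0.113.13 53 198.51.100.77 51234 3300
"""


def parse_flows(text):
    """Parse the assumed flow format into a list of dicts, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, sport, dst, dport, size = line.split()
        flows.append({"ts": int(ts), "proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(size)})
    return flows


def summarize_dns(flows):
    """Per host: bytes of DNS queries it sent, and bytes/count/distinct servers of replies it received."""
    stats = defaultdict(lambda: {"query_bytes": 0, "resp_bytes": 0,
                                 "resp_count": 0, "resolvers": set()})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == 53:                     # query leaving this host
            stats[f["src"]]["query_bytes"] += f["bytes"]
        elif f["sport"] == 53:                   # reply arriving at this host
            s = stats[f["dst"]]
            s["resp_bytes"] += f["bytes"]
            s["resp_count"] += 1
            s["resolvers"].add(f["src"])
    return stats


def amplification_ratio(s):
    """Reply bytes per query byte. A host that sent no queries yet receives
    replies is the clearest sign of spoofing, so its ratio is unbounded."""
    if s["query_bytes"] == 0:
        return float("inf")
    return s["resp_bytes"] / s["query_bytes"]


def find_amplification_victims(flows, min_resolvers=3, min_ratio=10.0, min_avg_resp=1000):
    """Hosts hit by large replies from many servers out of proportion to what they asked."""
    victims = {}
    for host, s in summarize_dns(flows).items():
        if s["resp_count"] == 0:
            continue
        avg = s["resp_bytes"] / s["resp_count"]
        ratio = amplification_ratio(s)
        if (len(s["resolvers"]) >= min_resolvers
                and ratio >= min_ratio and avg >= min_avg_resp):
            victims[host] = {"resolvers": len(s["resolvers"]),
                             "resp_bytes": s["resp_bytes"],
                             "avg_resp": avg, "ratio": ratio}
    return victims


if __name__ == "__main__":
    for host, v in find_amplification_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {v['resolvers']} servers, {v['resp_bytes']} reply bytes, "
              f"avg {v['avg_resp']:.0f} B, ratio {v['ratio']}")
```

Running it flags only 198.51.100.77; the two real clients keep ratios of roughly 2 and 7 from a single server and stay below every threshold. The three conditions are deliberately combined: a high ratio alone would also flag any host whose queries happen to return large records, and many servers alone would also flag a busy forwarder, but all three together match what the newsletter describes. The script only detects; the fixes the editors name (resolvers that do not answer recursive queries from arbitrary sources, and ingress/egress filtering of spoofed source addresses) sit in the DNS server configuration and at the network edge, not in any log analysis.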
