Hacked Attack of the DDoS Protection Services

DDoS attacks sabotage corporate websites to make them unavailable to legitimate visitors. Researchers at Incapsula, a cloud-based website security and performance service, said DDoS attacks are getting stronger, faster, bigger and smarter. 

And here's the really scary part: The very DDoS protection service you contracted to guard your website just might be responsible for destroying your site — or someone else's site.

Like a zombie apocalypse that transforms cherubic kindergarten teachers into rabid killers — or an angry 50-foot tall woman — nothing is more frightening than the unexpected. The team at Incapsula discovered that first hand recently when they traced yet another DNS DDoS attack on a B2B business ... and found it originated with two DDoS protection services.

Sneak Attack

Marc Gaffan, Incapsula’s co-founder and Chief Business Officer, told CMSWire today that the DNS DDoS attack was enormous, peaking at 25 million packets per second (Mpps). "It stood out to Incapsula’s researchers because many of the DNS queries held non-spoofed IP data, which is typically uncommon," he explained.

"Interestingly enough, in this specific case, the DNS queries held non-spoofed IP data that allowed us to uncover the attacker’s true points of origin. When we did, we were surprised to learn that the malicious requests were originating from servers of two other anti-DDoS service providers – one based in Canada, the other in China. All told, these were hitting our network with 1.5 billion DNS queries a minute, amounting to over 630 billion requests during the course of the seven hour DDoS attack."

If data isn't your first language, just remember this: the attack generated a huge amount of traffic.


We've told you about several potentially serious DDoS attacks recently, including one in which hackers used a novel technique to get thousands of online video viewers to unwittingly bombard a B2B website with junk traffic. Although early bets were on YouTube.com and Xvideos.com, the attack was ultimately traced to Sohu.com, China’s eighth largest website and the 27th most visited website in the world.

Then we explained how hackers can apparently exploit vulnerabilities in Facebook and Google to perform DDoS attacks on target websites.

Now this.

"With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend — one that can endanger even the most hardened of network infrastructures," Gaffan said.

The Threat Landscape 

There are basically two types of DDoS attacks: the first takes place at the application layer (Layer 7) and the second at the network layer (Layers 3 and 4).

At the network layer, attacks bring down a website or SaaS application by overwhelming network and server resources, causing downtime and blocking responses to legitimate traffic. Application-layer attacks target the applications themselves, making them especially worrisome for SaaS application providers. These attacks mimic legitimate user traffic to bypass bare-bones anti-DDoS solutions and crash the web server.

In the past 15 months or so, Incapsula researchers report a rapid increase in network DDoS attack volumes. Almost one in every three attacks today exceeds 20 Gigabits per second (Gbps), which was the peak attack volume just a year ago. Some exceed 100 and 200 Gbps.

Blame it on new attack methods (NTP amplification and large SYN floods) and also on the development of Internet infrastructure, specifically cloud infrastructure.

In its annual threat landscape report, issued earlier this year, Incapsula noted "the perpetrators are looking to raise the stakes even higher by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions." 

In this latest attack, Incapsula notified both anti-DDoS vendors, which both acknowledged the facts of the attack and dropped the responsible parties from their services.

Gaffan noted that malicious misuse of security solutions is "anything but new." However, he added, "this is the first time we encountered 'rogue' scrubbing servers used to carry out large-scale DDoS attacks. This fact, combined with the inherent danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous."

Tech Talk

In a blog post released today, Incapsula emphasized the method employed in this recent attack — DNS UDP Flood — is not the same as DNS Amplification. The post explains:

"When hearing about DNS DDoS, most people will probably think of the now common DNS amplification attacks. However, DNS floods are distinctively different — both in their methods of execution and in the type of grief they aim to deliver. On one hand, DNS amplification is an asymmetrical DDoS attack which allows the attacker to initiate large-sized DNS responses to the target’s server. The offender’s goal here is to achieve network saturation by continuously exhausting the bandwidth capacity of its target. On the other hand, DNS floods are symmetrical DDoS attacks, whose goal is to exhaust server-side assets (e.g., memory or CPU) with a multitude of UDP requests, generated by scripts running on several compromised botnet machines."

The most important difference between the two attacks is in the quality of the offender’s resources, the post continues.

"With DNS amplification, the effectiveness of an attacker’s own resources is increased by anywhere from 300 percent to 1000 percent, which means that large attacks could be initiated by relatively small botnets. On the other hand, with DNS floods there is no multiplier to speak of at all. This means that, in order to generate a DNS flood at the rate of 25Mpps, the offender needs access to an equally powerful botnet infrastructure ..."

Yep: DDoS protection services.

As the Incapsula team noted, with their proximity to the Internet’s backbone and wide traffic pipes, these services are specifically designed for high capacity traffic management. Incapsula warns:

"This, combined with the fact that many vendors are more concerned with 'what’s coming in' as opposed to 'what’s going out,' makes them a good fit for hackers looking to execute massive non-amplified DDoS attacks. Besides providing the ‘poetic twist’ of turning the protectors into aggressors, such mega-floods are also extremely dangerous."
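As an added example that is not part of the article or of Incapsula's own tooling, the following Python script shows how the two patterns the post distinguishes look to a defender watching a DNS server: the per-source query rate (the flood signal, which has no multiplier and therefore needs a powerful, non-spoofed sender) and the response-to-request byte multiplier (the amplification signal, using the post's 300 percent figure as the flagging threshold). The log format, the IP addresses, the thresholds and the function names are all constructed for this example. A provider that runs the same per-source rate check on queries leaving its scrubbing servers, rather than only on what arrives, closes the "what's going out" gap the post describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


def build_sample_log() -> List[str]:
    """Constructed sample records (not data from the article).

    Each line is one DNS query observed at a monitoring point on a DNS server,
    together with the size of the response the server produced:
        epoch_seconds  source_ip  qname  qtype  request_bytes  response_bytes
    """
    lines: List[str] = []
    # 1) Symmetric DNS flood: one non-spoofed source sends 400 small queries in
    #    two seconds; answers are barely larger than the questions (no multiplier).
    for i in range(400):
        lines.append(f"{1400000000 + i % 2} 203.0.113.10 example.com A 60 76")
    # 2) Amplification pattern: a handful of ANY queries whose answers are ~47x
    #    larger than the question, so the return traffic dwarfs the sender's effort.
    for i in range(10):
        lines.append(f"{1400000000 + i % 2} 198.51.100.7 example.com ANY 64 3000")
    # 3) Ordinary clients at a low rate.
    lines.append("1400000000 192.0.2.20 example.com A 60 76")
    lines.append("1400000001 192.0.2.21 example.com MX 62 120")
    return lines


@dataclass
class SourceStats:
    queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0
    first_ts: Optional[int] = None
    last_ts: Optional[int] = None

    def window_seconds(self) -> int:
        # Inclusive number of seconds spanned by this source's queries (at least 1).
        return (self.last_ts - self.first_ts) + 1

    def qps(self) -> float:
        return self.queries / self.window_seconds()

    def multiplier(self) -> float:
        # Bytes delivered to the answer's destination per byte the sender had to emit.
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_line(line: str):
    ts, src, qname, qtype, req, resp = line.split()
    return int(ts), src, qname, qtype, int(req), int(resp)


def aggregate(lines: List[str]) -> Dict[str, SourceStats]:
    """Roll the per-query records up into per-source counters."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        ts, src, _, _, req, resp = parse_line(line)
        s = stats[src]
        s.queries += 1
        s.req_bytes += req
        s.resp_bytes += resp
        s.first_ts = ts if s.first_ts is None else min(s.first_ts, ts)
        s.last_ts = ts if s.last_ts is None else max(s.last_ts, ts)
    return stats


def classify(stats: Dict[str, SourceStats], flood_qps: float = 100.0,
             amp_multiplier: float = 3.0) -> Dict[str, str]:
    """Label each source as 'amplification', 'flood' or 'benign'.

    amp_multiplier=3.0 is the 300 percent lower bound quoted in the post;
    flood_qps is an illustrative threshold for this constructed sample.
    """
    verdicts: Dict[str, str] = {}
    for src, s in stats.items():
        if s.multiplier() >= amp_multiplier:
            verdicts[src] = "amplification"   # small questions, huge answers
        elif s.qps() >= flood_qps:
            verdicts[src] = "flood"           # symmetric: sender pays for every packet
        else:
            verdicts[src] = "benign"
    return verdicts


def offenders(verdicts: Dict[str, str]) -> List[str]:
    """Sources a provider should rate-limit or investigate, whichever direction they sit on."""
    return sorted(src for src, v in verdicts.items() if v != "benign")


if __name__ == "__main__":
    stats = aggregate(build_sample_log())
    for src, verdict in classify(stats).items():
        s = stats[src]
        print(f"{src:14} {verdict:14} qps={s.qps():7.1f} multiplier={s.multiplier():5.1f}")
```

Because a flood has no multiplier, the `qps` column is the only signal that separates it from ordinary traffic, which is why the post stresses that the sender itself must be big; the amplification source, by contrast, stands out on the `multiplier` column even at a trivial query rate.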

What to Do

Remember the old adage about prevention being worse than the cure? That seems to apply here. Gaffan said security vendors played right into the hackers’ hands by equipping them with high-capacity resources, able to generate billions upon billions of unfilterable DDoS requests — enough to pose a serious threat to even the most over-provisioned servers.

So what do you need to know?

If you're a DDoS service provider that rents out high-powered servers, make sure you have them well protected. In this recent case, hackers used these high-powered servers like big cannons to fire at other targets.

"If you have weapons at home, you should keep them locked up in a cabinet so they don't fall into the wrong hands. Same logic applies if you have high-powered servers. Make sure you only rent them to legitimate users and secure them well enough so they are not used for unlawful acts," Gaffan said.

If you have web properties that are important to your business — and, really, aren't all websites — then have a DDoS mitigation service in place. But select your provider carefully. "Obviously you want to go with a reputable service," Gaffan said. "Some providers rent you hardware and host your site on their infrastructure. Others allow you to host your own site but offer protection and mitigation services. There are different types. Before you hire anyone, be aware of the differences and select your provider with care."