Hackers Use DNS TXT Records to Amplify DDoS Attacks

Cybercriminals are using DNS TXT records to amplify DDoS attacks, according to a security bulletin published on Tuesday by Akamai's Prolexic Security Engineering and Research Team (PLXsert). Several campaigns observed since October 4 involved large DNS TXT records crafted from White House press releases; PLXsert says attackers query for such records with a spoofed source address so that the much larger responses are reflected onto the target, which can include DNS servers themselves.

PLXsert suspects the attacks were launched with the DNS Flooder tool, for which Akamai also released a threat advisory on Tuesday.

Attackers have abused large TXT records before, including records belonging to isc.org and many .gov domains, but TXT records crafted specifically to inflate the response size have only been observed recently. The crafted TXT records seen in the October campaign were served from the guessinfosys.com domain.

The DNS reflection and amplification attack peaked at 4.3 Gbps and was aimed primarily at the entertainment industry, though high-tech consulting and education companies were also targeted. Individual attacks lasted anywhere from about 7 to 17 hours, varying in intensity and duration throughout October.

“DNS reflection attacks can be blunted at the network edge. An access control list (ACL) would suffice but only in cases where available bandwidth exceeds attack size,” said Bill Brenner, Akamai Senior Program Manager for Editorial, Information Security Group, in a blog post. “Some DNS servers will attempt to retry the response using TCP, but when the request is sent to the target host, no transfer will occur and the attempt will fail.”

Akamai recommends a cloud-based DDoS protection service, such as the one it offers, to defend against amplified reflection attacks, which the bulletin says use the same tactics as earlier reflection campaigns that abused SNMP, SSDP or CHARGEN.
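Whether the traffic is absorbed at the edge or by a scrubbing service, the reflection pattern itself is easy to spot in flow data: a host receives large UDP packets from many distinct resolvers on source port 53 while having sent queries to none of them. The following added example (not from the article, Akamai or any product) runs that check over constructed flow records; it generalizes beyond DNS by making the reflector port a parameter, so the same logic applies to the SNMP (161), SSDP (1900) and CHARGEN (19) campaigns the bulletin compares this one to. The addresses, thresholds and flow tuple layout are assumptions for the illustration.

```python
"""Added example (not from the article or Akamai): flag hosts receiving unsolicited,
oversized UDP responses from many reflectors. Flow records are constructed, not real."""
from collections import defaultdict

# Constructed flow records: (src, sport, dst, dport, proto, bytes, pkts)
FLOWS = []
# A victim: 20 open resolvers each deliver 50 large TXT answers; the victim never queried them.
# The destination port is whatever the attacker spoofed in the original query.
for i in range(1, 21):
    FLOWS.append((f"198.51.100.{i}", 53, "203.0.113.10", 80, "udp", 2858 * 50, 50))
# A normal client: it asked two resolvers and got ordinary-sized answers back.
for resolver in ("192.0.2.53", "192.0.2.54"):
    FLOWS.append(("203.0.113.20", 41000, resolver, 53, "udp", 46 * 3, 3))
    FLOWS.append((resolver, 53, "203.0.113.20", 41000, "udp", 120 * 3, 3))


def find_reflection_victims(flows, reflector_port=53, min_reflectors=10,
                            min_avg_bytes=512, max_solicited=0.2):
    """Return {victim_ip: stats} for destinations that receive large UDP packets from at
    least `min_reflectors` distinct sources on `reflector_port`, where at most
    `max_solicited` of those sources ever received a request from the victim.
    The 512-byte default mirrors the classic UDP DNS limit: answers bigger than that
    only arrive when someone advertised an EDNS0 buffer on the victim's behalf."""
    inbound = defaultdict(list)    # dst -> [(src, bytes, pkts)] arriving from the reflector port
    requested = defaultdict(set)   # src -> servers it actually sent requests to
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp":
            continue
        if sport == reflector_port:
            inbound[dst].append((src, nbytes, pkts))
        if dport == reflector_port:
            requested[src].add(dst)

    victims = {}
    for dst, records in inbound.items():
        reflectors = {src for src, _, _ in records}
        if len(reflectors) < min_reflectors:
            continue
        total_bytes = sum(b for _, b, _ in records)
        total_pkts = sum(p for _, _, p in records)
        avg_bytes = total_bytes / total_pkts
        solicited = len(reflectors & requested[dst]) / len(reflectors)
        if avg_bytes >= min_avg_bytes and solicited <= max_solicited:
            victims[dst] = {
                "reflectors": len(reflectors),
                "avg_bytes": round(avg_bytes),
                "solicited_fraction": solicited,
                "total_bytes": total_bytes,
            }
    return victims


if __name__ == "__main__":
    for victim, stats in find_reflection_victims(FLOWS).items():
        print(victim, stats)
```

Only 203.0.113.10 is reported: twenty reflectors, an average packet of 2,858 bytes, and none of them solicited. The ordinary client is excluded both because it talks to just two resolvers and because every response it receives matches a query it sent. An ACL built from this output blocks the attack only as far as the link in front of it has headroom, which is the caveat in Brenner's remark above.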

Regular threat advisories from Prolexic and Akamai's State of the Internet reports have documented an ongoing increase in DDoS attack frequency and duration, as well as new strategies used by cybercriminals.

Industry responses have included bringing more DDoS mitigation solutions to customers, as when CloudSigma began offering Black Lotus protection to its cloud hosting customers last week. Service providers can also keep informed of their options and opportunities through events like a webinar on the changing DDoS landscape presented by the WHIR on Wednesday afternoon.

by Chris Burt, thewhir.com