You'll see this message when it is too late (Information Policy) by Josephine Wolff

Author: Josephine Wolff
Language: eng
Format: epub
Tags: online, networks, data, hacking, computer systems, Sony, IRS, cybersecurity
ISBN: 9780262038850
Publisher: The MIT Press
Published: 2018-10-19T07:00:00+00:00

Playing Defense

Despite the record-setting levels of traffic that Stophaus managed to direct at Spamhaus, Cloudflare was largely able to mitigate the DDoS and keep Spamhaus’s servers up and running. McDonagh was astonished; “i don’t understand this,” he wrote in the group chat on March 19, “how can cloudflare take 100gbps … and latency is not even increased by 1ms[?]” Relying on DNS reflection traffic for a DDoS attack changes the defensive landscape—and not just because of the potential size of the attack. In a more traditional DDoS attack (that does not make use of DNS reflection traffic), there are relatively few defensive options. The target can filter traffic it receives (or hire someone else like Cloudflare to do it for them) and try to identify malicious packets by detecting high-volume senders or suspicious patterns. Alternatively, the owners of the compromised machines sending that malicious traffic may notice (or be informed of) the large volume of outbound traffic and patch their systems. Moving earlier up the attack chain, it may be possible to go after the actors renting out botnets, but much of the defensive responsibility falls on the targets and occasionally on the machines directly bombarding them with traffic.

By introducing DNS resolvers as an intermediary for sending that traffic, attackers can greatly increase the volume of such attacks, but they also create a new defensive opportunity for the DNS operators who run these resolvers. These operators can restrict which queries their DNS resolvers respond to, so that queries from unknown or unauthorized machines are ignored and the resolvers are no longer open. DNS operators can also “rate limit” their resolvers, rather than closing them completely to the public, so that they only respond to a set number of queries in a certain time period and therefore cannot be used to generate as much traffic directed at a single server. Following the Spamhaus attacks, the Open Resolver Project publicly released a list of millions of open resolvers online in hopes of pressuring their operators to shut them down or further restrict them, highlighting the potential power of this group of intermediaries.
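The two resolver-side controls described above, closing a resolver to unknown clients and rate limiting the clients it does serve, can be expressed as a small policy check. The following is an added example written for this page, not code from the book or from any real resolver; the network allow-list, the per-client query budget, and the window length are hypothetical parameters, and the query stream is constructed.

```python
import ipaddress
from collections import defaultdict, deque


class ResolverPolicy:
    """Decide whether a recursive resolver should answer a client's query.

    Two controls: an allow-list of client networks (so the resolver is no
    longer "open" to arbitrary machines) and a sliding-window rate limit per
    client (so a single source cannot use the resolver to generate unbounded
    traffic). Parameter names are hypothetical, not real resolver config keys.
    """

    def __init__(self, allowed_networks, max_queries, window_seconds):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.max_queries = max_queries
        self.window = window_seconds
        # Timestamps of recently answered queries, kept per client address.
        self._recent = defaultdict(deque)

    def is_authorized(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.allowed)

    def should_answer(self, client_ip, now):
        """Return (decision, reason); `now` is a timestamp in seconds."""
        if not self.is_authorized(client_ip):
            return False, "refused: client outside allowed networks"
        recent = self._recent[client_ip]
        # Forget queries that have aged out of the rate-limit window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_queries:
            return False, "dropped: per-client rate limit exceeded"
        recent.append(now)
        return True, "answered"


def simulate(policy, queries):
    """Run (timestamp, client_ip) pairs through the policy; tally outcomes."""
    counts = {"answered": 0, "refused": 0, "dropped": 0}
    for ts, ip in queries:
        _, reason = policy.should_answer(ip, ts)
        counts[reason.split(":")[0]] += 1
    return counts


# Constructed query stream: a burst of 10 queries in one second from an
# authorized client, 3 queries from an unknown client, then 2 more from the
# authorized client after the window has passed.
SAMPLE_QUERIES = (
    [(i / 10, "192.0.2.10") for i in range(10)]
    + [(0.3, "198.51.100.7"), (0.4, "198.51.100.7"), (0.5, "198.51.100.7")]
    + [(2.0, "192.0.2.10"), (2.1, "192.0.2.10")]
)


def run_sample():
    policy = ResolverPolicy(["192.0.2.0/24"], max_queries=5, window_seconds=1.0)
    return simulate(policy, SAMPLE_QUERIES)


if __name__ == "__main__":
    print(run_sample())
```

With a budget of 5 queries per second, the authorized client's burst gets 5 answers and 5 drops, the unknown client is refused outright, and the two later queries are answered once the window has slid past the burst. A real deployment would apply the limit to responses rather than queries and would typically rate-limit by source network rather than single address, but the decision structure is the same.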

Besides introducing a new class of defensive intermediaries in the form of the DNS operators, DDoS amplification attacks also make it easier for targets and companies like Cloudflare to distinguish between malicious and non-malicious traffic. In standard DDoS attacks, both types of traffic may look very similar, like people trying to connect to a particular website or server. But in DNS amplification attacks the malicious traffic is likely to be of a very specific type (large DNS records) that can be recognized and dropped without affecting legitimate users. Another type of attack traffic involved in the DDoS attack directed at Spamhaus was generated by an ACK reflection attack, in which the compromised machines initiated TCP sessions ostensibly from a Spamhaus IP address and the receiving servers therefore responded to Spamhaus with an ACK (acknowledgment) connection, acknowledging receipt of the session initiation. This type of DDoS does not have the amplification effect
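The target-side observation above, that amplification traffic has a recognizable shape (large DNS responses arriving from port 53 at a host that never asked for them, from many responders at once), can be turned into a simple detection pass over flow records. The following is an added example written for this page, not code from the book or from Cloudflare or Spamhaus; the flow records are constructed, and the size threshold, responder count, and traffic-share cutoff are hypothetical tuning values.

```python
from collections import defaultdict

# Constructed flow records (not a real capture). Each record is one
# unidirectional flow: protocol, source, source port, destination,
# destination port, and byte count.
SAMPLE_FLOWS = [
    # Five large DNS "responses" from five different resolvers, all landing on
    # the same destination: the signature of an amplification attack.
    {"proto": "udp", "src": "198.51.100.11", "sport": 53, "dst": "203.0.113.5", "dport": 40000, "bytes": 3000},
    {"proto": "udp", "src": "198.51.100.12", "sport": 53, "dst": "203.0.113.5", "dport": 40000, "bytes": 3000},
    {"proto": "udp", "src": "198.51.100.13", "sport": 53, "dst": "203.0.113.5", "dport": 40000, "bytes": 3000},
    {"proto": "udp", "src": "198.51.100.14", "sport": 53, "dst": "203.0.113.5", "dport": 40000, "bytes": 3000},
    {"proto": "udp", "src": "198.51.100.15", "sport": 53, "dst": "203.0.113.5", "dport": 40000, "bytes": 3000},
    # Legitimate web traffic to the same destination: must not be dropped.
    {"proto": "tcp", "src": "192.0.2.44", "sport": 51000, "dst": "203.0.113.5", "dport": 80, "bytes": 600},
    {"proto": "tcp", "src": "192.0.2.45", "sport": 51001, "dst": "203.0.113.5", "dport": 80, "bytes": 600},
    # A second host doing an ordinary lookup: small query out, small answer back.
    {"proto": "udp", "src": "203.0.113.9", "sport": 41000, "dst": "198.51.100.1", "dport": 53, "bytes": 60},
    {"proto": "udp", "src": "198.51.100.1", "sport": 53, "dst": "203.0.113.9", "dport": 41000, "bytes": 120},
    {"proto": "tcp", "src": "192.0.2.46", "sport": 51002, "dst": "203.0.113.9", "dport": 80, "bytes": 800},
]


def summarize_dns_responses(flows, size_threshold=512):
    """Per destination: total bytes, bytes in oversized UDP/53 responses,
    and the set of distinct responders that sent them."""
    summary = defaultdict(lambda: {"total_bytes": 0, "amp_bytes": 0, "responders": set()})
    for f in flows:
        entry = summary[f["dst"]]
        entry["total_bytes"] += f["bytes"]
        is_dns_response = f["proto"] == "udp" and f["sport"] == 53
        if is_dns_response and f["bytes"] >= size_threshold:
            entry["amp_bytes"] += f["bytes"]
            entry["responders"].add(f["src"])
    return summary


def flag_amplification_targets(flows, size_threshold=512, min_responders=3, min_share=0.5):
    """Destinations whose inbound traffic is dominated by oversized DNS
    responses from many distinct resolvers."""
    flagged = []
    for dst, entry in summarize_dns_responses(flows, size_threshold).items():
        share = entry["amp_bytes"] / entry["total_bytes"]
        if len(entry["responders"]) >= min_responders and share >= min_share:
            flagged.append(dst)
    return sorted(flagged)


def should_drop(flow, flagged_targets, size_threshold=512):
    """Filter rule: drop oversized UDP/53 responses aimed at a flagged target,
    leaving every other flow (including ordinary-size DNS answers) alone."""
    return (
        flow["dst"] in flagged_targets
        and flow["proto"] == "udp"
        and flow["sport"] == 53
        and flow["bytes"] >= size_threshold
    )


def apply_filter(flows):
    """Return the flows that survive the filter, in original order."""
    targets = set(flag_amplification_targets(flows))
    return [f for f in flows if not should_drop(f, targets)]


if __name__ == "__main__":
    print("flagged:", flag_amplification_targets(SAMPLE_FLOWS))
    print("kept:", len(apply_filter(SAMPLE_FLOWS)), "of", len(SAMPLE_FLOWS), "flows")
```

On the constructed data only the first destination is flagged: five distinct resolvers account for 15,000 of its 16,200 inbound bytes. The filter then drops exactly those five flows and passes the web traffic, the second host's small DNS answer, and its outbound query untouched, which is the point the passage makes about separating amplification traffic from legitimate users.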

