Edu.za being used to send insane amounts of DDoS attack traffic
Domain Name System (DNS) servers on the edu.za domain are being exploited to launch massive distributed denial of service attacks (DDoS), according to a new report from Nexus Guard.
Nexus Guard’s second-quarter Threat Report for 2019 stated that DNS amplification attacks have spiked more than 1,000% compared with Q2 2018. DNS amplification attacks accounted for 65% of DDoS attacks last quarter.
It attributed this rise to the adoption of Domain Name System Security Extensions (DNSSEC) without proper precautions in place to mitigate DNS-amplified DDoS attacks.
“DNSSEC was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. The extra security DNSSEC provides relies on a resource-intensive data verification process using public keys and digital signatures,” Nexus Guard explained.
In other words, in trying to improve the security of DNS, the potency of DNS-amplified attacks has been increased, Nexus Guard said.
Of particular concern for South Africa is the fact that Nexus Guard ranks the edu.za domain as one of the most abused domains for DNS Amplification attacks, second only to 1×1.cz.
Nexus Guard reported that edu.za had 13,524,481 spoofed DNS requests last quarter, accounting for 9.36% of all DNS abuse.
A table summarising the ten most frequently abused domains from the Nexus Guard report is reproduced below. It also shows the number of DNS requests tracked by Nexus Guard (“Query Count”).
Domain | Query Count | Percentage | Included DNSSEC |
---|---|---|---|
1×1.cz | 16,605,666 | 11.49% | Yes |
edu.za | 13,524,481 | 9.36% | Yes |
aids.gov | 12,640,652 | 8.75% | Yes |
isc.org | 12,541,244 | 8.68% | Yes |
eftps.gov | 11,423,694 | 7.91% | Yes |
mz.gov.pl | 10,811,274 | 7.48% | Yes |
paypal.com | 9,403,514 | 6.51% | Yes |
leth.cc | 9,118,943 | 6.31% | Yes |
dfafacts.gov | 7,299,000 | 5.05% | Yes |
nel.gov | 7,212,696 | 4.99% | Yes |
Other | 33,884,389 | 23.45% | — |
To illustrate the impact of DNSSEC on the effectiveness of DNS amplification attacks, Nexus Guard showed that DNS servers on aids.gov that were exploited had an amplification power of 4.53X before DNSSEC. With DNSSEC, attackers can now amplify their attack traffic by 45.28X.
“Clearly, DNSSEC is a very cost-effective resource for attackers seeking to reflect amplification attacks. While intended to be a patch to DNS poisoning, DNSSEC has had the unintended consequence of creating yet another DDoS vulnerability,” Nexus Guard said.
A graph in the report shows the dramatic impact of DNSSEC on amplification power. For edu.za, the amplification power went from under 4X without DNSSEC to nearly 50X with DNSSEC.
Nexus Guard’s report also revealed that most DDoS attacks originate in the United States, followed by China. It also stated that most attacks last 90 minutes or less.
“The quarterly average was 182.9 minutes, while the longest attack lasted 28 days, 1 hour, and 11 minutes,” Nexus Guard said.
Attacks mainly originate from hijacked Windows and iOS devices that have been yoked together in a botnet.
Of the attacks it tracked, Nexus Guard said that 48.28% of the traffic came from Windows OS computers and servers, and 20.48% came from iOS-powered mobile devices.
DNS amplification attacks
DNS Amplification attacks, also referred to as DNS reflection, use improperly configured Domain Name System (DNS) servers to flood computers with network traffic. If the flood of bogus traffic is able to overwhelm the computer, it can’t respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.
When the target computer is a web server or critical network infrastructure, such a DDoS attack causes an outage.
Reflection attacks work by requesting information from a server on the Internet, but tricking it into sending its response to the target computer the attacker wants to flood.
DNS servers are a popular choice for such attacks because they are critical Internet infrastructure designed to field millions of requests per second. They are also usually connected to high-bandwidth links to enable them to deal with large amounts of traffic.
Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth. Hence the term: DNS Amplification.
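The amplification figures Nexus Guard quotes for aids.gov and edu.za, and the reflection mechanism described above, can be made concrete from the operator's side of the DNS server. The following is an added example, not code from the article or from Nexus Guard. It parses a constructed resolver log (the five-column format, the addresses and the byte sizes are all assumed) in which each line records one request and the response it produced, computes the response-to-request byte ratio, and flags "client" addresses that are receiving a high volume of large answers to small queries. In a spoofed query the client address is the victim, so a flagged address is the one being flooded, and it is where a defender would apply response rate limiting. The constructed byte sizes are chosen so that the plain and DNSSEC-signed answers reproduce the 4.53X and 45.28X factors from the report.

```python
"""Amplification-ratio check over constructed DNS server log lines.

Log format (assumed for this example, not any real server's format):
    client_ip  qname  qtype  request_bytes  response_bytes
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. Sizes are invented: 272/60 and 2717/60 reproduce the
# 4.53X (plain) and 45.28X (DNSSEC) amplification factors quoted in the report.
SAMPLE_LOG = """\
# client        qname                qtype   req_bytes  resp_bytes
203.0.113.10    example.edu.za       DNSKEY  60         2717
203.0.113.10    example.edu.za       DNSKEY  60         2717
203.0.113.10    example.edu.za       DNSKEY  60         2717
203.0.113.10    example.edu.za       DNSKEY  60         2717
203.0.113.10    example.edu.za       DNSKEY  60         2717
198.51.100.7    www.example.edu.za   A       60         272
198.51.100.7    mail.example.edu.za  A       60         272
198.51.100.7    example.edu.za       A       60         272
"""


@dataclass
class DnsExchange:
    client: str
    qname: str
    qtype: str
    request_bytes: int
    response_bytes: int


def parse_log(text: str) -> list[DnsExchange]:
    """Turn the whitespace-separated log into records; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qname, qtype, req, resp = line.split()
        records.append(DnsExchange(client, qname, qtype, int(req), int(resp)))
    return records


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes sent to the destination per byte the server received."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def summarize_by_client(records: list[DnsExchange]) -> dict[str, dict[str, float]]:
    """Aggregate query count and byte totals per source address, with the ratio."""
    totals: dict[str, dict[str, float]] = defaultdict(
        lambda: {"queries": 0, "request_bytes": 0, "response_bytes": 0}
    )
    for r in records:
        t = totals[r.client]
        t["queries"] += 1
        t["request_bytes"] += r.request_bytes
        t["response_bytes"] += r.response_bytes
    for t in totals.values():
        t["ratio"] = amplification_factor(int(t["request_bytes"]), int(t["response_bytes"]))
    return dict(totals)


def flag_reflection_candidates(
    records: list[DnsExchange], min_queries: int = 3, min_ratio: float = 10.0
) -> list[str]:
    """Addresses that repeatedly receive answers many times larger than their queries.

    On a server being used as a reflector, the 'client' is the spoofed victim, so
    these are the destinations to rate-limit, not sources to block.
    """
    summary = summarize_by_client(records)
    return sorted(
        client
        for client, t in summary.items()
        if t["queries"] >= min_queries and t["ratio"] >= min_ratio
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, t in summarize_by_client(recs).items():
        print(f"{client}: {int(t['queries'])} queries, ratio {t['ratio']:.2f}X")
    print("reflection candidates:", flag_reflection_candidates(recs))
```

The thresholds are deliberately simple: a real deployment would measure per time window and per query type, because a single large DNSKEY answer to a legitimate validating resolver is normal, while hundreds of them to one address that never asks anything else is the reflection pattern.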