Massive DDoS Assault Launched From Anti-DDoS Servers

US security firm Incapsula has reported a massive DNS distributed denial-of-service (DDoS) attack on one of its customers – ironically, launched from the servers of two providers of anti-DDoS services.

The attack, far from being an isolated incident, is part of a dangerous emerging trend, according to the company – that of using DNS floods, which it says can bring down even highly resilient networks.

Growing trend

The company said the attack, carried out against an online gaming firm’s network, originated from networks in China and Canada.

“We were surprised to learn that the malicious requests were originating from servers of two other anti-DDoS service providers – one based in Canada, the other in China,” the company said in a statement. “All told, these were hitting our network at a rate of 1.5 billion DNS queries a minute, amounting to over 630 billion requests during the course of the seven-hour long DDoS attack.”

Incapsula said the attack was similar to others carried out against its own network, as well as DNS floods that have recently affected companies including UltraDNS.

“We are now convinced that what we are seeing here is an evolving new trend,” the company stated.

The attack peaked at approximately 25 million packets per second, Incapsula said. The attackers generated the traffic from server infrastructure built for anti-DDoS scrubbing, and the parties involved were dropped by those services after Incapsula’s investigation.

“This is the first time we encountered ‘rogue’ scrubbing servers used to carry out large-scale DDoS attacks,” Incapsula stated. “This fact, combined with the inherent danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous. DDoS protection services, with their proximity to the Internet’s backbone and wide traffic pipes, are specifically designed for high capacity traffic management. This, combined with the fact that many vendors are more concerned with ‘what’s coming in’ as opposed to ‘what’s going out’, makes them a good fit for hackers looking to execute massive non-amplified DDoS attacks.”

Defence difficult

DNS floods are relatively rare, because they are not amplified: every query the target receives has to be generated by the attacker’s own machines, so massive computing resources are required to carry them out. That contrasts with the more common DNS amplification attacks, which are “asymmetrical”: a small query sent to an open resolver with a spoofed source address elicits a much larger response aimed at the victim, so a relatively small network of computers can launch a large-scale attack.

However, DNS amplification attacks are also relatively easy to defend against, Incapsula said.

“This isn’t the case for seemingly legitimate DNS flood queries, which cannot be dismissed before they are individually processed at the server level,” the company stated. “DNS floods have the potential to bring down even the most resilient of networks. Thankfully, this potential is usually capped by the capacity of the attacker’s own resources.”
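To make the distinction in the preceding paragraphs concrete, the following is an added example written for this page (not Incapsula’s code or that of any vendor mentioned): a minimal DNS query parser plus per-source triage run over a constructed one-second capture. The addresses are RFC 5737 documentation ranges, the flood threshold and window are assumptions, and the point it shows is that flood packets parse as perfectly valid queries, so only their aggregate rate gives them away, whereas malformed junk and ANY-heavy reflection traffic can be rejected on a per-packet property.

```python
# DNS query parser plus per-source triage, added here to illustrate why a
# non-amplified DNS flood is harder to filter than an amplification attack.
# Example code written for this page, not Incapsula's or any vendor's; all
# traffic is constructed and the addresses, window and thresholds are assumptions.
import struct
from collections import defaultdict

QTYPE_A = 1
QTYPE_ANY = 255


def build_dns_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a minimal wire-format DNS query: header (RD set, one question), QNAME, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_query(packet):
    """Parse the header and first question; return (name, qtype) or None if malformed.

    Flood packets are well-formed queries, so they pass this check: the server cannot
    reject them until it has parsed and answered each one, which is the point in the text.
    """
    if len(packet) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:  # must be a query (QR=0) carrying one question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(packet):  # no compression pointers in a question name
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass != 1:
        return None
    return ".".join(labels), qtype


def triage(records, window_s, flood_qps=1000.0):
    """Classify each source in `records` (iterable of (src_ip, packet_bytes) seen in `window_s` seconds).

    amplification-probe: mostly ANY queries at flood rate; the 'source' is normally the spoofed
                         reflection target, so dropping ANY (or response rate limiting) is cheap.
    flood:   valid, varied queries at flood rate; nothing per packet marks them, only the rate does.
    junk:    mostly malformed packets, droppable before any DNS processing.
    normal:  below the flood rate.
    """
    stats = defaultdict(lambda: {"valid": 0, "malformed": 0, "any": 0, "names": set()})
    for src, pkt in records:
        s = stats[src]
        parsed = parse_dns_query(pkt)
        if parsed is None:
            s["malformed"] += 1
            continue
        name, qtype = parsed
        s["valid"] += 1
        s["names"].add(name)
        if qtype == QTYPE_ANY:
            s["any"] += 1
    result = {}
    for src, s in stats.items():
        qps = s["valid"] / window_s
        any_share = s["any"] / s["valid"] if s["valid"] else 0.0
        if qps >= flood_qps and any_share >= 0.5:
            verdict = "amplification-probe"
        elif qps >= flood_qps:
            verdict = "flood"
        elif s["malformed"] > s["valid"]:
            verdict = "junk"
        else:
            verdict = "normal"
        result[src] = {"qps": qps, "distinct_names": len(s["names"]), "any_share": any_share, "verdict": verdict}
    return result


def sample_records():
    """Constructed one-second capture using RFC 5737 documentation addresses (not real hosts)."""
    recs = [("192.0.2.5", build_dns_query(n)) for n in ("www.example.com", "mail.example.com", "example.com")]
    # Flood source: 1500 valid queries for distinct names, each of which the server must resolve.
    recs += [("203.0.113.10", build_dns_query(f"host{i}.example.com", txid=i)) for i in range(1500)]
    # Reflection traffic: 1200 ANY queries; here the source address would be the intended victim.
    recs += [("198.51.100.7", build_dns_query("example.com", QTYPE_ANY, txid=i)) for i in range(1200)]
    # Junk: truncated packets that fail parsing and can be dropped up front.
    recs += [("203.0.113.99", b"\x00\x01" * 3)] * 10
    return recs


if __name__ == "__main__":
    for src, info in triage(sample_records(), window_s=1.0).items():
        print(src, info)
```

The flood source is only caught because all 1,500 queries share one IP in this constructed capture; real floods spread the same work over many machines, each staying under the per-source threshold, which is why the article stresses that such attacks are capped only by the attacker’s own capacity.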

That is why the recent attack is so worrying, according to Incapsula: it demonstrates that such high-powered resources can easily end up in attackers’ hands, ironically in the form of anti-DDoS server networks.

“In this case, the security vendors played right into the hackers’ hands, by equipping them with high-capacity resources, able to generate billions upon billions of unfilterable DDoS requests – enough to pose a serious threat to even the most overprovisioned servers,” Incapsula wrote.

Last month Blizzard, maker of online games including Diablo and World of Warcraft, was affected by DDoS attacks in Europe.

One third of UK companies recently surveyed by Neustar said they were hit by DDoS attacks last year, with estimated losses of £240,000 per day. The majority of firms said they were ill-equipped to deal with such attacks.


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Comments

  • I'm sceptical that the anti-DDoS networks protecting the gaming sites were the real source. I've seen cases of mistaken identity involving very similar sites before (see for example "Looking for packets from three particular subnets" on the SANS diary). A Distributed Reflected Denial of Service attack (DRDoS) will have a spoofed source IP, whether it is DNS-based (from port 53), other UDP (e.g. NTP), or TCP SYNs (often from port 80 or another known server port), so the origin botnet can only be found by large-scale analysis of network flows and Ethernet headers, or honeypots.

    The solution is for ISPs to do ingress filtering (BCP-38).
