What does running the DNS infrastructure of a major ISP have in common with operating an online gambling site based in China? If you are running DNS operations of any scale, then you are almost certainly participating, unknowingly, in a worldwide racketeering campaign specifically targeting online gambling sites, many of which operate out of China in a quasi-legal limbo. Attackers are using the threat of DDoS to extort payments from these operations. Those that don’t pay up are subjected to crippling DDoS attacks spanning multiple vectors, with DNS frequently the primary one.
Cloudmark became aware of these attacks while analyzing DNS traffic at a major ISP. The customer was complaining of an unusually high load on their name servers and asked Cloudmark to investigate. What we found under the surface was a thriving black market operation supported by the same DNS infrastructure that we rely on for day-to-day operations. We discovered that attackers were directing a botnet of compromised machines to flood DNS lookup requests through the ISP’s recursive name servers, attempting to resolve highly randomized, non-existent subdomains of their victims’ domains. Because every queried label is unique, nothing can be answered from the resolver’s cache: each query is forwarded upstream, and the resolver holds an open slot for it until an answer arrives or the lookup times out. Almost all of the upstream requests the ISP’s recursive servers sent to the victims’ authoritative servers were timing out, a good indication that the attack was successfully overloading the victims’ name servers to the point where they became unresponsive.
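The traffic pattern described above is detectable at the recursive resolver itself: for the targeted domain, nearly every query carries a never-before-seen, high-entropy leftmost label, and nearly every upstream lookup fails. The following is an added example of that detection logic, written for this page and not code from Cloudmark or its whitepaper. The log format (`<client_ip> <qname> <rcode>`, one query per line), the sample log, the "last two labels" notion of a registered domain, and the thresholds are all assumptions made for illustration; a real deployment would parse its own resolver's log format and use the Public Suffix List.

```python
"""Flag random-subdomain (NXDOMAIN/SERVFAIL flood) attacks in recursive
resolver query logs. Added example for this article, not Cloudmark's code."""
import math
import random
from collections import defaultdict

# Constructed log format (an assumption, not any real resolver's format):
# one query per line, "<client_ip> <qname> <rcode>".
# An upstream timeout is reported to the stub client as SERVFAIL.
FAILURE_RCODES = {"SERVFAIL", "TIMEOUT"}


def parse_line(line):
    """Split one constructed log line into (client, qname, rcode)."""
    client, qname, rcode = line.split()
    return client, qname.rstrip(".").lower(), rcode.upper()


def registered_domain(qname):
    """Assumption: the registered domain is the last two labels.
    Production code should consult the Public Suffix List (think co.uk)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(text):
    """Bits per character; random labels score high, real hostnames low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(lines, min_queries=50, min_unique_ratio=0.9,
            min_entropy=3.0, min_fail_ratio=0.8):
    """Return {registered_domain: stats} for domains whose traffic looks like
    a random-subdomain flood: almost every query has a unique, high-entropy
    leftmost label, and almost every lookup fails upstream."""
    per_domain = defaultdict(lambda: {"queries": 0, "labels": set(),
                                      "entropy_sum": 0.0, "failures": 0,
                                      "clients": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        client, qname, rcode = parse_line(raw)
        dom = registered_domain(qname)
        # Everything left of the registered domain is the attacker-chosen part.
        prefix = qname[:-len(dom)].rstrip(".") if qname != dom else ""
        s = per_domain[dom]
        s["queries"] += 1
        s["labels"].add(prefix)
        s["entropy_sum"] += shannon_entropy(prefix)
        s["clients"].add(client)
        if rcode in FAILURE_RCODES:
            s["failures"] += 1

    suspects = {}
    for dom, s in per_domain.items():
        if s["queries"] < min_queries:
            continue  # too little traffic to judge
        unique_ratio = len(s["labels"]) / s["queries"]
        mean_entropy = s["entropy_sum"] / s["queries"]
        fail_ratio = s["failures"] / s["queries"]
        if (unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy
                and fail_ratio >= min_fail_ratio):
            suspects[dom] = {"queries": s["queries"],
                             "unique_ratio": round(unique_ratio, 2),
                             "mean_entropy": round(mean_entropy, 2),
                             "fail_ratio": round(fail_ratio, 2),
                             "clients": len(s["clients"])}
    return suspects


def constructed_log(seed=1):
    """Constructed sample log: 200 flood queries against victim.example from
    up to 20 bot addresses, mixed with ordinary traffic for shop.example."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = []
    for _ in range(200):
        label = "".join(rng.choice(alphabet) for _ in range(16))
        bot = f"203.0.113.{rng.randint(1, 20)}"
        lines.append(f"{bot} {label}.victim.example. SERVFAIL")
    for _ in range(200):
        host = rng.choice(["www", "mail", "api", "cdn"])
        lines.append(f"198.51.100.7 {host}.shop.example. NOERROR")
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for dom, stats in analyze(constructed_log()).items():
        print(dom, stats)
```

Run against the constructed log, `analyze` flags `victim.example` (every label unique, mean entropy well above 3 bits per character, 100% failures, many source addresses) and leaves `shop.example` alone, since its four repeated hostnames give a unique-label ratio of 0.02. The three signals are deliberately combined: a legitimate CDN or anti-spam service can produce many unique labels, and a dead authoritative server can produce many failures, but a domain that shows all three at once is either under attack or being used as the attack vehicle, and is a candidate for per-domain rate limiting at the resolver.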
This attack was taking place at other ISPs around the world at the same time, so all of them were simultaneously forwarding the same flood of unanswerable requests: a powerful tool in the wrong hands, and one that consumes the resolvers’ own capacity as much as the target’s. Further, the victims of this type of attack are not limited to shady overseas operations; they could just as easily be well-known brands in Europe or America. Cloudmark’s new Security Platform for DNS can protect your DNS infrastructure from these types of attacks and other vulnerabilities, whether you are on the receiving end or just an innocent bystander. Learn more by reading our new whitepaper on DNS resource exhaustion.