
Nominum: 24 Million Home Routers Exposing ISPs to DDoS Attacks

Even Internet service providers that go to great lengths to protect their networks are vulnerable.

Tens of millions of home routers are exposing Internet service provider networks to DNS-based distributed denial-of-service (DDoS) attacks, according to new research from DNS software and security provider Nominum.

According to estimates from the company, more than 24 million home routers on the Internet have open DNS proxies that expose ISPs to DNS-based DDoS attacks. In February alone, more than 5.3 million of these routers were used to generate attack traffic, while in January, more than 70 percent of total DNS traffic on one provider's network was associated with DNS amplification.

In a DNS amplification attack, publicly accessible open DNS servers are used to flood a target system with DNS response traffic.

"The attacks are difficult to combat because there are still many places in the world where it is possible for attackers to spoof IP addresses," says Bruce van Nice, director of product marketing at Nominum. "Even providers who go to great lengths to protect their networks can be exposed, because not everyone is as diligent as they are. DNS is also a critical and universally used protocol, so network-based filters can be very unworkable due to the complexity they introduce.

(Image: Cyber Inz)

"The last problem," he tells us, "is home routers are purchased and managed by consumers. Providers may have no control over them, so it is very difficult to change their configuration to remove problems such as this. The best way to address the problem is to make DNS servers smarter -- equip them with fine-grained capabilities to manage malicious traffic while ensuring legitimate traffic is always permitted."
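The "smarter DNS server" approach van Nice describes, as an added illustration (not Nominum's code): a toy response-rate limiter in the style of the RRL feature found in BIND and Knot, run over a constructed query log in which a spoofed source repeats the same large ANY query at 100 qps while two ordinary clients make normal queries. The log values, thresholds, and function names are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample query log (not real data): (time_ms, source_ip, qname, qtype, query_bytes, response_bytes).
# The first 50 entries model a spoofed-source ANY flood at 100 qps; the rest are ordinary clients.
SAMPLE_LOG = [(i * 10, "198.51.100.7", "example.com.", "ANY", 45, 3200) for i in range(50)] + [
    (500, "192.0.2.10", "example.com.", "A", 40, 56),
    (1500, "192.0.2.10", "example.com.", "A", 40, 56),
    (2500, "192.0.2.11", "example.org.", "MX", 41, 120),
]

def amplification_factor(query_bytes, response_bytes):
    """How many bytes the reflector emits per byte the spoofing sender has to send."""
    return response_bytes / query_bytes

class ResponseRateLimiter:
    """Token bucket per (client /prefix, qname, qtype): limits how often the same answer is repeated to one network."""
    def __init__(self, responses_per_second=5, burst=5, slip=2, prefix_len=24):
        self.rate, self.burst_m, self.slip, self.prefix_len = responses_per_second, burst * 1000, slip, prefix_len
        self.buckets = {}             # key -> [milli-tokens, last_time_ms]; integers avoid float drift
        self.over = defaultdict(int)  # key -> number of over-limit responses seen so far

    def decide(self, time_ms, src_ip, qname, qtype):
        key = (str(ip_network(f"{src_ip}/{self.prefix_len}", strict=False)), qname.lower(), qtype)
        tokens_m, last = self.buckets.get(key, [self.burst_m, time_ms])
        tokens_m = min(self.burst_m, tokens_m + (time_ms - last) * self.rate)  # rate tokens/s == rate milli-tokens/ms
        if tokens_m >= 1000:
            self.buckets[key] = [tokens_m - 1000, time_ms]
            return "answer"
        self.buckets[key] = [tokens_m, time_ms]
        self.over[key] += 1
        # Every slip-th over-limit response is sent truncated (TC=1) instead of dropped: a genuine client
        # retries over TCP, which a spoofed source cannot complete, so legitimate traffic is never locked out.
        return "truncate" if self.over[key] % self.slip == 0 else "drop"

def run(log, limiter=None):
    """Apply the limiter to a log; returns (action counts, per-source action counts, UDP response bytes withheld)."""
    limiter = limiter or ResponseRateLimiter()
    counts, by_source, withheld = defaultdict(int), defaultdict(lambda: defaultdict(int)), 0
    for time_ms, src, qname, qtype, _qlen, rlen in sorted(log):
        action = limiter.decide(time_ms, src, qname, qtype)
        counts[action] += 1
        by_source[src][action] += 1
        if action != "answer":
            withheld += rlen
    return dict(counts), {s: dict(a) for s, a in by_source.items()}, withheld
```

On the sample log the flood source gets only 7 of its 50 answers while both ordinary clients are answered every time; the withheld responses are the bytes that would otherwise have hit the spoofed victim.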

DNS has emerged as one of the most popular protocols for launching amplification attacks, but it is not the only one. NTP amplification attacks are common as well. According to a report from Incapsula, now part of Imperva, the number of NTP amplification attacks jumped significantly during January and February. Still, DNS amplification represented nearly 35 percent of the large-scale events (+20 Gbit/s) covered in 2013 and early 2014.

"DNS attacks are nothing new; it’s one of the most common high-volume approaches, and it’s not surprising that they’re still growing in frequency," says Shawn Marck, chief security officer at Black Lotus. "We’re seeing a rise in DrDoS [distributed reflection denial-of-service] attacks, a strategy that frequently targets DNS daemons, and far too many people don’t recognize the need to protect DNS servers on top of their web servers or other networks.

"DNS servers have a very poor configuration, making them easy targets for spoofed sources resulting in large amplification attacks. ISPs that are dealing with these DNS amplification attacks need to consider the fact that the DNS servers are just a small part of their overall network. To ensure they’re properly protected, they need to invest in security measures that cover their networks as a whole, not just web or DNS servers. This is the only means to keep your data safe against traditional DDoS as well as the DNS and NTP amplification attacks, which we can all agree aren’t going anywhere anytime soon."

Home and small-business routers are a huge vulnerability, according to Tod Beardsley, engineering manager at Rapid7.

"We have published dozens of Metasploit modules that exercise dozens of vulnerabilities that range from traditional buffer overflows to default misconfigurations to vendor-installed back doors, and yet still, today, there is no normal, easy way to get updates for these things," says Beardsley. "Because of this total lack of patching, vulnerabilities of home access points are extremely long lived. Your computers and phones all have some kind of scheduled update service that's at least possible, but the router -- the thing that you're most reliant on for secure and performant web-surfing -- is totally lacking in this regard. It's very frustrating."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Marilyn Cohodas, User Rank: Strategist
4/8/2014 | 2:06:33 PM
Re: DNS Amplification
Thanks for checking with Nominum, Brian and also for the link on DNS amplification.
Bprince, User Rank: Ninja
4/8/2014 | 1:22:44 PM
DNS Amplification
Hello all. Thanks for the comments. As far as the routers, the DNS data Nominum looked at doesn't tell them anything about a particular brand of routers. Here is a good resource for information on DNS amplification from US-CERT: https://www.us-cert.gov/ncas/alerts/TA13-088A

Brian
scotty21, User Rank: Apprentice
4/8/2014 | 8:55:02 AM
Because home routers are not secured?
Is the article saying that home routers are vulnerable because they are not secured?  What is the vulnerability to mitigate?  Open networks at businesses or schools for that matter would need to be secured.  Good luck with that.  So I have answered my own question I believe.  The author has it right....because these networks will never be secured at the entry level, the DNS must be protected.  Good luck with that also when we give over ICANN.
PBURTON943, User Rank: Apprentice
4/7/2014 | 12:37:41 PM
Re: Which brands?
Good question.  For most, virtually all home users, the router is a "set it and forget it" device.  And exactly how do manufacturers notify their customers to update their firmware?  Facebook post? :)
Marilyn Cohodas, User Rank: Strategist
4/7/2014 | 12:32:51 PM
Re: Which brands?
That's a good question, Phil. Are these just older models, or have newer ones also been identified?
philburton, User Rank: Apprentice
4/4/2014 | 4:45:13 PM
Which brands?
24 million routers?  Which vendors or models?  Can someone configure a router to fix this vulnerability?

Phil