ITBusiness.ca

Configuring DNS servers to help defend networks from botnets, distributed denial of service attacks

The so-called amplifier attack sends counterfeit requests for information to Domain Name System (DNS) servers, causing them to transmit larger amounts of data to the server that is the victim of the attack.

The term amplifier refers to the fact that the amount of data hitting the victim is substantially greater than that transmitted by the machines initiating the attack, explains Robert Fleischmann, chief technology officer of Simplicita, a Denver-based startup that focuses on fighting the computer “botnets” that generate such attacks.

Distributed denial of service attacks usually depend on unsuspecting users’ computers being turned into “zombies” that, as part of these botnets, bombard their victims with unwanted data traffic. Such botnets can also be used to spread viruses and worms and to generate spam.

Security firm Sophos Inc. reported earlier this year that the Clagger-I Trojan horse, which spreads using botnets, made its top 10 list of malware two months running.

Peter Cresswell, national security practice manager at Bell Business Solutions Inc., says some 13 million distinct botnets are now active, each infecting on average about 36,000 machines. Since these botnets send out large volumes of spam as well as denial of service attacks, Cresswell says, “I think that’s the core of the (security) problem.”

But what can you do about it?

The solution to the amplifier attack, Fleischmann says, is for DNS servers to be configured to detect telltale signs of the attack — large numbers of requests for data to be sent to a single server, and the fact that the requests don’t come from the server that supposedly needs the information. Simplicita provides software to help service providers do this.
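The two telltale signs described above can be checked against a DNS server's query log. The following is an added illustration, not code from the article or from Simplicita's software; the log format, ingress port names, address prefixes and thresholds are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample log (not real traffic). Assumed fields:
# epoch_seconds ingress_port claimed_source qtype query_bytes response_bytes
SAMPLE_LOG = """\
1000 cust0 192.0.2.10 A 40 56
1001 cust1 203.0.113.7 TXT 64 3000
1001 cust1 198.51.100.5 A 40 56
1002 cust1 203.0.113.7 TXT 64 3000
1002 cust1 198.51.100.5 AAAA 42 70
1003 cust1 203.0.113.7 TXT 64 3000
1003 cust1 198.51.100.5 MX 40 90
1004 cust1 203.0.113.7 TXT 64 3000
1004 cust1 198.51.100.5 A 40 56
1005 cust0 192.0.2.10 A 40 56
"""

# Assumption: the source prefix that legitimately arrives on each ingress port.
EXPECTED = {
    "cust0": ipaddress.ip_network("192.0.2.0/24"),
    "cust1": ipaddress.ip_network("198.51.100.0/24"),
}

def detect(lines, window=5, max_queries=3, min_amplification=5.0):
    """Return {claimed_source: [reasons]} for sources showing either sign."""
    recent = defaultdict(deque)   # claimed source -> (ts, query_bytes, response_bytes)
    flagged = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, port, src, _qtype, qb, rb = line.split()
        ts, qb, rb = int(ts), int(qb), int(rb)
        # Sign 2: the request cannot have come from the address it claims,
        # because that address is not served by the port it arrived on.
        net = EXPECTED.get(port)
        if net is None or ipaddress.ip_address(src) not in net:
            flagged[src].add("source-mismatch")
        # Sign 1: many requests in a short window whose answers, far larger
        # than the requests, are all sent to one address.
        q = recent[src]
        q.append((ts, qb, rb))
        while q[0][0] <= ts - window:
            q.popleft()
        ratio = sum(r for _, _, r in q) / sum(b for _, b, _ in q)
        if len(q) > max_queries and ratio >= min_amplification:
            flagged[src].add("amplified-flood")
    return {s: sorted(r) for s, r in flagged.items()}
```

In the sample, 198.51.100.5 sends as many queries as 203.0.113.7 but is not flagged, because its answers are small and it arrives on the expected port; query volume alone is not the signal.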

For corporate network managers, the answer is basically vigilance. The standard security measures — firewall, intrusion detection, antivirus, monitoring for suspicious network traffic, and of course end-user education — all help. There is also specialized software aimed at detecting DDOS attacks and blocking them or alerting network administrators. Larry Lemieux, assistant director of IT support at Ryerson University in Toronto, says Ryerson is evaluating such software now.

Large organizations are generally aware of DDOS attacks and take appropriate precautions, Fleischmann says. Smaller businesses are less likely to understand the issue. They are also less likely to be targeted, but as Fleischmann points out, many small businesses rely on outside providers to host their Web sites and other functions, so they can be hurt by attacks aimed at other customers of the same provider or at the provider itself.
