Post Wed Mar 29, 2006 11:20 am

DNS Servers Do Hackers Dirty Work

Story from

In a twist on distributed denial-of-service attacks, cybercriminals are using DNS servers--the phonebooks of the Internet--to amplify their assaults and disrupt online business.

Earlier this year, VeriSign experienced attacks on its systems that were larger than anything it had ever seen before, it said last week. The Mountain View, Calif.-based company, which helps companies do business on the Web, discovered that the assaults weren't coming from commandeered "bot" computers, as is common. Instead, its machines were under attack by DNS (domain name system) servers.

"DNS is now a major vector for DDOS," Dan Kaminsky, a security researcher said, referring to distributed denial-of-service attacks. "The bar has been lowered. People with fewer resources can now launch potentially crippling attacks."

Just as in any DDOS attack, the target system--which could be a victim's Web server, name server or mail server--is inundated with a multitude of data coming from multiple systems on the Internet. The goal is to make the target unreachable online by flooding the data connection or by crashing it as it tries to handle the incoming data.

Such attacks were once the tool of bored teenagers who got a kick out of seeing Web sites crumble. But these days, DDOS attacks are sometimes used by criminals looking to extort money from online businesses--especially those on the margins, such as gambling sites and the adult-entertainment industry.

"We're past the era where denial of service simply happens because kids are looking for a good time," Kaminsky said.

Unlike a commandeered PC, a DNS server is a valid and good citizen of the Internet. The systems play a critical role in connecting Web users, mapping text-based domain names such as to the numerical IP addresses used by computers.

In this new kind of attack, an assailant would typically use a botnet to send a large number of queries to open DNS servers. These queries will be "spoofed" to look like they come from the target of the flooding, and the DNS server will reply to that network address.

Using DNS servers to do their dirty work offers key benefits to attackers. It hides their systems, making it harder for the victim to find the original source of the attack. But more important, reflecting an attack through a DNS server also allows the assault to be amplified, delivering a larger amount of malicious traffic to the target.

For full story: ... =nefd.lede