DNS servers do hackers' dirty work

By Joris Evers, CNET News.com
Monday, March 27, 2006 11:07 AM

It is generally possible to stop the more-common bot-delivered attack by blocking traffic from the attacking machines, which are identifiable. But blocking queries from DNS servers brings problems in its wake. A DNS server has a valid role to play in the workings of the Internet. Blocking traffic to a DNS server could also mean blocking legitimate users from sending e-mail or visiting a Web site.

"That's why this is a nasty attack," said Rob Fleischman, the chief technology officer at Simplicita, a Denver-based security start-up. "The DNS system is an area that is going to be under more attack. It is going to have closer scrutiny and more security."

At the heart of the problem are so-called recursive name servers, which are DNS servers that allow queries from anyone on the Net. There are about 7.5 million DNS servers, and estimates on how many are left wide open to queries range from 600,000 to 5.6 million, according to Vaughn and Evron's report.

"People who are running these open servers need to clean up their act. They are--witting or unwitting, lazy or just don't care--participants in these attacks," Mockapetris said. "They are the Typhoid Marys of the Internet."

To protect their systems, organizations with DNS servers can disable the recursive feature that lets anyone look up addresses. Alternatively, they can manage the server settings so that the recursive feature is available only to insiders. Internet service providers, as well as businesses and individuals, are among those who run DNS servers.
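An added example, not from the article or anyone quoted in it: Python code an administrator could use to check whether their own DNS server still answers recursive queries for outsiders, by reading the RA (recursion available) flag and response code in the reply. The function names, the `example.com` test name and the sample replies are constructed for illustration.

```python
import socket
import struct

TXID = 0x1234  # arbitrary transaction ID used by this example

def build_query(name, txid=TXID):
    """Build an A-record query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(packet, txid=TXID):
    """Classify the reply to a query for a name the server is not authoritative for."""
    if len(packet) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit clear
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5 or not flags & 0x0080:   # REFUSED, or RA (recursion available) clear
        return "closed"
    if rcode == 0 and ancount > 0:         # RA set and the foreign name was resolved
        return "open"
    return "recursion-advertised"          # RA set but no answer: investigate

def probe(server, name, timeout=3.0):
    """Query a server you operate; run this from an address that is not an insider."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return classify_response(s.recvfrom(512)[0])
        except socket.timeout:
            return "no-reply"

# Constructed sample replies (not captured traffic), so the example runs offline.
QUESTION = build_query("example.com")[12:]
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print("open reply    ->", classify_response(OPEN_REPLY))
    print("refused reply ->", classify_response(REFUSED_REPLY))
```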

Targets of DDOS attacks could protect themselves using technologies to ward off DDOS attacks, which are sold by vendors including Prolexic Technologies.

In the early days of the Internet, recursive DNS servers served mobile users and cached people's requests for Web site addresses, making the Net scale much better, Mockapetris said. An example of the latter was the day Jerry Garcia died in 1995, he said.

"Everybody was going off to find every Grateful Dead Web site everywhere in the world," he said. "The first person to do that would cache it in the DNS server of their access provider, so the next person would not have to go out to Katmandu to look it up."

But fast forward 10 years, and recursive servers should be something of the past, Mockapetris said. "Now people are looking for ways to attack the network, and the open recursive servers can be used as unwitting cat's paws in a denial-of-service attack," he said. "Once upon a time, everybody just trusted everybody, and you would say, 'Fine, use my server.' Now you have to be more careful about that."

Kaminsky agreed. "If you are a DNS administrator, you shouldn't be providing recursive services to the Internet anymore. It is unfortunately no longer a responsible thing to do," he said.

Increasingly, DNS is going to be used in attacks, experts said, and DNS administrators can no longer afford to be lazy.

"There are multiple of these kinds of storms that are rising, and service providers and enterprises need to figure out how to make sure that their sea walls, dams and dikes and levees are high enough to withstand them," Mockapetris said.

