Cyber Storm I and II – Attacks on Govt & Biz Achilles’ Heels

In my short time in this industry, I have already experienced the humbling effect that undergoing a DDOS attack has on a previously complacent IT professional. Much like someone who has survived a life-threatening illness or event, those who have weathered DDOS attacks tend to exhibit respect for inherent DNS vulnerabilities.

In addition to the security issues outlined previously, the prospect of Distributed Denial of Service (DDOS) attacks has been formally investigated as a potential weapon in the hands of cyber terrorists by the US Dept of Homeland Security, beginning with their first organized simulations in 2006, the PDF document for which is now in the public domain, and which I have attached here: cyberstorm1

This year’s Cyber Storm II looked at the newer “amplified” DDOS attacks. While the specifics of the simulations and the exploits and counter-exploits are naturally available only to the participants (multiple government agencies and private sector technical personnel), here are some of the available results from the “cyber war games.”

I can share with you the following overall result or “take-away” (to use corporate-speak): the findings of the corporate and government participants in the Cyber Storm II simulations of hypothetical cyber-terrorist attacks organized by the US Dept of Homeland Security. (Of course, smaller-scale versions of DDOS attacks are going on all over the world, even as you read this, typically targeted at specific business competitors or political adversaries, or even used as blackmail against certain e-commerce sites, etc.)

But here is what many of the corporate IT professionals found:

1) They were simply not aware of the vulnerabilities of their communications systems at the DNS level

2) Several of them simply “gave up” as they attempted to repair or divert damage from attacks on their IP infrastructure, through the DNS “front-door,” while allowing the business traffic they DID want to reach their site and keep the desired business communications going.

Moreover, it became apparent that MULTIPLE systems were dependent on DNS, and were therefore similarly vulnerable.

  • The most obvious service affected is a corporate web site and/or intranet web site
  • The most common form of communication on the Internet that depends on DNS is electronic mail
  • Another fast growing form of communication is Voice over IP (VoIP), which is totally dependent on DNS
  • Many companies have a growing army of remote employees that access corporate resources through a VPN gateway, which of course is completely dependent on DNS
  • Many corporations utilize in-house and third-party payroll processing systems, again, completely dependent on DNS
  • Hospitals, doctors, and insurance companies request/remit payment for services through both public Internet and private networks that are completely dependent on DNS
  • Hospitals and doctors often depend on medical imaging and document sharing systems across the Internet, which are totally dependent on DNS

With hundreds of name-servers comprising 14 Quad Gig-E nodes, 4 ISP connections per location, and a footprint spanning 5 continents, UltraDNS and Neustar have invested over $50 Million in their global network of DNS name-servers. That network is currently operating at between 8% and 12% of capacity, creating an average of 90% “headroom,” which dilutes the effects of DDOS attacks on their customers by redistributing those concentrated streams of traffic to their nodes around the world, alleviating the load on specific name-servers.

In conjunction with their proprietary resolver code, UltraDNS have thus created the world’s single most effective existing DDOS-mitigation service to date. cyber-storm-II-expertise

One Response to Cyber Storm I and II – Attacks on Govt & Biz Achilles’ Heels

  1. [...] were overloaded and users couldn’t get where they were trying to go… the first Denial of Service phenomenon was not a malicious attack, but that didn’t keep hackers from duplicating the [...]
