Sunday, March 31, 2013

Huge online attack exposes internet's vulnerability

It was the largest online attack ever reported. Over the course of the past week, servers belonging to an international non-profit company called The Spamhaus Project, which fights email spammers, were inundated with up to 38 gigabytes of traffic each second. That's about 10 DVDs' worth of data. The company ground to a halt, and another firm that tried to come to Spamhaus's online aid was also drawn into the battle. News reports suggested the onslaught was so big that the internet itself slowed down during the worst of it. Such accounts may have been overblown, but in the aftermath it has become clear that the attackers can exploit vulnerabilities in just about anything, from software to the infrastructure of the internet itself, to devastating effect.

In the case of the Spamhaus ambush, the attackers exploited open domain name server (DNS) resolvers, the address books of the internet. The majority of internet users only ever ask these internet address books to handle simple requests like, "Take me to www.google.com". But a lot of DNS software comes with default settings that call for it to answer many other questions, like making sure that a website is what it says it is. Such requests can massively boost the amount of traffic that the DNS resolver returns. "If you make a request for DNS security labels or extensions, the response is very large," says Jared Mauch of NTT America, who is based in Ann Arbor, Michigan.

The attackers query DNS resolvers en masse. In the process, they fake their own IP addresses, replacing them with the address of the target. This technique, called IP spoofing, results in a torrent of the DNS responses all flooding into the target at once.
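How a resolver operator might spot this pattern in their own query logs, as an added example that is not part of the original article: it totals query and response bytes per claimed source address and flags outside addresses drawing answers many times larger than the queries. The log format, the served network, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the only network this resolver is meant to serve.
SERVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log: "claimed_source_ip qtype query_bytes response_bytes"
SAMPLE_LOG = """\
192.0.2.10 A 40 56
192.0.2.11 AAAA 40 68
203.0.113.5 ANY 64 3100
203.0.113.5 ANY 64 3080
203.0.113.5 DNSKEY 64 2900
198.51.100.7 A 40 56
this line is malformed and is skipped
203.0.113.5 ANY 64 3120
"""

def parse(log):
    """Yield (ip, qtype, query_bytes, response_bytes); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]), parts[1],
                   int(parts[2]), int(parts[3]))
        except ValueError:
            continue

def is_served(ip):
    return any(ip in net for net in SERVED_NETS)

def reflection_suspects(log, min_queries=3, min_factor=10.0):
    """Map each outside source address to its stats when responses dwarf queries.

    The source address may be spoofed, so a flagged address is more likely
    the victim receiving the responses than the party sending the queries.
    """
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for ip, _qtype, q_bytes, r_bytes in parse(log):
        if is_served(ip):
            continue  # traffic from our own clients is expected
        entry = stats[str(ip)]
        entry["queries"] += 1
        entry["bytes_in"] += q_bytes
        entry["bytes_out"] += r_bytes
    suspects = {}
    for ip, s in stats.items():
        factor = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else 0.0
        if s["queries"] >= min_queries and factor >= min_factor:
            suspects[ip] = {**s, "factor": round(factor, 1)}
    return suspects
```

Any answered query from outside the served network also shows the resolver is open, whatever the amplification factor.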

Next big thing

There are fixes, but networks have been slow to adopt them. One initiative, the Open DNS Resolver Project, is set up to encourage people to make the adjustments: simply changing the settings on software and equipment is enough. But even if operators do shore up DNS resolvers, there are signs that attackers are already moving on to the next big exploit.

Mike Smith, director of the customer security internet response team at Akamai in Cambridge, Massachusetts, says he has been dealing with a hole in web-based content-management systems like Wordpress and Joomla which lets attackers use other companies' hosting platforms to launch their attacks.

"These content-management systems are basically not managed," Smith says. "People often have Wordpress and Joomla installed on their servers, and they don't even know that they have it. Attackers are taking over these applications."

Because company servers have faster internet connections than home computers, the infected software, which forms a network known as the BroBot, can be taken over and made to launch highly powerful attacks. "Those servers have 100 megabits of internet capacity each. They can send a lot of traffic very quickly," he says.

Source: http://feeds.newscientist.com/c/749/f/10897/s/2a247265/l/0L0Snewscientist0N0Carticle0Cdn233340Ehuge0Eonline0Eattack0Eexposes0Einternets0Evulnerability0Bhtml0Dcmpid0FRSS0QNSNS0Q20A120EGLOBAL0Qonline0Enews/story01.htm