The largest known attack of its kind brought the Internet to a crawl for users all over the world, but don't blame the hackers alone: the outage stems from an increasingly exploited, decade-old security problem with the "Internet's basic plumbing" that can be easily fixed. A fight between Dutch web hosting service Cyberbunker and the spam-fighting group Spamhaus resulted in "retaliation" attacks of the distributed denial-of-service (DDoS) variety on Spamhaus's servers, all of which were possible because of what are called "open DNS resolvers." While the attackers only meant to hurt Spamhaus, the method caused outages for the rest of the Internet at large, or at least for millions of uninvolved users, because the attack was bounced off servers in the Domain Name System, the directory that takes website names and turns them into the IP addresses that computers can understand. Specifically, the attack worked like this, according to The New York Times's John Markoff and Nicole Perlroth:
In the latest incident, attackers sent messages, masquerading as ones coming from Spamhaus, to those machines, which were then amplified drastically by the servers, causing torrents of data to be aimed back at the Spamhaus computers.
Because the unusually aggressive attack (300 billion bits per second, or 300 gigabits per second, sent by a network of computers, enough to take down government infrastructure) was bounced off DNS servers that many other Internet sites also depend on, it clogged traffic for more than just Spamhaus.
This type of scheme is possible in the first place because of two long-known holes that work together. The first is that networks let forged traffic out: "Many large Internet service providers have not set up their networks to make sure that traffic leaving their networks is actually coming from their own users," explain Markoff and Perlroth. The second is that certain DNS resolvers are "open," meaning they answer queries from any IP address on the Internet rather than just their own "authorized" clients, as the cloud-based web security service Cloudflare explains in this post by Matthew Prince:
The problem is, many people running DNS resolvers leave them open and willing to respond to any IP address that queries them. This is a known problem that is at least 10 years old. What has happened recently is a number of distinct botnets appear to have enumerated the Internet's IP space in order to discover open resolvers. Once discovered, they can be used to launch significant DNS Amplification Attacks.
In a separate post he calls DNS the "scourge of the Internet." The hole has been known for "at least 10 years," note Markoff and Perlroth, but attackers have only recently begun exploiting it at this scale. Unfortunately, the method is an increasingly popular one, and the attacks keep growing, says Prince: "The size of these attacks will only continue to rise until all providers make a concerted effort to close them."
Perhaps more disconcerting than the fact that many major ISPs have a gaping flaw is that once an attack is under way, it is very difficult to stop its crippling effects. "You can't stop a DNS flood by shutting down those servers because those machines have to be open and public by default. The only way to deal with this problem is to find the people doing it and arrest them," security researcher Dan Kaminsky told the Times. The good news is that there is a longer-term solution: close 'em up. "The best practice, if you're running a recursive DNS resolver is to ensure that it only responds to queries from authorized clients," adds Prince.
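To make the mechanism and both fixes concrete, here is an added example (not code from The Wire, the Times or Cloudflare). It builds the kind of small query an amplification attacker sends with the victim's address forged as the source, a constructed fat answer of the sort an ANY query pulls back, and a resolver that either answers anyone (open) or refuses clients outside an allowed list, which is what Prince's advice means in practice; it also shows the ISP-side source-address check the Times quote describes. The addresses, zone contents and resolver class are assumptions made for the demonstration, and nothing is sent on the network.

```python
"""DNS amplification via an open resolver, and the two fixes: restrict
recursion to authorized clients, and filter spoofed sources at the ISP.

Added example, not code from The Wire, the Times or Cloudflare. Every
packet, address and record below is constructed; nothing touches the net.
"""
import ipaddress
import struct
from typing import Iterable, List

ANY, TXT, OPT = 255, 16, 41
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = ANY, edns_bufsize: int = 4096, txid: int = 0x1234) -> bytes:
    """Minimal recursive query (RD=1) with an EDNS0 OPT record.

    This is the attacker's packet: qtype ANY pulls every record at the
    name into one answer, and OPT advertises a large UDP buffer so the
    resolver replies in full instead of truncating at 512 bytes.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT, edns_bufsize, 0, 0)
    return header + question + opt_rr


def question_section(query: bytes) -> bytes:
    """Slice the question out of a query so a response can echo it."""
    end = query.index(b"\x00", 12) + 1 + 4   # name terminator + QTYPE + QCLASS
    return query[12:end]


def build_answer(query: bytes, txt_values: List[str]) -> bytes:
    """Constructed answer: one TXT RR per value, owner name compressed to a
    pointer at the question (0xC00C). Real ANY answers for large zones run
    to a few thousand bytes for the same reason."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(txt_values), 0, 0)  # QR, RD, RA
    rrs = b""
    for value in txt_values:
        rdata = bytes([len(value)]) + value.encode()       # one <character-string>
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 3600, len(rdata)) + rdata
    return header + question_section(query) + rrs


def build_refused(query: bytes) -> bytes:
    """RCODE=REFUSED with no answer: what a restricted resolver returns to
    a client it is not configured to serve."""
    return query[:2] + struct.pack("!HHHHH", 0x8000 | RCODE_REFUSED, 1, 0, 0, 0) + question_section(query)


def ip_in_nets(ip: str, nets: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


class Resolver:
    """Recursive resolver with an allow-recursion style client list
    (assumed model). allowed_clients=None is an open resolver."""

    def __init__(self, zone_txt: List[str], allowed_clients=None):
        self.zone_txt = zone_txt
        self.allowed_clients = allowed_clients

    def handle(self, src_ip: str, query: bytes) -> bytes:
        # The packet's source is whatever the attacker wrote: the victim.
        if self.allowed_clients is not None and not ip_in_nets(src_ip, self.allowed_clients):
            return build_refused(query)
        return build_answer(query, self.zone_txt)


def isp_egress_allows(src_ip: str, customer_nets: Iterable[str]) -> bool:
    """The ISP-side check from the Times quote: only let packets out whose
    source address belongs to your own customers, so the forged packet
    never reaches a resolver at all."""
    return ip_in_nets(src_ip, customer_nets)


def amplification(src_ip: str, resolver: Resolver, query: bytes) -> float:
    """Bytes landing on src_ip per byte the attacker actually sent."""
    return len(resolver.handle(src_ip, query)) / len(query)


# Constructed scenario (documentation address ranges, not real hosts).
VICTIM = "203.0.113.10"                     # stands in for Spamhaus
RESOLVER_CUSTOMERS = ["198.51.100.0/24"]    # who the resolver should serve
ATTACKER_ISP_CUSTOMERS = ["192.0.2.0/24"]   # the network the forged packet leaves
ZONE_TXT = ["v=spf1 " + "a" * 240] * 12     # a fat record set, like a real ANY answer

QUERY = build_query("example.com")
OPEN_RESOLVER = Resolver(ZONE_TXT)
CLOSED_RESOLVER = Resolver(ZONE_TXT, allowed_clients=RESOLVER_CUSTOMERS)

if __name__ == "__main__":
    print("query bytes:", len(QUERY))
    print("open resolver amplification:   %.1fx" % amplification(VICTIM, OPEN_RESOLVER, QUERY))
    print("closed resolver amplification: %.1fx" % amplification(VICTIM, CLOSED_RESOLVER, QUERY))
    print("ISP egress filter passes forged packet:", isp_egress_allows(VICTIM, ATTACKER_ISP_CUSTOMERS))
```

The 40-byte query comes back as roughly 3 KB from the open resolver, so every byte the attacker sends lands on the victim nearly 80 times over; the restricted resolver answers the same forged query with a 29-byte REFUSED, smaller than the query, so there is nothing to amplify. The same address check applied at the attacker's ISP edge (BCP 38 style source validation) drops the forged packet before it leaves, which is why Prince's fix and the Times's complaint about ISPs are two ends of the same problem.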
This article is from the archive of our partner The Wire.