Radware: Operation Blackout – get yourself prepared
March 2012 by Radware
Operation Blackout due date is approaching: Anonymous are planning to shutdown the Internet on March 31st , 2012 by attacking all thirteen DNS root servers.
DNS is a critical infrastructure of the Internet as every web transaction involves a DNS service that is provided by the internet service provider. A successful attack against DNS servers will result in halt of all Internet based services.
Anonymous Attacking Tools
In order to achieve the ambitious goal of shutting down the Internet, Anonymous is planning to use a sophisticated reflective amplified DNS flood, generated using a DNS attack tool named "ramp". "ramp" is designed to harness the processing and bandwidth resources of multiple Internet Service Providers (ISPs) as well as other corporate DNS services and to shutdown the DNS core.
Using "ramp", Anonymous advocates will flood their ISPs and other DNS servers with DNS Queries in which the source IP is spoofed and it matches the IP address of one of the DNS root servers (see step 1 in the diagram below). The ISP DNS servers will response to these malicious queries by sending the answer to the spoofed source, i.e to the DNS Root servers (step 2 in the diagram).
The amplified effect of this attack is achieved by generating DNS Reponses that are ten times larger than the original DNS Queries.
Fearing of law-enforcement agencies’ ability to track the physical source of even spoofed source attacks, Anonymous urged their follower to use the TOR anonymized network. However, since the TOR network has limited bandwidth resources, Anonymous must amplify the attack using the “ramp” tool in order to succeed in their mission.
Radware DNS DDoS Mitigation Solution
To successfully mitigate the threats discussed above, DNS attacks mitigation tools must meet very unique challenges. Radware AMS is the industry first DNS DDoS mitigation solution that meets these unique challenges:
Mitigation tools must have deep knowledge of DNS traffic behavior – Radware AMS understands DNS traffic and learns it normal behavior continually, so it immediately identifies abnormal DNS traffic. Moreover, Radware AMS analyzes every field in DNS traffic to identify abnormal packets and to create its real time signatures in high accuracy.
Mitigating high rate of DNS packets – utilizing its DoS Mitigation Engine (DME), a network processor based hardware accelerator, Radware AMS can challenge 2M DNS queries per second and to process up to 12 million packets per second of attack traffic. The attack traffic does not affect Radware AMS capabilities to handle legitimate traffic and it can handle multi-gigabit of legitimate throughput traffic under attack.
Mitigation accuracy – with unique DNS challenges and accurate analyzing of DNS traffic behavior, Radware AMS provides a very accurate distinguish between legitimate DNS traffic and attack-based DNS traffic results in minimal false positives. This enables the service provider to continue and serve its legitimate users even under severe attack.
Provide best quality of experience even under attack – Radware AMS unique architecture that is based on several hardware engines and accelerators guarantees a minimum latency to all processed traffic, and especially to the legitimate traffic. This guarantees a best quality of experience to legitimate internet users even under attack.
A detailed description of Radware’s solution for mitigating DNS attacks can be found here.
Contact Our DNS Advisory Team
ISPs and other DNS service providers should protect themselves from the planned attacks. The threat of effecting Internet services by shutting down local or national ISP DNS servers is more likely to happen than affecting the global DNS Root servers.
Radware created a 24x7 DNS advisory team to help our customers and prospects get themselves ready for Operation Blackout. This team provides a detailed explanation of the threats and how to best prepare your DNS critical infrastructure and your mitigation solutions for the coming attacks.