
Dark DDoS: hacker tools and techniques, and the challenges they pose


Has the cyber landscape changed in 2017? What are the objectives of hackers, and what are their methods? The variety of attacks in use has increased, so how can you mitigate the risk?

Hackers can have many different possible objectives. For instance, they may aim to interrupt business, corrupt data, steal information or even all of these at the same time.

To reach their goals, they continuously look for vulnerabilities and will exploit any they find. They are getting smarter and are always looking for faster and easier ways to strike.

Furthermore, their attacks are no longer designed simply to deny service but to deny security. The initial service denial attack is often used as a camouflage to mask further and potentially more sinister activities.

These include data theft, network infiltration, data exfiltration, networks being mapped for vulnerabilities, and a whole host of other potential risks.

These types of attacks are often referred to as ‘Dark DDoS’ because the initial smokescreen attack acts to distract organisations from the real breach that is taking place.

In a large proportion of recent data breaches, DDoS (distributed denial of service) attacks have occurred simultaneously as a component of a wider strategy, meaning hackers are using this technique in a significant way.

According to a report by SurfWatch Labs, DDoS attacks rose 162% in 2016. SurfWatch Labs attributes this to the increasing use of IoT devices and to the attacks on KrebsOnSecurity.com and on the domain name provider Dyn, which are believed to be some of the biggest DDoS attacks ever recorded.

Last year, France was also hit by one of the largest DDoS attacks when the hosting company OVH was targeted through 174,000 connected cameras.

Today’s hackers have developed a wide variety of DNS attacks that fall into three main categories:

Volumetric DoS attacks

An attempt to overwhelm the DNS server by flooding it with a very high number of requests from one or multiple sources, leading to degradation or unavailability of the service.

Stealth/slow drip DoS attacks

A low volume of specific DNS requests that exhausts the capacity for processing outgoing queries, leading to degradation or unavailability of the service.

Exploits

Attacks exploiting bugs and/or flaws in DNS services, the DNS protocol or the operating systems running DNS services.

Often DNS threats are geared towards a specific DNS function (cache, recursive & authoritative), with precise damage objectives.

This aspect must be integrated into the DNS security strategy to build a defence-in-depth solution that ensures comprehensive protection against attacks.

The list below of the most common attacks aims to emphasise the diversity of the threats and to show the extent of the attack surface:

Volumetric attacks

Direct DNS attacks

Flooding of DNS servers with direct requests, causing saturation of the cache, recursion or authoritative functions. This attack is usually sent from a spoofed IP address.

DNS amplification

DNS requests that generate an amplified response, used to overwhelm the victim’s servers with very large volumes of traffic.

DNS reflection

Attacks using numerous distributed open resolvers on the Internet to flood the victim’s authoritative servers (usually combined with amplification attacks).

Flooding of DNS servers with requests for non-existent domains, causing saturation of the recursive function.

Stealth/slow drip DoS attacks

Sloth domain attacks

Attacks using queries sent to the hacker’s authoritative domain, which answers requests very slowly, just before the timeout, in order to exhaust the victim’s recursive server capacity.

Phantom domain attack

Attacks targeting DNS resolvers by sending them queries for sub-domains whose domain server is unreachable, causing saturation of the cache server’s capacity.

Random subdomain attack (RQName)

Attacks using random query names, causing saturation of the victim’s authoritative domain and recursive server capacity.

Exploits

Zero-Day vulnerability

Zero-day attacks take advantage of DNS security holes for which no solution is currently available.

DNS-based exploits

Attacks exploiting bugs and/or flaws in DNS services, the DNS protocol or the operating systems running DNS services.

DNS tunnelling

The DNS protocol is used to encapsulate data in order to remotely control malware and/or exfiltrate data.

Protocol anomalies

DNS attacks based on malformed queries, intended to crash the service.

DNS cache poisoning

Attacks introducing data into a DNS resolver’s cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker’s computer.
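As an added illustration (not from the original article), the Python script below runs two simple resolver-log heuristics for the random subdomain/NXDOMAIN flood and DNS tunnelling items above: a per-client NXDOMAIN ratio combined with many distinct names under one parent domain, and unusually long, high-entropy leftmost labels. The log format and sample lines are constructed, and treating the last two labels as the "parent domain" is a simplification (a real deployment would consult the public suffix list).

```python
import math
from collections import Counter, defaultdict
# Constructed sample resolver log, hypothetical format: "<time> <client> <qname> <rcode>".
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com NOERROR
12:00:02 10.0.0.9 a8f3k2q9x1.victim.example NXDOMAIN
12:00:02 10.0.0.9 zz91kq0pl3.victim.example NXDOMAIN
12:00:02 10.0.0.9 p0o9i8u7y6.victim.example NXDOMAIN
12:00:03 10.0.0.9 m3n4b5v6c7.victim.example NXDOMAIN
12:00:04 10.0.0.7 4d6a9f1e2b3c8e7f0a1b2c3d4e5f6a7b8c9d0e1f.tun.example NOERROR
12:00:04 10.0.0.7 5e7b0a2f3c4d9f8a1b2c3d4e5f6a7b8c9d0e1f2a.tun.example NOERROR
"""

def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def parse_log(text):
    """Return (client, qname, rcode) tuples, skipping blank or malformed lines."""
    rows = [line.split() for line in text.splitlines()]
    return [(p[1], p[2].lower().rstrip("."), p[3]) for p in rows if len(p) == 4]

def analyse(records, min_queries=4, nx_ratio=0.5, min_unique_subs=4,
            tunnel_label_len=30, tunnel_entropy=3.5):
    """Map each client to the heuristics it triggered; clients with none are omitted."""
    per_client = defaultdict(list)
    for client, qname, rcode in records:
        per_client[client].append((qname, rcode))
    findings = {}
    for client, queries in per_client.items():
        hits = []
        nx = sum(1 for _, rcode in queries if rcode == "NXDOMAIN")
        subs = defaultdict(set)  # parent domain -> distinct leftmost labels
        for qname, _ in queries:
            labels = qname.split(".")
            if len(labels) >= 3:  # simplification: parent = last two labels
                subs[".".join(labels[-2:])].add(labels[0])
        # Random subdomain attack: mostly NXDOMAIN, many unique names under one parent.
        if (len(queries) >= min_queries and nx / len(queries) >= nx_ratio
                and any(len(s) >= min_unique_subs for s in subs.values())):
            hits.append("random-subdomain / NXDOMAIN flood")
        # Tunnelling: a leftmost label that is unusually long and close to random.
        if any(len(q.split(".")[0]) >= tunnel_label_len
               and shannon_entropy(q.split(".")[0]) >= tunnel_entropy for q, _ in queries):
            hits.append("possible DNS tunnelling")
        if hits:
            findings[client] = hits
    return findings
```

Calling `analyse(parse_log(SAMPLE_LOG))` flags 10.0.0.9 for the random subdomain pattern and 10.0.0.7 for possible tunnelling, while the benign 10.0.0.5 client is not reported; the thresholds are starting points to tune against a baseline of normal traffic.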

The DNS security landscape is continuously moving, and DNS attacks are becoming more and more sophisticated, combining multiple attack vectors at the same time.

Today’s DDoS attacks are almost unrecognisable from the simple volumetric attacks that gave the technique its name. In 2017, they have the power to wreak significant damage, as all those affected by the Dyn breach last year will testify; they are far more sophisticated, deceptive and frequent.

To keep ahead of these threats, today’s security solutions must continuously protect against whole families of attacks, rather than against a limited list of predefined attacks that must be frequently updated or tuned.

