Open recursive DNS servers are increasingly being used in DNS amplification attacks, an effective form of distributed denial of service (DDoS) attack.
The problem usually lies in the misconfiguration of these servers, which allows an attacker to send a DNS name lookup request to the server with the source address spoofed to be the victim's address. When the DNS server sends its response, the (much larger) DNS record goes to the victim instead of the attacker. Large numbers of such requests sent by bots can produce an enormous volume of traffic with very little effort on the attacker's part.
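The pattern described above is visible on the resolver side: a spoofed victim address shows up as a "client" that sends a flood of identical, response-heavy queries (typically ANY) it never actually issued. The following detection script is an added example for this article, not code from the page or from any product it mentions; it parses constructed, BIND-style query log lines (sample data, not real traffic) and flags client addresses whose query mix looks like reflection. The field names, thresholds and the `(192.0.2.53)` resolver address are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a BIND query log (not real data).
# Six identical ANY queries from one "client" using a fixed source port, plus
# two ordinary lookups from a different host with random source ports.
SAMPLE_LOG = "\n".join(
    [
        "12-Oct-2012 10:00:01.%03d client 203.0.113.7#53: query: example.net IN ANY +E (192.0.2.53)" % i
        for i in range(6)
    ]
    + [
        "12-Oct-2012 10:00:02.000 client 198.51.100.9#41220: query: www.example.org IN A + (192.0.2.53)",
        "12-Oct-2012 10:00:02.500 client 198.51.100.9#50711: query: mail.example.org IN MX + (192.0.2.53)",
    ]
)

# Extract client IP, source port, queried name and record type from one log line.
LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<type>\S+)"
)


def parse_query_log(log):
    """Yield (client_ip, source_port, name, qtype) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("port")), m.group("name"), m.group("type")


def find_reflection_candidates(log, min_queries=5, min_any_fraction=0.8):
    """Return {client_ip: summary} for clients whose traffic looks like reflection.

    Heuristics (assumed thresholds): at least `min_queries` queries, of which
    `min_any_fraction` or more are ANY lookups. A single source port across all
    queries is reported too, since a real stub resolver randomises its ports.
    """
    totals = Counter()
    any_counts = Counter()
    names = defaultdict(Counter)
    ports = defaultdict(set)

    for ip, port, name, qtype in parse_query_log(log):
        totals[ip] += 1
        if qtype == "ANY":
            any_counts[ip] += 1
        names[ip][name] += 1
        ports[ip].add(port)

    suspects = {}
    for ip, total in totals.items():
        if total < min_queries:
            continue
        any_fraction = any_counts[ip] / total
        if any_fraction < min_any_fraction:
            continue
        top_name, _ = names[ip].most_common(1)[0]
        suspects[ip] = {
            "queries": total,
            "any_fraction": round(any_fraction, 2),
            "name": top_name,
            "fixed_source_port": len(ports[ip]) == 1,
        }
    return suspects


if __name__ == "__main__":
    for ip, info in find_reflection_candidates(SAMPLE_LOG).items():
        print(f"possible reflection target {ip}: {info}")
```

A flagged address is the likely victim, not the attacker, so the useful response is to stop answering recursive queries for arbitrary clients (or rate-limit responses), not to block the address. Real deployments would feed the function from the resolver's actual query log rather than the embedded sample.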
After US-CERT issued a warning about this type of attack, many administrators jumped into action and reconfigured their servers to prevent it. That has not stopped attackers, though.
While going through underground forums used by cyber criminals to buy and sell stolen information and tools for performing a variety of cyber crimes, Webroot’s Dancho Danchev came across a C&C PHP script capable of integrating multiple compromised servers for the purpose of launching DDoS attacks.
“Currently, the PHP script supports four types of DDoS attack tactics, namely DNS amplification, spoofed SYN, spoofed UDP, and HTTP+proxy support. The script also acts as a centralized command and control management interface for all the servers where it has been (secretly) installed on,” Danchev said.
Its current price is $800, but it is likely to sell for more in the future, as it is still in the early stages of development.
Danchev is not aware of the script having been used yet, but said it should soon hit the street.