Google's Shield Learnings
You may remember Google was in the news not too long ago because its Malaysian site had been hit with a DNS cache-poisoning attack. It came as a big surprise to everyone. One of the threat-research vendors that I was talking to remarked that the Google site hack did come in from one of his company’s sources, but he and his colleagues expected it to be fixed by Google before it got noticed publicly.
In fact, he went as far as saying there are some short-lived attacks on some major companies that his organization chooses not to report and include in their research deliverables because they get fixed before anyone even notices them.
But not this time.
Pictures of the splash screens that the hackers, calling themselves “Team Madleets,” swapped in for Google’s pages were all over Twitter, and the defaced pages stayed up for a significant time.
That is the difference between DNS-based attacks and other types: DNS information, once corrupted, takes hours or even days to repair, because the poisoned records linger in resolver caches until their TTLs expire. It’s surprising to see how this old trick works again and again. The New York Times, Twitter, and Google Malaysia have all fallen prey to it. Some of these attacks are inspired by political agendas and do not discriminate between individual activist blogs and more public entities like Twitter.
DDoS attacks make things even more interesting. Access to rented botnets, combined with the DNS protocol’s ability to amplify traffic, makes DNS an even more attractive target. Yesterday, Google launched a new anti-DDoS service called “Project Shield.” They said this about it:
“The biggest focus has been on DDoS attacks, a kind of brute-force action that can easily take down a small site without leaving any clues as to the culprits. DDoS has been a persistent problem for small-scale activists on the web, but Google's new Project Shield would aim to fix that, offering free DDoS mitigation services to sites serving ‘media, elections, and human rights related content.’”
It reminded me of several incidents where a security researcher’s private blog was hacked or hit with a DDoS attack and it took many days or weeks for it to come back. And therein lies the complexity: we depend on core infrastructure that we choose to trust. The effort required to address something so pervasive has to be spread across many different levels, where everyone does their bit.
The most interesting part of this Google initiative is the digital map of real-time attack traffic data found here. It’s amazing to see how the global attack traffic is pictorially depicted with these graphs. As I watched the attacks play out, I saw the port 53 (DNS) attacks identified.
Maybe our bit in this scary battle against the dark side of the force is securing DNS infrastructure and offering best practices for configuring it.
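Since the post touches on both DNS amplification and the case for hardening DNS infrastructure, here is an added example (mine, not part of the original post, and nothing to do with Google's Project Shield or its attack map) of the kind of check a resolver operator can run over a summary of their own traffic. It pairs each answered query with the size of the response and computes, per source address, how many bytes the resolver sent for every byte it received. The `DnsExchange` records, the addresses and the thresholds are all constructed for illustration.

```python
"""Flag DNS amplification abuse in a resolver's traffic summary.

Added example, not code from the original post. Each DnsExchange pairs a
query the resolver answered with the size of the response it sent back;
the SAMPLE records are constructed for illustration, and in practice they
would come from flow exports or resolver logs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsExchange:
    src_ip: str          # client address as seen by the resolver; in an
                         # amplification attack this is the spoofed victim
    qname: str
    qtype: str           # ANY and TXT answers tend to be large
    query_bytes: int     # UDP payload size of the query
    response_bytes: int  # UDP payload size of the response


# Constructed sample: one ordinary client and one address that a botnet is
# spoofing so that oversized answers are bounced off this resolver at it.
SAMPLE = [
    DnsExchange("198.51.100.7", "www.example.com", "A", 45, 61),
    DnsExchange("198.51.100.7", "mail.example.com", "MX", 48, 112),
    DnsExchange("203.0.113.9", "example.net", "ANY", 40, 3100),
    DnsExchange("203.0.113.9", "example.net", "ANY", 40, 3100),
    DnsExchange("203.0.113.9", "example.net", "ANY", 40, 3100),
    DnsExchange("203.0.113.9", "example.org", "TXT", 42, 2800),
]


def amplification_by_source(exchanges):
    """Return {src_ip: (query_count, bytes_out / bytes_in)} per source.

    The ratio is the amplification factor the resolver delivered to that
    address: how many bytes it sent for every byte it received.
    """
    queries = defaultdict(int)
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for ex in exchanges:
        queries[ex.src_ip] += 1
        bytes_in[ex.src_ip] += ex.query_bytes
        bytes_out[ex.src_ip] += ex.response_bytes
    return {
        ip: (queries[ip], bytes_out[ip] / bytes_in[ip])
        for ip in queries
    }


def flag_amplification(exchanges, min_queries=3, min_ratio=10.0):
    """Sources that received many answers far larger than their queries.

    Thresholds are illustrative. A flagged address is the target being
    flooded, not the attacker: the fix belongs on the resolver (recursion
    limited to its own clients, response rate limiting), not in blocking it.
    """
    stats = amplification_by_source(exchanges)
    return sorted(
        ip for ip, (count, ratio) in stats.items()
        if count >= min_queries and ratio >= min_ratio
    )


if __name__ == "__main__":
    for ip, (count, ratio) in sorted(amplification_by_source(SAMPLE).items()):
        print(f"{ip:15} queries={count:3d} amplification={ratio:6.1f}x")
    print("suspected reflection targets:", flag_amplification(SAMPLE))
```

Running it prints a per-source amplification factor and flags 203.0.113.9, which in this scenario is the spoofed victim rather than the attacker. The lasting fix is configuration rather than blocking: a resolver should only recurse for its own clients and should rate-limit its responses, so that it cannot be borrowed as an amplifier in the first place.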