FortiDDoS Launches Support for FortiGuard Domain Reputation Service for IoT and Botnet Based DDoS Attack Mitigation

CSPs and Proliferation of DNS Based DDoS Attacks

DNS is used in over 91% of malware communication today (vs. direct IP) in order to contact Command & Control (C&C) servers. Phishing attacks that distribute malware also depend heavily on DNS. And recent cases of ransomware attacks, such as last year’s massive Mirai attack that caught the world by surprise, are perfect examples of where DNS is used for this communication.

Mirai means “The Future” in Japanese and started as a technology research source code that was made available to the public. Nothing malicious. However, in the hands of a crafty coder, it was weaponized. What made Mirai so lethal is the combination of the three factors shown below.

As a result, the speed and proliferation of Mirai was unprecedented. It used DNS to connect with its Command and Control (C&C) servers and launch its large-scale DDoS attacks. If such large-scale DDoS attacks have to be thwarted, one approach is to disrupt the communication between the botnet and the C&C servers. If the IoT-based botnet cannot communicate with its C&C servers, a critical avenue of its DDoS attacks can be blocked.Because so many IoT devices are headless or void of self-contained intelligence, they make easy take-over targets. And the scale of IoT networks makes them perfect for a botnet.

The map below shows the geo-locations of the CSPs (communication service providers) affected by Mirai. It is safe to say that its impact was global, affecting anywhere there were communication infrastructures. As the owners of communication infrastructures, CSPs need to protect their networks, as well as those of business and consumer subscribers from emerging threats such as IoT-based DDoS attacks.

A case in point is Dyn; a company that provides managed Domain Name Services (DNS). (DNS is essentially the phone book that maps organization internet domain names to the corresponding cryptic Internet Protocol (IP) address. Dyn is famous because it is one of the largest, fastest, and most resilient DNS networks in the world. And yet Mirai brought down Dyn’s Managed Domain Name Services (DNS) resulting in Internet users being unable to reach many of its DNS customers, including such Internet stalwarts as PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify. The message is clear – IoT DDoS attacks carry a massive and real cost.

The Mirai DDoS Botnets targeted DNS in order to connect to its Command and Control (C&C) servers and launch its large-scale DDoS attacks. One approach to thwarting such large-scale DDoS attacks is to disrupt the communication between the botnet and the C&C servers. If the IoT-based botnet cannot communicate with its C&C servers, a critical avenue of its DDoS attacks can be blocked.

Communication Service Providers (CSPs) need to protect their networks, as well as those of business and consumer subscribers, from threats such as IoT-based DDoS attacks. Which is why a DNS-based security layer is an important additional security layer to defend against these emerging attacks,

Details of C&C Structure and DNS Resolution

As shown in the diagram above, during the Dyn attack the C&C domain would change its address in order to segment the botnet. To do this, the botmaster simply changed the return address. They could then use the same domain to create and operate multiple separate botnets simultaneously. New bots would connect to the new address, while older bots continued to communicate with the previously labeled server.

FortiGuard Domain Reputation Service

The FortiDDoS appliance has patented firmware designed to repel large scale DDoS attacks on DNS servers.

In addition to its existing features for DNS based DDoS attack mitigation, the DDoS appliances now also support the newly launched FortiGuard Domain Reputation Service.

With over one million domains identified and updated daily, the FortiGuard Domain Reputation Service maintains a database of suspect domains. Licensed FortiDDoS appliances query this service and download this list daily.

When a DNS resolver is protected via FortiDDoS, the FortiDDoS appliance transparently observes each and every DNS query and related response packets crossing over it. If a query is made to any of the suspect domains in the list, the query is simply not forwarded to the resolver and is not responded to. The client eventually times out.

Additionally, the administrator of the FortiDDoS appliances can manually upload a list of domains that must be blocked. This list can also be of the order of a million domains, and is expected to be sufficient for current generation of requirements.

As a result, any client making queries to these domains cannot reach the C&C servers and participate in their DDoS attacks.

Deployment Examples for CSPs

As shown in the figure above, the FortiDDoS appliance is deployed in front of a CSP’s open DNS resolver. FortiDDoS’s ability to restrict DNS queries to only the CSP’s own subscribers’ subnets can be used to filter and drop queries that are not from its own subscriber base. Additionally, if a client within the subscriber base makes a DNS query for a suspect domain due to a botnet infection, such as to reach a C&C server, the FortiDDoS appliance will simply drop the query due to that IP being in the Domain Reputation Service’s suspect list. The rest of the DNS communication with DNS authoritative and recursive servers on the Internet and its own subscribers will continue to work as desired.

Conclusion

The FortiGuard Domain Reputation Service License for FortiDDoS is yet further ammunition to use against the growing threat of the IoT and botnet attacks, which are easier than ever to launch due to proliferation of open source code for such attacks, and growing availability of vulnerable devices.