Rate limiting on DNS servers protected a state-level voter registration and information website from a monthlong DDoS attack that prompted the FBI to issue a Private Industry Notification (PIN).
“The FBI received reporting indicating a state-level voter registration and voter information website received anomalous Domain Name System (DNS) server requests consistent with a Pseudo Random Subdomain (PRSD) attack,” a BleepingComputer report cited the notice as saying.
The agency said that DNS requests occurred every two hours or so over at least a month “with request frequency peaking around 200,000 DNS requests during a period of time when less than 15,000 requests were typical for the targeted website.”
The DNS requests came from source IP addresses that belonged to recursive DNS servers, which obfuscated “the originating host(s) or attacker, and were largely for non-existent subdomains of the targeted website,” the warning said, noting that in a three-minute window in one sample “24 IP addresses used by recursive DNS servers made 2,121 DNS requests.”
One small sample showed “roughly 1,020 requests for unique subdomains, of which 956 were single requests for non-existent subdomains which appeared to be randomly generated,” the agency explained.
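The pattern in the notice (many resolvers, mostly one-off lookups of non-existent, random-looking subdomains) can be turned into a detection over authoritative-server query logs. The sketch below is an added example, not code from the FBI notice or this article; the zone name, log line format, thresholds and sample data are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

ZONE = "vote.example"  # constructed placeholder zone, not from the notice
WINDOW = 180           # seconds: the three-minute sample size the notice cites

def entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def prsd_windows(lines, zone=ZONE, window=WINDOW, min_queries=8,
                 min_ratio=0.8, min_entropy=3.0):
    """Flag windows dominated by one-off NXDOMAIN lookups of random-looking names.
    Assumed log format: "<epoch> <resolver_ip> <qname> <rcode>".
    Thresholds are illustrative and need tuning against a real baseline.
    """
    buckets = defaultdict(list)
    for line in lines:
        ts, src, qname, rcode = line.split()
        qname = qname.rstrip(".").lower()
        if qname.endswith("." + zone):
            sub = qname[: -len(zone) - 1]
            buckets[int(ts) // window * window].append((src, sub, rcode))
    alerts = []
    for start, rows in sorted(buckets.items()):
        if len(rows) < min_queries:
            continue
        per_name = Counter(sub for _, sub, _ in rows)
        singles = {s for _, s, rc in rows if rc == "NXDOMAIN" and per_name[s] == 1}
        if not singles:
            continue
        ratio = len(singles) / len(per_name)  # share of names seen once and NXDOMAIN
        mean_h = sum(entropy(s.split(".")[0]) for s in singles) / len(singles)
        if ratio >= min_ratio and mean_h >= min_entropy:
            alerts.append({"start": start, "queries": len(rows),
                           "unique": len(per_name), "nx_singletons": len(singles),
                           "resolvers": len({src for src, s, _ in rows if s in singles})})
    return alerts

# Constructed sample: a quiet window, then a burst relayed by three resolvers.
RANDOM = ("q7xk2vbd9m zr4hw8ngt1 m3pj6yc0ua k9dfx5sle2 b1wq8tz7ho "
          "y6nv3gja4r u2ec9mk5xp h8sl0db7wf t5go1zq3iy").split()
SAMPLE = [f"{1579999860 + 20 * i} 192.0.2.10 {n}.{ZONE} NOERROR"
          for i, n in enumerate(["www", "register"] * 4)]
SAMPLE += [f"{1580000040 + 15 * i} 198.51.100.{i % 3 + 1} {r}.{ZONE} NXDOMAIN"
           for i, r in enumerate(RANDOM)]
SAMPLE.append(f"1580000200 192.0.2.10 www.{ZONE} NOERROR")
```

Calling `prsd_windows(SAMPLE)` returns one alert for the burst window and none for the quiet one. Because the source addresses are recursive resolvers rather than the originating hosts, the resolver count helps size rate limits but does not identify the attacker.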
DDoS “attacks still remain a popular attack vector for criminals against organizations to remove the availability of their internet access and thus preventing people the ability to access their website. Since UDP is a connectionless protocol, it can easily be spoofed, which makes it an easy attack vector against the websites,” James McQuiggan, security awareness advocate at KnowBe4, said, explaining that the FBI recommendations in the PIN, which include implementing an incident response plan and enabling automated patches where possible, “are a good start for every organization to implement to protect against” DDoS attacks.
“I would expect that this type of attack is going to increase over time as the political scene ramps up over this coming year,” said Jason Kent, hacker in residence at Cequence Security. “I think the most important thing to understand is why the attack is happening. Political motivation is a generalization, is someone trying to destabilize or prevent our political system from working? Who benefits from this? I would really like to follow the money and see what the actual motivation is.”