The new DOS attacks first emerged in late December and kicked into high gear in January, before dying down four weeks ago, said Ken Silva, VeriSign's chief security officer. In less than two months, 1,500 separate Internet Protocol addresses were attacked using this method, he noted.
"These attacks have been significantly larger than anything we've seen," he said.
Under a more common DOS attack, a network of bots, or compromised PCs commandeered by remote attackers, directly inundates a victim's Web server, name server or mail server with a multitude of queries. The goal of a DOS attack is to crash the victim's system, as it tries to respond to the requests.
But in this latest spate of DOS attacks, bots are sending queries to DNS (domain name system) servers with the return address pointed at the targeted victim. As a result, the DNS server, rather than the bot, makes the direct attack on the victim. The net result is a stronger attack and an increased difficulty in stopping it, Silva said.
While it is possible to stop a bot-delivered DOS attack by blocking the bot's IP address, blocking queries from DNS servers would prove more difficult, Silva said. He noted that companies could reconfigure their DNS servers to prevent the so-called recursive name service feature, as a possible solution. But he added that companies may be loath to prevent potential customers, partners, researchers and others from sending queries to their DNS.
