The fixed Internet access service provided by SFR and Bouygues Telecom was unavailable for several hours last week after the DNS (Domain Name System) servers of several operators were affected. "DNS servers are used by all companies. It's a bit like a telephone directory. They translate the domain name of a website into an IP address to talk to it. So they have a key role as gatekeepers. They are often among the top 3 critical applications for ISPs," explains Ronan David, head of strategy at Efficient IP.
The inability to connect that most SFR and Bouygues Telecom customers experienced last Tuesday results from the fact that a subscriber uses the operator's DNS servers by default when signing up for its fixed Internet access service. Those customers could, however, have reached other DNS servers by changing the network settings of their box, because DNS servers always answer whoever queries them. And this is their weakness. "Since they are by definition very open, they are also very vulnerable. They are therefore prime targets for hackers," says Ronan David.
This type of attack is common against ISPs, but SFR and Bouygues Telecom consider this one particularly virulent. According to the Dutch DDoS protection organization NBIP, the DDoS (distributed denial of service) attack also affected other ISPs in Belgium and the Netherlands. It recorded peaks of nearly 300 Gbit/s, a level well above the average. Ronan David confirms, "The volume of 89% of DDoS DNS attacks is below 50 Gbit/s. Here, it was up to 300 Gbit/s, six times more than usual. This is completely atypical."
A reflection attack is one example. "In the case of a DDoS-type DNS attack by amplification, there is one target, the DNS server, and then there is reflection, which means that other DNS servers are used to amplify the attacks and overwhelm the target server with requests so that it is no longer available," explains Ronan David.
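To make the amplification mechanism concrete from the resolver operator's side, here is an added example that is not part of the 01net article and not code from Efficient IP or either operator. It parses a constructed, simplified query-log format (client IP, query name, query type, request bytes, response bytes; the format and all addresses are assumptions), computes how many bytes the resolver sends back per byte it receives, and flags sources that are receiving many answers an order of magnitude larger than their questions. In a reflection attack that "client" address is the spoofed victim, so this is the footprint a defender would look for before rate-limiting or closing recursion.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample resolver log (not real SFR/Bouygues data).
# Line format (assumed): <client_ip> <qname> <qtype> <request_bytes> <response_bytes>
SAMPLE_LOG = "\n".join(
    # 20 identical ANY queries "from" one address: small question, large answer.
    ["203.0.113.7 example.net ANY 64 3142"] * 20
    # Ordinary browsing from another subscriber: answers barely larger than questions.
    + [
        "198.51.100.4 www.example.org A 58 90",
        "198.51.100.4 mail.example.org MX 60 120",
        "198.51.100.4 www.example.org AAAA 58 102",
    ]
)


@dataclass
class ClientStats:
    queries: int = 0
    request_bytes: int = 0
    response_bytes: int = 0
    qtypes: dict = field(default_factory=lambda: defaultdict(int))

    @property
    def amplification(self) -> float:
        # Bytes sent back per byte received: the gain an attacker obtains
        # when the source address on the requests is spoofed.
        if self.request_bytes == 0:
            return 0.0
        return self.response_bytes / self.request_bytes


def parse_log(text: str) -> list:
    """Parse the assumed log format into (client, qname, qtype, req, resp) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qname, qtype, req, resp = line.split()
        records.append((client, qname, qtype, int(req), int(resp)))
    return records


def summarize(records) -> dict:
    """Aggregate byte counts and query types per client address."""
    stats = defaultdict(ClientStats)
    for client, _qname, qtype, req, resp in records:
        s = stats[client]
        s.queries += 1
        s.request_bytes += req
        s.response_bytes += resp
        s.qtypes[qtype] += 1
    return dict(stats)


def flag_reflection(stats: dict, min_queries: int = 10, min_amplification: float = 10.0) -> list:
    """Return client addresses that look like reflection victims.

    Thresholds are illustrative: many queries whose answers are at least
    ten times larger than the questions is the classic amplification pattern.
    """
    flagged = [
        client
        for client, s in stats.items()
        if s.queries >= min_queries and s.amplification >= min_amplification
    ]
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for client, s in stats.items():
        print(f"{client}: {s.queries} queries, amplification x{s.amplification:.1f}, "
              f"types={dict(s.qtypes)}")
    print("suspected reflection victims:", flag_reflection(stats))
```

On the constructed sample the ANY source shows an amplification factor around 49, while the ordinary subscriber stays below 2, so only the former is flagged. The same summary is what a resolver operator would feed into response-rate limiting or a decision to restrict recursion to its own customers, which removes the "open to everyone" property the article identifies as the weakness.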
Were other ISPs' DNS servers used to amplify the attack? Were SFR and Bouygues Telecom specifically targeted, or was their failure collateral damage from a larger operation? That remains a mystery, but the latter prospect would be daunting for all operators.
Another enigma remains to be solved: who are the attackers? Several hypotheses can be put forward. It could be a criminal gang... unless the objective was political: to test communications and bring down an Internet gateway. In that case, it could be hostile foreign powers.
Source: 01net