DDoS Protection , Security Operations

FBI Reportedly Says DDoS Attack Targeted Voter Registration

State Voter Registration Website Repeatedly Targeted

(Source: Luke Peters via Flickr/CC)

The FBI reportedly warned this week that attackers repeatedly attempted to disrupt a state's voter registration and information website with a distributed denial-of-service attack.

See Also: Move Beyond Passwords

On Tuesday, the FBI issued a Private Industry Notification that described the attempted DDoS attack, according to Bleeping Computer, which says it obtained a copy of the alert.

The hackers used a pseudo random subdomain attack, which attempts to flood the DNS server with large amounts of queries against a list of non-existing subdomains, which can then shut the site down, the FBI alert states, according to the news report.

The unsuccessful attacks happened over the course of a month, bombarded the site with malicious traffic in intervals in an attempt to overwhelm the DNS server and shut down the website, according to the FBI alert.

The FBI says that the state voter registration website was not affected by the DDoS siege due to properly set up rate-limiting on the target's DNS servers, Bleeping Computer reports. The affected state was not named by FBI.

Agency Warnings

Federal agencies, including the U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency have warned that attackers are more frequently targeting and hijacking DNS servers to cause disruptions (see: DHS Issues More Urgent Warning on DNS Hijacking).

In June, for example, DHS warned that attackers associated with Iran may attempt to modifying DNS records, which would then allow for a range of attacks, including collecting account credentials and redirecting email traffic.

On Wednesday, an FBI spokesperson declined to comment on specifics but told ISMG: "In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals."

Heavy Traffic

In the case the FBI describes, the DDoS attack attempted to overwhelm the unnamed targeted website with much more traffic than the DNS server is used to handling in a given time period, according to the report.

"The requests occurred over the course of at least one month in intervals of approximately two hours, with request frequency peaking around 200,000 DNS requests during a period of time when less than 15,000 requests were typical for the targeted website," the FBI warning states, according by Bleeping Computer.

These pseudo random subdomain attacks seen in recent years can cause sudden bursts of traffic - sometimes as much as 15 percent of all DNS query traffic in a given time - in order to overwhelm the server and shut down a site, according to security firm Akamai.

"Pseudo random subdomain attacks are particularly nasty in the sense that they're designed to starve the recursive DNS servers in recursive contexts, rendering them unusable to legitimate users," according to the Akamai report.

Jason Kent, a hacker-in-residence at security firm Cequence Security, says that this type of DDoS attack uses the traffic queries sent to fictitious subdomains to overwhelm the website or service that is targeted.

"In this attack, many such requests are generated, but instead they ask for a random subdomain - 123456789ASDFJKL.example.com - for instance," Kent tells Information Security Media Group. "The servers then are tied up trying to ask upstream if anyone knows where this site is. Do it enough times - think 1,000 times per second - for a long time and eventually the server is starved of memory and stops processing."

On its website, the U.S. Cybersecurity and Infrastructure Security Agency offers some advice on how to mitigate the risks posed by types of attack, including:

Installing and maintaining anti-virus software;

Installing a firewall and configuring it to restrict traffic coming into and leaving the network;

Ensuring that access to certain data or parts of the network are limited to trusted employees and developing ways to limit unwanted traffic for outside the network.

Sending a Message

Tom Kellermann, the head of cybersecurity strategy at VMware who formerly served on the Commission on Cyber Security for the 44th President, tells ISMG that the timing of the FBI warning is meant to send a message to state officials and voters about cybersecurity.

"Americans are focused on the primaries, and thus the FBI is trying to build awareness as to the threat posed to electoral systems," Kellermann says.

Monday's Iowa Democratic presidential caucuses were marred when an app used by the state Democratic party malfunctioned due to coding issues, which increased concerns over the role technology will play during the election cycle (see: The Iowa Caucus: No Hacking, But a Bungled Risk Matrix).