
Healthcare websites are being attacked with fake requests

These attacks are flooding targeted networks and servers and threatening to shut sites down, rendering them inaccessible to clients.

Jeff Lagasse, Editor


The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to healthcare organizations, saying a flood of distributed denial-of-service (DDoS) attacks could shut down their websites.

A "trusted third party" shared information with HC3 about the DDoS attacks, which have been tracked since November. According to the alert, the attacks flood targeted networks and servers with bogus Domain Name System (DNS) queries for domains that do not exist (NXDOMAINs).

WHAT'S THE IMPACT

A DNS NXDOMAIN flood is one of several denial-of-service techniques that target the DNS, HC3 said. The attacker's aim is to overwhelm a DNS server with a high volume of queries for names that do not exist or are otherwise invalid.

In this type of DDoS, the DNS server spends its time trying to locate names that do not exist instead of answering legitimate queries. As the volume of bogus queries rises, the server slows down and legitimate queries go unanswered. Legitimate clients retrying their lookups then add to the load.

In most cases, both the DNS proxy (the recursive resolver) and the authoritative DNS server end up spending their time on these bad requests, according to HC3. A successful attack drives up resource use on the server and fills its cache with NXDOMAIN replies, which can slow or completely prevent an authorized user from reaching a website or service.
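The signature HC3 describes, one source producing many never-repeated nonexistent names under a single zone, is what separates a flood from an ordinary client retrying a typo. The script below is an added example for this article, not code from HC3 or from the healthcare organizations involved. It assumes a constructed, simplified resolver log format (one response per line: timestamp, client IP, query name, response code) and generates synthetic sample traffic in build_sample_log(); the thresholds (20 NXDOMAINs in a 60-second window, 80 per cent of them distinct names) are illustrative choices, not HC3 recommendations.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed sample resolver log (synthetic, not captured traffic).

    One line per response: <unix_ts> <client_ip> <qname> <rcode>.
    192.0.2.10 is an ordinary client retrying one typo; 198.51.100.7 is a
    flood source asking for dozens of distinct never-existing labels under
    a single zone, the pattern HC3 describes.
    """
    lines = []
    for i in range(5):
        lines.append(f"{1700000000 + i} 192.0.2.10 www.victim-hospital.example NOERROR")
        lines.append(f"{1700000000 + i} 192.0.2.10 wwww.victim-hospital.example NXDOMAIN")
    for i in range(40):
        lines.append(f"{1700000000 + i % 10} 198.51.100.7 q{i:04x}.victim-hospital.example NXDOMAIN")
    return "\n".join(lines)


def parse_line(line):
    """Split one log line of the assumed format into typed fields."""
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.lower().rstrip("."), rcode


def apex_of(qname, depth=2):
    """Zone under which the random labels sit (assumes a two-label apex)."""
    return ".".join(qname.split(".")[-depth:])


def find_nxdomain_floods(log_text, window=60, min_nx=20, min_unique_ratio=0.8):
    """Return (client, apex, nxdomain_count, distinct_names) for every
    client/zone pair that, within a sliding window of `window` seconds,
    drew at least `min_nx` NXDOMAIN responses of which at least
    `min_unique_ratio` were for distinct names.

    Repeats of the same bad name (typos, retries) have a low distinct-name
    ratio and are deliberately not flagged; a random-subdomain flood has a
    ratio near 1.0.
    """
    events = defaultdict(list)  # (client, apex) -> [(ts, qname), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            events[(client, apex_of(qname))].append((ts, qname))

    alerts = []
    for (client, apex), rows in events.items():
        rows.sort()
        start, best_n, best_unique = 0, 0, 0
        for end in range(len(rows)):
            # advance the window start until it spans at most `window` seconds
            while rows[end][0] - rows[start][0] > window:
                start += 1
            n = end - start + 1
            if n > best_n:
                best_n = n
                best_unique = len({q for _, q in rows[start:end + 1]})
        if best_n >= min_nx and best_unique / best_n >= min_unique_ratio:
            alerts.append((client, apex, best_n, best_unique))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_nxdomain_floods(build_sample_log()):
        print("NXDOMAIN flood: client=%s zone=%s nxdomain=%d distinct_names=%d" % alert)
```

Keying the counters on the client and the zone apex, rather than on the client alone, is what lets the check distinguish a flood against one hospital zone from a busy but legitimate forwarder that sees scattered NXDOMAINs across many zones.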

Like other DDoS attacks, these are carried out by large botnets, which can consist of thousands of compromised devices located worldwide, making this type of DNS attack difficult to detect and block. As a result, NXDOMAIN DDoS attacks can negatively affect network providers, website owners, and end users or customers, HC3 said.

If network providers can't control or mitigate the attack, it may lead to their customers being unable to access their websites and services, the report found. 

THE LARGER TREND

HC3 encourages organizations to be cautious when blocking IP addresses, because doing so can cut legitimate users off from public services. According to HC3, several mitigations and recommended actions are available for DNS NXDOMAIN flood DDoS attacks.

They include blackhole routing or filtering suspected domains and servers; implementing DNS Response Rate Limiting (RRL); blocking requests from an offending client's IP address for a configurable period of time; ensuring that cache refresh takes place so service continues; lowering the timeout for recursive name lookups to free up resources in the DNS resolver; increasing the time-to-live (TTL) on existing records; and applying rate limiting to traffic headed for overwhelmed servers.
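Two of those mitigations, Response Rate Limiting and temporarily blocking an offending client, interact with the caution about blocking IPs: a hospital's own forwarder or a large shared resolver can sit behind one address, and cutting it off punishes every patient using it. The class below is an added example written for this article, not HC3's or any vendor's code. It models per-client NXDOMAIN rate limiting in the style of BIND's RRL, including RRL's "slip" behaviour (every Nth excess answer is sent truncated so a genuine resolver retries over TCP, which a spoofed-source flood cannot do), escalates to a timed block only after repeated offences, and exempts listed addresses from blocking. The numbers (5 NXDOMAINs per second, slip every second excess answer, three strikes, a 300-second block) are illustrative assumptions, not HC3 recommendations.

```python
from collections import Counter


class NxdomainRateLimiter:
    """Per-client limiter for negative (NXDOMAIN) answers.

    decide() returns one of:
      'answer' - send the normal response
      'slip'   - send a truncated (TC=1) response; real resolvers retry over TCP
      'drop'   - send nothing
    A client that exceeds the per-second cap in `strikes_before_block`
    distinct seconds is blocked for `block_seconds`, unless it is listed in
    `never_block` (shared forwarders, monitoring hosts), in which case its
    excess answers are only ever slipped or dropped and it is never blocked.
    """

    def __init__(self, nx_per_second=5, slip=2, strikes_before_block=3,
                 block_seconds=300, never_block=()):
        self.nx_per_second = nx_per_second
        self.slip = slip
        self.strikes_before_block = strikes_before_block
        self.block_seconds = block_seconds
        self.never_block = set(never_block)
        self._window = {}            # client -> [second, nxdomains seen in that second]
        self._strikes = Counter()    # client -> seconds in which the cap was exceeded
        self._blocked_until = {}     # client -> unix time when the block expires

    def decide(self, client, rcode, now):
        second = int(now)
        if self._blocked_until.get(client, -1.0) > now:
            return "drop"
        if rcode != "NXDOMAIN":
            return "answer"          # only negative answers are limited here
        win = self._window.get(client)
        if win is None or win[0] != second:
            win = [second, 0]        # new one-second accounting window
            self._window[client] = win
        win[1] += 1
        if win[1] <= self.nx_per_second:
            return "answer"
        excess = win[1] - self.nx_per_second
        if excess == 1:
            # first answer over the cap in this second: record one strike
            self._strikes[client] += 1
            if (self._strikes[client] >= self.strikes_before_block
                    and client not in self.never_block):
                self._blocked_until[client] = now + self.block_seconds
                self._strikes[client] = 0
                return "drop"
        # RRL 'slip': every slip-th excess answer goes out truncated, the rest are dropped
        return "slip" if self.slip and excess % self.slip == 0 else "drop"


def run_burst(limiter, client, queries_per_second, seconds, start=0):
    """Feed a constant NXDOMAIN burst from one client (constructed traffic)
    and tally the limiter's decisions for each simulated second."""
    tally = {}
    for s in range(seconds):
        counts = Counter()
        for i in range(queries_per_second):
            now = start + s + i / queries_per_second
            counts[limiter.decide(client, "NXDOMAIN", now)] += 1
        tally[start + s] = counts
    return tally


if __name__ == "__main__":
    lim = NxdomainRateLimiter(never_block={"10.0.0.53"})
    for who in ("203.0.113.9", "10.0.0.53"):
        for sec, counts in run_burst(lim, who, 20, 4).items():
            print(who, "second", sec, dict(counts))
```

Against a 20-per-second flood the flooding address gets five real answers, seven truncated answers and eight drops in each of the first two seconds, is blocked from the third second on, and is admitted again once the block expires; the exempted forwarder address keeps the same slip-and-drop treatment every second but is never blocked, which is the behaviour HC3's caution about blocking IPs is asking for.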