Defend DNS from DDoS


The internet's domain name service is some 30 years old, and many hosted services depend on it. Because everything relies on this naming system, effective defense of DNS services is not only important, it is imperative.

Companies must be particularly conscious of defending their DNS services from distributed denial of service (DDoS) attacks. This has been proven by a wake of devastating DNS-based DDoS attacks. The sections below cover:

  • How DNS works, and why DNS DDoS resilience is critical.
  • How DNS DDoS attacks are delivered.
  • How companies can defend against DDoS attacks.
  • How companies can defend against DNS attacks.

How DNS Works, and Why DNS DDoS Resilience is Critical

DNS can be described as the phone book of the internet: it’s a tree-structured database that maintains domain names and translates them into Internet Protocol (IP) addresses.

It’s essential that companies defend themselves against DNS-based attacks for three main reasons:

  • Every application uses DNS, which means that every application is vulnerable.
  • Thanks to the openness of DNS, it is easy to exploit.
  • DNS-based attacks have a wide blast radius and can cause a great deal of collateral damage.

How DNS DDoS Attacks are Delivered

One of the most popular weapons amongst cyber criminals around the world, DDoS attacks utilize multiple compromised systems to bring down a single target. That use of multiple sources is what makes DDoS attacks distributed.

Because of their distributed nature, DDoS attacks are less about individual attackers than they are about an entire ecosystem of attackers and weapons.

These types of attacks are so devastating because they threaten the first priority in running a modern business: service availability.

Table showing how DDoS attacks travel from the attacker to the victim

DNS-specific DDoS attacks take several forms:

  • Water torture: Also known as pseudo-random subdomain attacks, water torture attacks bombard DNS resolvers with legitimate domains prefixed by random labels, forcing the DNS infrastructure to work harder.
  • NXDomain: By repeatedly requesting non-existent domains (NXDomains), attackers can cause DNS resolvers and servers to become overwhelmed.
  • Query flood: A multitude of queries flood either the DNS resolvers or the authoritative servers.
  • Malformed DNS query: These types of queries force the DNS server to perform additional processing and consume additional resources.
  • DNS reflected amplification: DNS servers answer every query they receive, which makes them an ideal reflector for amplification attacks.

Diagram showing how DNS attacks are delivered via volumetric floods or amplified responses

General attacks can also use strategies like:

  • Transmission Control Protocol synchronize (TCP SYN) flood.
  • Internet Control Message Protocol/User Datagram Protocol (ICMP/UDP) flood.
  • Non-DNS reflected amplification (e.g. NTP, SSDP, etc).
  • Packet anomalies.

How Companies Can Defend Against DDoS Attacks

Let’s consider the main objectives of DDoS defense systems:

  1. Ensure availability of services for legitimate users.
  2. Ensure services and infrastructure stay up and running.

Remember, if No. 2 isn’t accomplished, neither is No. 1: both objectives are equally important.

Good DDoS defense systems will also reduce both false positives and false negatives. False positives result in legitimate users being blocked, and false negatives can cause a real attack to be missed.

In many DDoS defenses, traffic shaping is implemented. This involves clamping traffic loads in order to protect the service from falling over.

Diagram showing how traffic shaping drops both valid and invalid traffic

This strategy is fraught with collateral damage because, as shown in the image above, the traffic filters indiscriminately dispose of traffic. This means that legitimate users are thrown out alongside malicious traffic.

To avoid this, a DDoS defense system must be able to distinguish between legitimate and illegitimate users. That can be accomplished with multi-modal detection and mitigation strategies, including mitigation escalation, zero-day attack pattern recognition (ZAPR) and DDoS threat intelligence.

Here, you can see how various mitigation strategies affect valid users:

Graph showing how various mitigation strategies can impact valid users

The strategies you should be focused on, which fall under Source Policy Violation, are highlighted in blue. These strategies also happen to be some of the most technically complex. Note that both Destination Protection and RFC Check lack technical complexity, and Destination Protection has a significant impact on valid users.

Because attackers are constantly becoming more sophisticated and automated in their tactics, defenders must become increasingly sophisticated and automated as well.

For example, determining which mitigations to apply and when to apply them requires changes to the defense platform. If you can set only one policy level, it will simply be either weak or strong, and will require manual intervention to adjust for the attackers’ behavior.

However, if an adaptive, multi-level policy can be defined and executed, then the defense will automatically apply the appropriate mitigation policies. This will both minimize damage against real users and protect service availability.

Another automation strategy would utilize machine learning to identify the pattern of the attacking agent’s traffic, create a filter on the fly and block DDoS traffic with no advance configuration or manual intervention. This approach is known as Zero-Day Attack Pattern Recognition (ZAPR), and can:

  1. Analyze incoming traffic.
  2. Identify common methods, or attack vectors, of malicious traffic.
  3. Automatically generate a custom filter to quickly block attacks with surgical precision.

Finally, defense systems can use IP reputation intelligence to block repeatedly used DDoS agents, known as DDoS weapons.

How Companies Can Defend Against DNS Attacks

There are a number of viable defense strategies that can be used to protect against every type of DNS attack, including these categories:

  • Drop malformed DNS queries
  • Drop non-DNS requests to UDP port 53
  • Drop DNS ANY requests
  • Identify reflected amplification attacks
  • Limit excessive queries per request
  • Drop abusive FQDN structures or record types
  • Authenticate requesters to prevent spoofing
  • Track NXDomain responses from requesters
  • Learn FQDNs being requested to prevent fake pseudo-random subdomains
  • Initiate zone transfer to allow only real domains while under attack
  • Limit total queries to the protected DNS server

These defensive measures can then be applied to the vast variety of DNS DDoS attacker strategies.

Diagram showing how defense systems use ZAPR to protect from various types of DDoS attacks

With many of those attack types, a pattern can also be extracted and applied to more effectively prevent similar attacks in the future.

To protect against UDP floods, a DNS-UDP port policy drops all UDP traffic to the DNS port that is not a valid DNS request.

To protect against spoofed DNS floods, the defense system will require authentication. This means that it will drop the first DNS request, and if the same request arrives again within a certain amount of time, the requester will be marked as “authenticated.” Alternatively, the system can force the session to switch to TCP.
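The first-drop authentication and the TCP fallback described above, as an added Python example (not code from the original post or from any vendor product); the retry window, the trust lifetime, the addresses and the minimal DNS header handling are assumptions:

```python
from dataclasses import dataclass, field

RETRY_WINDOW = 3.0   # seconds a dropped query stays pending (assumed value)
TRUST_TTL = 60.0     # seconds an authenticated source stays trusted (assumed)


@dataclass
class FirstDropAuthenticator:
    """Drop the first UDP query from an unknown source; trust the source once
    it retries the same query, which a real resolver does and a spoofed
    flood source cannot (it never sees the drop)."""
    pending: dict = field(default_factory=dict)  # (src, qname, qtype) -> first seen
    trusted: dict = field(default_factory=dict)  # src -> trusted until

    def handle(self, src, qname, qtype, now):
        """Return 'pass', 'authenticated' or 'drop' for one query."""
        if self.trusted.get(src, 0.0) > now:
            return "pass"
        key = (src, qname.rstrip(".").lower(), qtype)
        first = self.pending.get(key)
        if first is not None and now - first <= RETRY_WINDOW:
            # Same query retried inside the window: looks like a real resolver.
            del self.pending[key]
            self.trusted[src] = now + TRUST_TTL
            return "authenticated"
        # First sight (or a retry that arrived too late): drop silently.
        self.pending[key] = now
        return "drop"

    def prune(self, now):
        """Bound table growth during a flood: forget stale pending entries."""
        stale = [k for k, t in self.pending.items() if now - t > RETRY_WINDOW]
        for k in stale:
            del self.pending[k]
        return len(stale)


def truncated_response(query):
    """Alternative defense: return the query header as a response with TC=1 so
    the requester must repeat the query over TCP, where a spoofed source
    cannot complete the handshake."""
    if len(query) < 12:
        raise ValueError("not a DNS header")
    flags = int.from_bytes(query[2:4], "big") | 0x8000 | 0x0200  # QR=1, TC=1
    return query[:2] + flags.to_bytes(2, "big") + query[4:]
```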

To protect against water torture attacks, like those exhibited by the Mirai IoT malware, the defense system will only allow valid FQDNs. It will do this by configuring a domain list of those that are known and valid and reject any fake domains during the attack period. This can be done either manually with a predefined list or dynamically with a DNS zone transfer to the mitigation appliance.

To protect against overwhelming amounts of legitimate-looking queries, the defense system will establish a query rate limit allowed for a single requester. This can be an overall DNS query rate limit or a per-FQDN query rate limit.
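The FQDN allowlist and the per-requester rate limits from the last two paragraphs, combined into one added Python example (not the original post's code); the zone contents, the limits and the sample query stream are constructed:

```python
from collections import defaultdict, deque

# Constructed zone for example.com, as it might be learned via a zone transfer.
ZONE = {"example.com", "www.example.com", "mail.example.com", "api.example.com"}
WINDOW = 1.0       # seconds per rate-limit window (assumed)
MAX_PER_SRC = 5    # overall queries per source per window (assumed)
MAX_PER_FQDN = 3   # queries per (source, FQDN) per window (assumed)


class DnsFloodFilter:
    """Checks in order: unknown FQDN, then per-source limit, then per-FQDN limit."""
    def __init__(self, zone, window=WINDOW):
        self.zone = {n.lower() for n in zone}
        self.window = window
        self.per_src = defaultdict(deque)    # src -> timestamps in window
        self.per_fqdn = defaultdict(deque)   # (src, fqdn) -> timestamps
        self.counts = defaultdict(int)       # verdict -> number of queries

    def _exceeded(self, table, key, now, limit):
        """Sliding-window counter: discard timestamps older than the window."""
        q = table[key]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > limit

    def decide(self, src, qname, now):
        """Return the verdict for one query: 'pass' or a drop reason."""
        name = qname.rstrip(".").lower()
        if name not in self.zone:
            verdict = "drop-unknown-fqdn"   # water torture / NXDomain flood
        elif self._exceeded(self.per_src, src, now, MAX_PER_SRC):
            verdict = "drop-src-rate"
        elif self._exceeded(self.per_fqdn, (src, name), now, MAX_PER_FQDN):
            verdict = "drop-fqdn-rate"
        else:
            verdict = "pass"
        self.counts[verdict] += 1
        return verdict


def run(flt, queries):
    """Apply the filter to (time, src, qname) tuples; return verdict counts."""
    for t, src, qname in queries:
        flt.decide(src, qname, t)
    return dict(flt.counts)


# Constructed sample: a normal resolver plus a bot sending random labels under the real domain.
SAMPLE = [(0.1, "192.0.2.10", "www.example.com"), (0.2, "192.0.2.10", "mail.example.com.")]
SAMPLE += [(0.01 * i, "203.0.113.7", f"x{i:04x}.example.com") for i in range(20)]
```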

Five ways companies can achieve DNS resilience:

  1. Over-provisioned DNS: Expensive, complex and difficult to scale.
  2. Commercial resilient DNS server: Lacks protection from volumetric attacks.
  3. Cloud DNS: A pay-per-query system can result in companies being charged for DDoS attacks.
  4. DDoS protection: This option is scaled for query performance.
  5. Resilient DNS system: DDoS and DNS defense solutions work together to provide robust protection that’s scaled to the size of the DNS database.

Diagram showing the five ways companies can achieve DNS resilience

While all five choices are feasible, a resilient DNS system is by far the most far-reaching and comprehensive.

Although DNS services are certainly vulnerable, it is possible to protect them against all types of DDoS attacks, no matter how aggressive.
