
How to Defend Against any Type of DNS Attack

Don’t Let a DNS DDoS Attack Leave Your Business Invisible Due to DNS Failure

The Domain Name System (DNS) is a foundational element of internet infrastructure, making it possible for users to find and connect with specific websites among the hundreds of millions of domains scattered around the world. A distributed denial of service (DDoS) attack is one of the most commonly used and potentially disruptive tactics in today’s threat environment. Combine the two, and you have a critical cybersecurity issue calling for an active defense.

In this article, we’ll talk about the mechanics of a DNS DDoS attack, variations such as a DNS amplification attack or DNS flood attack, and how to incorporate DNS DDoS protection into your DDoS protection strategy.

How DNS Works

Invented in 1983, the DNS can be compared to a resource of similar age: a traditional telephone book. As with the white pages of yesteryear, the DNS lists the name of each connected domain along with its corresponding number—in this case, its Internet Protocol (IP) address.

That the DNS has remained viable for so long is a credit to the simple elegance of its dynamic, distributed design and tree-structured database. Unfortunately, having been conceived years before the first cyberattack was launched, the DNS was not designed with security in mind. As a result, it has faced endless attacks throughout its history.

To understand the nature of a DNS attack, we first need to consider the way the system itself functions. Computers use IP addresses to identify and route traffic among the billions of systems connected to the internet. When people browse the web, though, they typically use domain names to specify the sites they want to visit, not IP addresses.

After all, it’s a lot easier to remember www.a10networks.com than a string of a dozen or so numbers. The DNS system is the mechanism that translates each fully qualified domain name (FQDN) into its corresponding IP address in real time. Here’s a closer look at how it works:

Diagram showing how queries are processed by DNS

The Impact of a DNS DDoS Attack

As you can imagine, a disruption of this system can make it virtually impossible for users to find a given company online. And unfortunately, the open, connectionless, and stateless nature of DNS makes it especially vulnerable to attack and exploitation. Given that every application uses DNS, a DNS attack can have an especially broad impact and cause a great deal of collateral damage.

For users, the most immediate result is a dreaded “DNS failure” alert: “DNS server not available” or “server DNS address could not be found.” For a business, these failed connections mean becoming effectively invisible and unreachable online by customers, prospects, or anyone else.

While many DNS attacks go unreported in the media, those that are reported underscore the scale of the threat. In fact, one of the largest DDoS attacks in history was a DNS DDoS attack: the 2016 Dyn DNS attack. Featuring the debut of the Mirai botnet, and targeting a company controlling a large share of global DNS infrastructure, the attack took down numerous sites including Twitter, the Guardian, Netflix, Reddit, and CNN across both the U.S. and Europe. With an estimated attack strength of 1.2Tbps, the attack was twice as large as any previously reported denial of service attack.

Dyn was far from alone in being victimized by a DNS attack. A 2021 study by the Neustar International Security Council (NISC) found that nearly three-quarters of organizations had been hit with a DNS attack that year.

How a Denial of Service Attack is Delivered

While not every DNS attack is a denial of service attack, many are. In its most basic form, a denial of service attack floods a target system with traffic in order to overwhelm it and shut it down. This results in—you guessed it—DNS failure and a denial of service to legitimate visitors.

When the attack is launched from multiple computers at once, such as via a botnet, this distributed approach earns it the name distributed denial of service, or DDoS. This is far more effective, harder to trace, and harder to defend against than a single-source denial of service attack, making it the method of choice for most hackers.

As DDoS attack tactics continue to evolve, hackers now often use reflection, amplification, or both to increase the impact of an attack. In a reflection attack, the target’s IP address is spoofed and used to send a request for information via publicly accessible UDP or TCP services, bringing responses from unwitting servers to the victim’s system that can crowd out legitimate traffic.

In an amplification attack, cybercriminals use readily available hacking tools to send thousands of requests to vulnerable services, each of which is designed to bring a response larger than the original “trigger” request. Used individually or in tandem, reflection and amplification can greatly accelerate the depletion of the targeted server’s resources.

Table showing how DDoS attacks travel from the attacker to the victim


How a DNS DDoS Attack Is Delivered

A DNS DDoS attack often uses similar techniques to other types of DDoS attacks. In a direct attack such as a DNS flood attack, hackers seek to overwhelm the targeted domain’s servers with queries or packets in order to disrupt DNS resolution or trigger DNS failure, leaving the servers unable to respond to legitimate traffic.

A DNS reflection attack occurs when an attacker—typically using a botnet—spoofs the victim’s IP address and sprays requests across millions of application servers exposed on the internet. Those servers, including DNS resolvers, then answer those unauthenticated requests with large responses. Each individual small request is amplified by the DNS resolvers by up to 54 times its size. DNS is always listening for queries, which makes it an ideal vehicle for reflected attacks. A DNS amplification attack is a type of DNS reflection attack in which traffic is amplified using unsecured DNS servers: small requests are made for very large DNS records. The request is sent using a spoofed return address, bringing a surge of bogus traffic back to the target server. In fact, the 2016 attack on Dyn was likely a DNS amplification attack.

Diagram showing how DNS attacks are delivered via volumetric floods or amplified responses

Whether launched directly or as a DNS reflection or DNS amplification attack, a DNS DDoS attack can use many different strategies to trigger DNS failure, including:

  • Water torture: Also known as pseudo-random subdomain attacks, water torture attacks bombard DNS resolvers with legitimate domains followed by random labels, forcing the DNS to work harder.
  • NXDomain: By repeatedly requesting non-existent domains (NXDomains), attackers can cause DNS resolvers and servers to become overwhelmed.
  • Query flood: A multitude of queries flood either the DNS resolvers or the authoritative servers.
  • Malformed DNS query: These types of queries force the DNS to complete additional processes and use additional resources.

Unfortunately, DNS servers respond to everything they receive, including pings, UDP packets, and TCP requests. This makes them exceptionally vulnerable to just about every type of attack, including TCP SYN floods and ICMP/UDP floods, even when those attacks are not explicitly DNS-based.
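As an added example (not part of the original post) of how the water torture and NXDomain patterns listed above can be told apart in resolver logs: a client whose queries mostly fail, with never-repeating leftmost labels under one real domain, fits water torture, while failures spread across unrelated names fit a plain NXDomain flood. The log lines, log format and thresholds are all constructed for this illustration.

```python
from collections import Counter, defaultdict
# Constructed resolver log lines (made up for this example): "<client> <qname> <rcode>".
SAMPLE_LOG = """\
198.51.100.7 www.example.com NOERROR
198.51.100.7 mail.example.com NOERROR
203.0.113.9 x8k2qz1p.example.com NXDOMAIN
203.0.113.9 q0v7mt3a.example.com NXDOMAIN
203.0.113.9 zz91hb4e.example.com NXDOMAIN
203.0.113.9 kq2d7m0w.example.com NXDOMAIN
203.0.113.9 www.example.com NOERROR
203.0.113.42 foo.invalid NXDOMAIN
203.0.113.42 bar.test NXDOMAIN
203.0.113.42 baz.invalid NXDOMAIN
203.0.113.42 qux.test NXDOMAIN
"""

# Thresholds are assumptions for the example; tune them against your own resolver's baseline.
MIN_QUERIES, NX_RATIO = 4, 0.5              # too few queries to judge; NXDOMAIN share that is suspicious
PARENT_SHARE, UNIQUE_LABEL_RATIO = 0.8, 0.9 # NXDOMAINs under one parent; fresh leftmost labels among them

def parse_log(text):
    """Yield (client, qname, rcode) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower().rstrip("."), parts[2].upper()

def classify_clients(records):
    """Return {client: verdict} for clients whose NXDOMAIN pattern matches an attack type above."""
    total, nx_names = Counter(), defaultdict(list)
    for client, qname, rcode in records:
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx_names[client].append(qname)
    verdicts = {}
    for client, n in total.items():
        nx = nx_names.get(client, [])
        if n < MIN_QUERIES or len(nx) / n < NX_RATIO:
            continue
        # Split each missing name into its leftmost label and the parent it hangs under.
        pairs = [q.split(".", 1) for q in nx if "." in q]
        parents = Counter(parent for _, parent in pairs)
        parent, hits = parents.most_common(1)[0] if parents else (None, 0)
        unique = len({label for label, p in pairs if p == parent})
        if hits / len(nx) >= PARENT_SHARE and unique / hits >= UNIQUE_LABEL_RATIO:
            verdicts[client] = f"water-torture:{parent}"   # random labels under one real domain
        else:
            verdicts[client] = "nxdomain-flood"
    return verdicts
```

The verdict names the parent domain being abused, which is the name a mitigator would protect with an FQDN allow-list.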

How Companies Can Defend Against a DDoS Attack

DNS DDoS protection is a subset of DDoS prevention. DDoS prevention has to achieve two equally essential objectives: ensuring that services and infrastructure stay up and running and ensuring their availability for legitimate users. Meeting both goals can be trickier than it seems. An overly aggressive DDoS defense can trigger false positives that result in legitimate users being blocked, while a looser system can allow real attacks to be missed through false negatives.

Some DDoS defenses incorporate traffic shaping, an approach which clamps traffic loads to protect the service from falling over.

Diagram showing how traffic shaping drops both valid and invalid traffic

This strategy is fraught with collateral damage because, as shown in the image above, the traffic filters indiscriminately dispose of traffic. This means that legitimate users are thrown out alongside malicious traffic.

To avoid this, a DDoS defense system must be able to distinguish between legitimate and illegitimate users. This can be accomplished with multi-modal detection and mitigation strategies, including mitigation escalation, zero-day attack pattern recognition (ZAPR) and DDoS threat intelligence:

Table of three DDoS defense strategies

Here, you can see how various mitigation strategies affect valid users:

Graph showing how various mitigation strategies can impact valid users

The strategies you should be focused on, which fall under source policy violation, are highlighted in blue. These strategies also happen to be some of the most technically complex. Note that both destination protection and RFC check lack technical complexity, and destination protection has a significant impact on valid users.

Because attackers are constantly becoming more sophisticated and automated in their tactics, defenders must become increasingly sophisticated and automated as well. For example, determining which mitigations to apply and when to apply them requires changes to the defense platform. If you can set only one policy level, it will simply be either weak or strong, and will require manual intervention to adjust for the attackers’ behavior.

However, if an adaptive, multi-level policy can be defined and executed, then the defense will automatically apply the appropriate mitigation policies. This will both minimize damage against real users and protect service availability. The multi-level policy shown below features five levels of mitigations:

Flowchart showing how an automated defense reacts in both peacetime and wartime.

Another automation strategy would utilize machine learning to identify the pattern of the attacking agent’s traffic, create a filter on the fly and block DDoS traffic with no advance configuration or manual intervention. This approach is known as Zero-Day Attack Pattern Recognition (ZAPR), and can:

  1. Analyze incoming traffic
  2. Identify common methods, or attack vectors, of malicious traffic
  3. Automatically generate a custom filter to quickly block attacks with surgical precision

Diagram showing how Dynamic Attack Pattern Recognition works

Finally, defense systems can use IP reputation intelligence to block repeatedly used DDoS agents, known as DDoS weapons. Together, those detection and mitigation strategies create an in-depth defense that’s capable of protecting both users and services.

How Companies Can Defend Against a DNS DDoS Attack

So far, we’ve covered the main goals of DDoS defense, as well as the multi-modal strategies that can be used to achieve them. But what can companies do to protect themselves against DNS attacks in particular? The following DNS DDoS prevention and DNS DDoS mitigation measures can be applied to the wide variety of attacker strategies, from a direct DNS attack to a DNS amplification attack.

  • Drop malformed DNS queries
  • Drop non-DNS requests to UDP port 53
  • Drop DNS ANY requests
  • Identify reflected amplification attacks
  • Limit excessive queries per request
  • Drop abusive FQDN structures or record types
  • Authenticate requesters to prevent spoofing
  • Track NXDomain responses from requesters
  • Learn FQDNs being requested to prevent fake pseudo-random subdomains
  • Initiate zone transfer to allow only real domains while under attack
  • Limit total queries to the protected DNS server

Diagram showing how defense systems use ZAPR to protect from various types of DDoS attacks

With many of those attack types, a pattern can also be extracted and applied to prevent similar attacks more effectively in the future.

Let’s look at how a finished DNS DDoS defense system will process incoming traffic.

Diagram showing how a DNS mitigator processes incoming traffic


To protect against UDP floods, the DNS-UDP port type will drop all UDP floods that are not valid DNS requests.

To protect against spoofed DNS floods, the defense system will require authentication. This means that it will drop the first DNS request, and if the same request arrives again within a certain amount of time, the requester will be marked as “authenticated.” Otherwise, the system can force the session to switch to TCP.

To protect against water torture attacks, like those exhibited by the Mirai IoT malware, the defense system will only allow valid FQDNs. It will do this by configuring a domain list of those that are known and valid and reject any fake domains during the attack period. This can be done either manually with a predefined list or dynamically with a DNS zone transfer to the mitigation appliance.

To protect against overwhelming amounts of legitimate-looking queries, the defense system will establish a query rate limit allowed by a single requester. This will include an overall DNS query rate limit or a per-FQDN query rate limit.
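The four protections above, as an added illustration that is not A10’s code: a small decision engine that applies them in the order described. The policy values, the requester-retry authentication logic, the plain-text FQDN list (standing in for one loaded by zone transfer) and the header-only check that stands in for full DNS parsing are all assumptions made for this example.

```python
import time
from collections import defaultdict, deque
# Policy values are constructed for this example, not vendor defaults.
AUTH_WINDOW, RATE_WINDOW = 5.0, 1.0        # seconds: retry window for authentication, rate-limit window
PER_SRC_LIMIT, PER_FQDN_LIMIT = 50, 200    # queries per RATE_WINDOW per requester / per name

def looks_like_dns_query(payload):
    """Minimal wire-format check: 12-byte header, QR bit clear (a request), exactly one question."""
    if len(payload) < 12:
        return False
    flags, qdcount = int.from_bytes(payload[2:4], "big"), int.from_bytes(payload[4:6], "big")
    return (flags & 0x8000) == 0 and qdcount == 1

class DnsMitigator:
    def __init__(self, valid_fqdns, now=time.monotonic):
        self.valid_fqdns = {f.lower().rstrip(".") for f in valid_fqdns}  # static list or zone transfer
        self.now = now                                # injectable clock, so decisions are testable
        self.pending, self.authenticated = {}, set()  # (src, qname) -> first-drop time; proven sources
        self.src_hits, self.fqdn_hits = defaultdict(deque), defaultdict(deque)  # timestamps per key
        self.under_attack = False                     # set by detection; enables the FQDN allow-list

    def _over_limit(self, hits, key, limit, now):
        q = hits[key]
        while q and now - q[0] > RATE_WINDOW:         # expire timestamps outside the sliding window
            q.popleft()
        q.append(now)
        return len(q) > limit

    def decide(self, src, qname, payload, proto="udp"):
        """Return 'allow' or 'drop:<reason>' for one incoming packet, applying the four steps in order."""
        now, qname = self.now(), qname.lower().rstrip(".")
        # 1. DNS-UDP port type: UDP/53 traffic that is not a valid DNS request is dropped.
        if proto == "udp" and not looks_like_dns_query(payload):
            return "drop:not-dns"
        # 2. Spoof protection: drop the first UDP request and accept a retry within AUTH_WINDOW
        #    (a spoofed source never retries); TCP skips this because the handshake proves the source.
        if proto == "udp" and src not in self.authenticated:
            first = self.pending.get((src, qname))
            if first is None or now - first > AUTH_WINDOW:
                self.pending[(src, qname)] = now
                return "drop:await-retry"
            self.authenticated.add(src)
        # 3. Water torture: while under attack, only known FQDNs are answered.
        if self.under_attack and qname not in self.valid_fqdns:
            return "drop:unknown-fqdn"
        # 4. Rate limits per requester and per FQDN.
        if self._over_limit(self.src_hits, src, PER_SRC_LIMIT, now):
            return "drop:src-rate"
        if self._over_limit(self.fqdn_hits, qname, PER_FQDN_LIMIT, now):
            return "drop:fqdn-rate"
        return "allow"
```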

DNS resilience can also be enhanced by DDoS-protected DNS, an approach in which DNS servers are strategically placed around the world and load balanced to enable failover in the event that one goes down. For best results, DDoS and DNS defense solutions should work together to provide robust protection scaled to the size of the DNS database.

As DDoS attacks of all kinds continue to increase, every company is at risk of a DNS DDoS attack—and the prospect of being rendered invisible online to customers. By taking an active, multi-modal approach to DNS DDoS prevention and DNS DDoS mitigation, you can protect your DNS servers from attack and keep your company open for digital business.


*** This is a Security Bloggers Network syndicated blog from A10 Networks Blog: Cyber Security authored by A10 Networks. Read the original post at: https://www.a10networks.com/blog/how-to-defend-against-any-type-of-dns-attack/