DNS and DDoS: A Match Made in Hell

NETSCOUT Adaptive DDoS Protection combined with DNS countermeasures comes to the rescue.


The Domain Name System, or DNS, which serves as the internet’s address book, maps human-friendly names into IP addresses so that devices, applications, and services know how to find one another. It is one of the core internet services enabling the communications we take for granted countless times each day.

Since 1997, attackers have been launching attacks against DNS servers to disrupt applications and devices. After all, if the name of a website, online game service, or streaming video provider can’t be resolved, the effect is the same as if the service itself had been successfully attacked. If an enterprise’s authoritative DNS servers are successfully disrupted, the entire organization is, for all practical purposes, unreachable, and every service that depends on those DNS servers is affected.

Starting in 2009, a new type of attack against DNS servers began. Now referred to as “DNS water torture” or “NXDOMAIN flood,” it is the most common attack against DNS servers. Attacking botnets rapidly generate queries for randomized, nonexistent hostnames such as “23Yxj2gKsd9JU.netscout.com.”

During a DNS water torture attack, this massive load of invalid requests, coupled with the NXDOMAIN replies they force, can quickly overwhelm any DNS server. Because every queried name is unique, caches never answer them, and each query must be looked up and rejected individually.


Figure 1: DNS water torture attacks per day as reported in NETSCOUT’s H1 2023 DDoS Threat Intelligence Report.


Instead of being the victim, DNS servers are sometimes leveraged as part of a distributed denial-of-service (DDoS) attack. The earliest, and still extremely common and effective, attack utilizing DNS servers is called reflection/amplification (RA). RA attacks happen when large collections of infected systems (botnets) send queries to a DNS server while spoofing the source address of each query so that it appears to come from the victim. The DNS server receives the query and sends (reflects) its response to the victim. Amplification is the ratio of the response size to the query size: the larger the response relative to the query, the more effective the attack becomes. DNS RA is the most-used vector for DDoS carpet-bombing attacks.

Figure 2: DNS RA as a top DDoS vector as reported in NETSCOUT’s H1 2023 DDoS Threat Intelligence Report.


Truly protecting DNS from being attacked, or from being used in an attack, requires deeper intelligence about the attack itself and about which attacks are occurring at that moment, combined with mitigation techniques that act on that intelligence.

This deeper intelligence begins with NETSCOUT Adaptive DDoS Protection (ADP). ADP is continuously updated by our ASERT team based on what attacks are actively occurring across the planet. ADP is built using machine learning combined with known DDoS attack participants and preconfigured objects and mitigation templates to enable precise, effective isolation and mitigation of attacks. While ADP is part of NETSCOUT’s ATLAS Intelligence Feed (AIF), it is also a component of the mitigation. As an attack dynamically changes, ADP can track these changes and adjust its mitigation as it goes. This allows for the detection and mitigation of attacks that are below most alarm thresholds.

Figure 3: Lifecycle of NETSCOUT’s Adaptive DDoS Protection


Beyond the intelligence ADP provides are the following DNS-specific DDoS countermeasures:

  • DNS zone validation allows requests for valid DNS records to pass while still mitigating DNS attacks.
  • DNS authentication attempts to upgrade DNS to use Transmission Control Protocol (TCP) connections. Legitimate clients will retry over TCP, while spoofed attackers and reflectors will not.
  • DNS malformed traffic detection will block any DNS traffic that does not conform to the DNS Requests for Comments (RFCs).
  • DNS regex matching allows the identification of common patterns in DNS payloads to block or pass requests.
  • DNS and NXDOMAIN rate limiting limits individual clients to a fixed number of requests per second.
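As an added illustration of the NXDOMAIN rate limiting and the water torture pattern described above (example code written for this page, not NETSCOUT's product or the article's own), the following Python check buckets NXDOMAIN answers per client per second and uses the entropy of the leftmost label to separate random fake hostnames from ordinary typos. The log line format, thresholds, IP addresses and hostnames are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the article): epoch second, client IP, qname, rcode.
SAMPLE_LOG = """\
1700000000 203.0.113.10 www.example.com NOERROR
1700000000 198.51.100.7 23Yxj2gKsd9JU.example.com NXDOMAIN
1700000000 198.51.100.7 Pq8Zt1mLxW4a.example.com NXDOMAIN
1700000000 198.51.100.7 o9KsD2hF7yT3.example.com NXDOMAIN
1700000000 198.51.100.7 Lm4Vb6nQ1xR8.example.com NXDOMAIN
1700000001 203.0.113.10 mail.example.com NOERROR
1700000001 198.51.100.7 Zx2Cv5Bn8Mq0.example.com NXDOMAIN
1700000001 203.0.113.10 typo.example.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def label_entropy(qname: str) -> float:
    """Shannon entropy (bits per character) of the leftmost label; random labels score high."""
    label = qname.split(".")[0].lower()
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def nxdomain_stats(log_text: str) -> dict:
    """Per (client, second): number of NXDOMAIN answers and how many had a random-looking label."""
    stats = defaultdict(lambda: {"nxdomain": 0, "random_like": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        ts, client, qname, rcode = m.groups()
        if rcode != "NXDOMAIN":
            continue
        bucket = stats[(client, int(ts))]
        bucket["nxdomain"] += 1
        if label_entropy(qname) >= 3.0:  # 12+ character random labels land well above 3 bits/char
            bucket["random_like"] += 1
    return dict(stats)


def flag_water_torture(log_text: str, max_nx_per_sec: int = 3) -> list:
    """Clients exceeding the per-second NXDOMAIN limit with mostly random-looking labels."""
    flagged = set()
    for (client, _), b in nxdomain_stats(log_text).items():
        if b["nxdomain"] > max_nx_per_sec and b["random_like"] * 2 > b["nxdomain"]:
            flagged.add(client)
    return sorted(flagged)
```

The typo client stays unflagged because a single low-entropy NXDOMAIN per second is normal user behaviour; only the client combining rate and randomness trips the check.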

When defending against DDoS attacks involving DNS, rapid detection is key to stopping an attack before it can impact services. NETSCOUT’s Adaptive DDoS Protection combined with DNS countermeasures provides the most rapid and effective mitigation available, blocking more attack traffic while also dramatically minimizing over-mitigation common to less sophisticated tools.
