How to Defend DNS Services from All Types of DDoS Attacks
First invented in 1983, the internet Domain Name System (DNS) is older than the World Wide Web itself.
Only a select few people had access to the internet in the 1980s. Today, however, there are 4.1 billion internet users worldwide, 1.94 billion websites and about 342 million registered domain names, according to Hosting Facts.
When you consider that each of those websites and domain names relies on a naming system that’s more than thirty years old, it becomes clear that effective DNS services defense is not only important — it’s imperative.
Companies must be particularly conscious of defending their DNS services from distributed denial of service (DDoS) attacks. This has been demonstrated by a series of devastating DNS-based DDoS attacks, including:
- A 2002 attack on the DNS root servers.
- A 2013 attack against Spamhaus, an anti-spam non-profit organization.
- A 2016 attack against Dyn, a company that controls a vast portion of the DNS infrastructure.
How can companies protect themselves against similarly catastrophic attacks? That’s what we’re here to find out. Read on to learn:
- How DNS works, and why DNS DDoS resilience is critical.
- How DNS DDoS attacks are delivered.
- How companies can defend against DDoS attacks.
- How companies can defend against DNS attacks.
Let’s dive in.
How DNS Works, and Why DNS DDoS Resilience is Critical
DNS can be described as the phone book of the internet: it’s a tree-structured database that maintains a list of domain names and translates them to Internet Protocol (IP) addresses.
This is a closer look at how DNS matches a fully qualified domain name (FQDN) with labels and suffixes:
It’s essential that companies defend themselves against DNS-based attacks for three main reasons:
- Every application uses DNS, which means that every application is vulnerable.
- Because DNS is open by design, it is easy to exploit.
- DNS-based attacks have a wide blast radius and can cause a great deal of collateral damage.
How DNS DDoS Attacks are Delivered
First, let’s establish what a DDoS attack is, exactly. One of the most popular weapons amongst cyber criminals around the world, DDoS attacks utilize multiple compromised systems to bring down a single target. That use of multiple sources is what makes DDoS attacks distributed.
Because of their distributed nature, DDoS attacks are less about individual attackers than they are about an entire ecosystem of attackers and weapons.
These types of attacks are so devastating because they threaten the first priority in running a modern business: service availability.
DDoS attacks are delivered via either direct or reflected attacks. Direct attacks use botnets composed of hijacked IoT devices, computers and/or servers. These botnets then target the DNS infrastructure with a massive number of queries or packets. This can be done using either real or spoofed IP addresses.
On the other hand, reflected attacks occur when an attacker, typically a botnet, spoofs the victim’s IP address and sprays requests bearing it across millions of application servers exposed on the internet. Those servers, including DNS resolvers, then answer those unauthenticated requests with large responses sent to the victim. Each individual small request is then amplified by the DNS resolvers by up to 54 times its size.
Whether they’re direct or reflected attacks, the strategies behind them can be varied. For example, DNS app attacks can utilize these strategies:
- Water torture: Also known as pseudo-random subdomain attacks, water torture attacks bombard DNS resolvers with legitimate domains followed by random labels, forcing the DNS to work harder.
- NXDomain: By repeatedly requesting non-existent domains (NXDomains), attackers can cause DNS resolvers and servers to become overwhelmed.
- Query flood: A multitude of queries flood either the DNS resolvers or the authoritative servers.
- Malformed DNS query: These types of queries force the DNS to complete additional processes and use additional resources.
- DNS reflected amplification: DNS is always looking and listening for queries, which makes it an ideal target for reflected attacks.
General attacks can also use strategies like:
- Transmission Control Protocol synchronize (TCP SYN) flood.
- Internet Control Message Protocol/User Datagram Protocol (ICMP/UDP) flood.
- Non-DNS reflected amplification (e.g. NTP, SSDP, etc).
- Packet anomalies.
Unfortunately, DNS servers answer to everything, whether that means pings, UDP packets or TCP requests. This makes them exceptionally vulnerable to just about every type of attack, whether they’re explicitly DNS-based or not.
How Companies Can Defend Against DDoS Attacks
Let’s consider the main objectives of DDoS defense systems:
- Ensure availability of services for legitimate users.
- Ensure services and infrastructure stay up and running.
Remember, if the second objective isn’t accomplished, neither is the first: both objectives are equally important.
Good DDoS defense systems will also reduce both false positives and false negatives. False positives result in legitimate users being blocked, and false negatives can cause a real attack to be missed.
In many DDoS defenses, traffic shaping is implemented. This involves clamping traffic loads in order to protect the service from falling over.
This strategy is fraught with collateral damage because, as shown in the image above, the traffic filters indiscriminately dispose of traffic. This means that legitimate users are thrown out alongside malicious traffic.
To avoid this, a DDoS defense system must be able to distinguish between legitimate and illegitimate users. That can be accomplished with multi-modal detection and mitigation strategies, including mitigation escalation, zero-day attack pattern recognition (ZAPR) and DDoS threat intelligence:
Here, you can see how various mitigation strategies affect valid users:
The strategies you should be focused on, which fall under Source Policy Violation, are highlighted in blue. These strategies also happen to be some of the most technically complex. Note that both Destination Protection and RFC Check lack technical complexity, and Destination Protection has a significant impact on valid users.
Because attackers are constantly becoming more sophisticated and automated in their tactics, defenders must become increasingly sophisticated and automated as well.
For example, determining which mitigations to apply and when to apply them requires changes to the defense platform. If you can set only one policy level, it will simply be either weak or strong, and will require manual intervention to adjust for the attackers’ behavior.
However, if an adaptive, multi-level policy can be defined and executed, then the defense will automatically apply the appropriate mitigation policies. This will both minimize damage against real users and protect service availability.
The multi-level policy shown below features five levels of mitigations:
A10’s Five-Level Adaptive Policy
Another automation strategy would utilize machine learning to identify the pattern of the attacking agent’s traffic, create a filter on the fly and block DDoS traffic with no advance configuration or manual intervention. This approach is known as Zero-Day Attack Pattern Recognition (ZAPR), and can:
- Analyze incoming traffic.
- Identify common methods, or attack vectors, of malicious traffic.
- Automatically generate a custom filter to quickly block attacks with surgical precision.
A10 Networks’ Zero-Day Attack Pattern Recognition (ZAPR)
Finally, defense systems can use IP reputation intelligence to block repeatedly used DDoS agents, known as DDoS weapons.
For example, A10 Networks’ DDoS weapons intelligence map class-list feed has identified more than five million open DNS resolvers with amplification payloads and upwards of 21 million DDoS weapons at the time of writing.
Together, those detection and mitigation strategies create an in-depth defense that’s capable of protecting both users and services.
How Companies Can Defend Against DNS Attacks
So far, we’ve covered the main goals of DDoS defense, as well as the multi-modal strategies that can be used to achieve them. But what can companies do to protect themselves against DNS attacks in particular?
There are a number of viable defense strategies that can be used to protect against every type of DNS attack, including these categories:
- Drop malformed DNS queries
- Drop non-DNS requests to UDP port 53
- Drop DNS ANY requests
- Identify reflected amplification attacks
- Limit excessive queries per requester
- Drop abusive FQDN structures or record types
- Authenticate requesters to prevent spoofing
- Track NXDomain responses from requesters
- Learn FQDNs being requested to prevent fake pseudo-random subdomains
- Initiate zone transfer to allow only real domains while under attack
- Limit total queries to the protected DNS server
These defensive measures can then be applied to the vast variety of DNS DDoS attacker strategies.
With many of those attack types, a pattern can also be extracted and applied to protect more effectively against similar attacks in the future.
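The following added example (not code from A10 or from the original article) shows one way to implement the "track NXDomain responses" and "learn FQDNs being requested" measures as a detector for water torture traffic. The log record layout, the thresholds and the function names are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict

def zone_of(qname, zones):
    """Longest protected zone containing qname, or None."""
    hits = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(hits, key=len) if hits else None

def detect_water_torture(records, zones, known_fqdns,
                         min_queries=20, nx_ratio=0.8, min_unknown=15):
    """records: iterable of (client_ip, qname, rcode). Thresholds are illustrative."""
    total = defaultdict(int)          # zone -> queries seen
    nx = defaultdict(int)             # zone -> NXDOMAIN answers
    unknown = defaultdict(set)        # zone -> distinct names absent from the zone data
    nx_by_client = defaultdict(int)   # requester -> NXDOMAIN answers it triggered
    for client, qname, rcode in records:
        qname = qname.lower().rstrip(".")
        zone = zone_of(qname, zones)
        if zone is None:
            continue                  # not one of the zones we protect
        total[zone] += 1
        if qname not in known_fqdns:
            unknown[zone].add(qname)
        if rcode == "NXDOMAIN":
            nx[zone] += 1
            nx_by_client[client] += 1
    # A zone is flagged only when volume, NXDOMAIN share and name churn all agree,
    # so a handful of typos in a quiet zone does not trigger mitigation.
    flagged = sorted(z for z in total
                     if total[z] >= min_queries
                     and nx[z] / total[z] >= nx_ratio
                     and len(unknown[z]) >= min_unknown)
    return flagged, dict(nx_by_client)

def sample_records():
    """Constructed traffic: normal lookups plus random-label queries for one zone."""
    recs = [("203.0.113.10", "www.example.com", "NOERROR"),
            ("203.0.113.11", "mail.example.com", "NOERROR"),
            ("203.0.113.10", "www.example.net", "NOERROR"),
            ("203.0.113.12", "typo.example.net", "NXDOMAIN")] * 3
    for i in range(60):
        label = format(i * 2654435761 % 2**32, "08x")   # pseudo-random label
        recs.append((f"198.51.100.{i % 4 + 1}", f"{label}.example.com", "NXDOMAIN"))
    return recs
```

A flagged zone is the signal to switch on the stricter per-FQDN filtering for that zone only, leaving unaffected zones untouched.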
Let’s take a look at how a finished DNS DDoS defense system will process incoming traffic.
To protect against UDP floods, the DNS-UDP port type will drop all UDP floods that are not valid DNS requests.
To protect against spoofed DNS floods, the defense system will require authentication. This means that it will drop the first DNS request, and if the same request should arrive within a certain amount of time, it will be marked as “authenticated.” Or, the system can force the session to switch to TCP.
To protect against water torture attacks, like those exhibited by the Mirai IoT malware, the defense system will only allow valid FQDNs. It will do this by configuring a domain list of those that are known and valid and reject any fake domains during the attack period. This can be done either manually with a predefined list or dynamically with a DNS zone transfer to the mitigation appliance.
To protect against overwhelming amounts of legitimate-looking queries, the defense system will establish a query rate limit allowed by a single requester. This will include an overall DNS query rate limit or a per-FQDN query rate limit.
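The four stages just described can be chained in that order. The sketch below is an added example, not A10's implementation or code from the original article; the class name `DnsGate`, the two-second retry window, the per-second limit and the verdict strings are assumptions, and `build_query` only constructs sample packets.

```python
import struct
from collections import defaultdict

def parse_query(payload):
    """Return the queried FQDN, or None if payload is not a well-formed DNS query."""
    if len(payload) < 12:
        return None
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qd != 1 or an != 0:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n, pos = payload[pos], pos + 1
        if n == 0:                                # root label; QTYPE + QCLASS must follow
            return ".".join(labels).lower() if len(payload) - pos >= 4 else None
        if n > 63 or pos + n > len(payload):      # compression pointer or truncated label
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None

def build_query(fqdn, txid=0x1234):
    """Constructed sample input: minimal A-record query with RD set."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in fqdn.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

class DnsGate:
    """Hypothetical mitigation pipeline; state tables are unbounded here for brevity."""
    def __init__(self, valid_fqdns, retry_window=2.0, max_qps=5):
        self.valid = {n.lower().rstrip(".") for n in valid_fqdns}
        self.retry_window, self.max_qps = retry_window, max_qps
        self.first_seen = {}              # (src, fqdn) -> time of the dropped request
        self.authenticated = set()        # sources that retransmitted in time
        self.counts = defaultdict(int)    # (src, whole second) -> query count
    def handle(self, src, payload, now, under_attack=True):
        fqdn = parse_query(payload)
        if fqdn is None:
            return "drop:not-dns"                      # UDP flood that is not DNS
        if src not in self.authenticated:
            t0 = self.first_seen.get((src, fqdn))
            if t0 is None or now - t0 > self.retry_window:
                self.first_seen[(src, fqdn)] = now
                return "drop:first-request"            # real resolvers retransmit
            self.authenticated.add(src)
        if under_attack and fqdn not in self.valid:
            return "drop:unknown-fqdn"                 # water torture label
        key = (src, int(now))
        self.counts[key] += 1
        return "forward" if self.counts[key] <= self.max_qps else "drop:rate-limit"
```

Ordering matters: the cheap format check and the retransmit test run before any per-name or per-requester state is consulted, so spoofed one-shot sources never reach the rate-limit counters.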
To wrap things up, let’s examine five ways companies can achieve DNS resilience:
- Over-provisioned DNS: Expensive, complex and difficult to scale
- Commercial resilient DNS server: Lacks protection from volumetric attacks
- Cloud DNS: A pay-per-query system can result in companies being charged for DDoS attacks
- DDoS protection: This option is scaled for query performance
- Resilient DNS system: DDoS and DNS defense solutions work together to provide robust protection that’s scaled to the size of the DNS database.
While all five choices are feasible, a resilient DNS system is by far the most far-reaching and comprehensive.
Although DNS services are certainly vulnerable, it is possible to protect them against all types of DDoS attacks, no matter how aggressive.
At a recent webinar, Don Shin and Jian Liu of A10 Networks came together to discuss the nuts and bolts of DNS DDoS protection. To learn more, watch the full webinar here.