How to Defend DNS Services from All Types of DDoS Attacks

First invented in 1983, the internet Domain Name System (DNS) is older than the World Wide Web itself.

Only a select few people had access to the internet in the 1980s. Today, however, there are 4.1 billion internet users worldwide, 1.94 billion websites and about 342 million registered domain names, according to Hosting Facts.

When you consider that each of those websites and domain names relies on a naming system that’s more than thirty years old, it becomes clear that effective DNS services defense is not only important — it’s imperative.

Companies must be particularly conscious of defending their DNS services from distributed denial of service (DDoS) attacks. This has been demonstrated by a wave of devastating DNS-based DDoS attacks, including:

How can companies protect themselves against similarly catastrophic attacks? That’s what we’re here to find out. Read on to learn:

Let’s dive in.

How DNS Works, and Why DNS DDoS Resilience is Critical

DNS can be described as the phone book of the internet: it is a tree-structured database that maintains a list of domain names and translates them to Internet Protocol (IP) addresses.

Diagram showing how queries are processed by DNS

This is a closer look at how DNS matches a fully qualified domain name (FQDN) with labels and suffixes:

Diagram showing how DNS matches an FQDN with labels and suffixes

It’s essential that companies defend themselves against DNS-based attacks for three main reasons:

How DNS DDoS Attacks are Delivered

First, let’s establish what a DDoS attack is, exactly. One of the most popular weapons amongst cyber criminals around the world, DDoS attacks utilize multiple compromised systems to bring down a single target. That use of multiple sources is what makes DDoS attacks distributed.

Because of their distributed nature, DDoS attacks are less about individual attackers than they are about an entire ecosystem of attackers and weapons.

These types of attacks are so devastating because they threaten the first priority in running a modern business: service availability.

Table showing how DDoS attacks travel from the attacker to the victim

DDoS attacks are delivered via either direct or reflected attacks. Direct attacks use botnets comprised of hijacked IoT devices, computers and/or servers. These botnets then target the DNS infrastructure with a massive amount of queries or packets. This can be done using either real or spoofed IP addresses.

On the other hand, reflected attacks occur when an attacker, typically using a botnet, spoofs the victim's IP address as the source and sprays requests across millions of application servers exposed on the internet. Those servers, including open DNS resolvers, then answer those unauthenticated requests with large responses sent to the victim. Each individual small request is amplified by the DNS resolvers by up to 54 times its size.

Diagram showing how DNS attacks are delivered via volumetric floods or amplified responses

Whether they’re direct or reflected attacks, the strategies behind them can be varied. For example, DNS app attacks can utilize these strategies:

General attacks can also use strategies like:

Unfortunately, DNS servers answer to everything, whether that means pings, UDP packets or TCP requests. This makes them exceptionally vulnerable to just about every type of attack, whether they’re explicitly DNS-based or not.

How Companies Can Defend Against DDoS Attacks

Let’s consider the main objectives of DDoS defense systems:

  1. Ensure availability of services for legitimate users.
  2. Ensure services and infrastructure stay up and running.

Remember, if No. 2 isn’t accomplished, neither is No. 1: both objectives are equally important.

Good DDoS defense systems will also reduce both false positives and false negatives. False positives result in legitimate users being blocked, and false negatives can cause a real attack to be missed.

In many DDoS defenses, traffic shaping is implemented. This involves clamping traffic loads in order to protect the service from falling over.

Diagram showing how traffic shaping drops both valid and invalid traffic

This strategy is fraught with collateral damage because, as shown in the image above, the traffic filters indiscriminately dispose of traffic. This means that legitimate users are thrown out alongside malicious traffic.

To avoid this, a DDoS defense system must be able to distinguish between legitimate and illegitimate users. That can be accomplished with multi-modal detection and mitigation strategies, including mitigation escalation, zero-day attack pattern recognition (ZAPR) and DDoS threat intelligence:

Table of three DDoS defense strategies

Here, you can see how various mitigation strategies affect valid users:

Graph showing how various mitigation strategies can impact valid users

The strategies you should be focused on, which fall under Source Policy Violation, are highlighted in blue. These strategies also happen to be some of the most technically complex. Note that both Destination Protection and RFC Check lack technical complexity, and Destination Protection has a significant impact on valid users.

Because attackers are constantly becoming more sophisticated and automated in their tactics, defenders must become increasingly sophisticated and automated as well.

For example, determining which mitigations to apply and when to apply them requires changes to the defense platform. If you can set only one policy level, it will simply be either weak or strong, and will require manual intervention to adjust for the attackers’ behavior.

However, if an adaptive, multi-level policy can be defined and executed, then the defense will automatically apply the appropriate mitigation policies. This will both minimize damage against real users and protect service availability.

The multi-level policy shown below features five levels of mitigations:

A10’s Five-Level Adaptive Policy

Flowchart showing how an automated defense reacts in both peacetime and wartime.

Another automation strategy would utilize machine learning to identify the pattern of the attacking agent’s traffic, create a filter on the fly and block DDoS traffic with no advance configuration or manual intervention. This approach is known as Zero-Day Attack Pattern Recognition (ZAPR), and can:

  1. Analyze incoming traffic.
  2. Identify common methods, or attack vectors, of malicious traffic.
  3. Automatically generate a custom filter to quickly block attacks with surgical precision.

A10 Networks’ Zero-Day Attack Pattern Recognition (ZAPR)

Diagram showing how Dynamic Attack Pattern Recognition works

Finally, defense systems can use IP reputation intelligence to block DDoS agents that are reused across attacks, known as DDoS weapons.

For example, A10 Networks’ DDoS weapons intelligence map class-list feed has identified more than five million open DNS resolvers with amplification payloads and upwards of 21 million DDoS weapons at the time of writing.

A10 Networks' real-time map of DDoS weapons and other threats

Together, those detection and mitigation strategies create an in-depth defense that’s capable of protecting both users and services.

Diagram showing the components of multi-modal defense

How Companies Can Defend Against DNS Attacks

So far, we’ve covered the main goals of DDoS defense, as well as the multi-modal strategies that can be used to achieve them. But what can companies do to protect themselves against DNS attacks in particular?

There are a number of viable defense strategies that can be used to protect against every type of DNS attack, including these categories:

These defensive measures can then be applied to the vast variety of DNS DDoS attacker strategies.

Diagram showing how defense systems use ZAPR to protect from various types of DDoS attacks

With many of those attack types, a pattern can also be extracted and applied to defend more effectively against similar attacks in the future.

Let’s take a look at how a finished DNS DDoS defense system will process incoming traffic.

Diagram showing how a DNS mitigator processes incoming traffic

To protect against UDP floods, the DNS-UDP port type will drop all UDP floods that are not valid DNS requests.

To protect against spoofed DNS floods, the defense system will require source authentication. This means that it will drop the first DNS request from a source, and if the same request arrives again within a certain amount of time, the source will be marked as “authenticated” (a spoofed source never sees the drop and so never retries). Alternatively, the system can force the session to switch to TCP.

To protect against water torture attacks, like those exhibited by the Mirai IoT malware, the defense system will only allow valid FQDNs. It does this by configuring a list of known, valid domains and rejecting any fake domains during the attack period. The list can be built either manually, from a predefined list, or dynamically, with a DNS zone transfer to the mitigation appliance.

To protect against overwhelming amounts of legitimate-looking queries, the defense system will enforce a query rate limit for each individual requester. This can be an overall DNS query rate limit or a per-FQDN query rate limit.
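As an added example, not A10's code or any product's implementation, here is a toy mitigator that applies the four checks above to individual UDP datagrams arriving on the DNS port: it parses the DNS question (dropping anything that is not a DNS query), authenticates a source by its retry, rejects names outside an allowlist, and enforces a per-source query rate limit. The allowlist contents, the retry window and the rate limit are assumed values.

```python
import struct
from collections import defaultdict
VALID_FQDNS = {"example.com.", "www.example.com."}  # constructed allowlist (the zone's names)
AUTH_WINDOW = 2.0  # assumed: seconds within which a retried query authenticates its source
SRC_LIMIT = 5      # assumed: queries per second allowed from one source

def parse_qname(payload):  # question name of a DNS query, or None if it is not one
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit set (a response) or not exactly one question
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n > 63 or pos + 1 + n > len(payload):  # bad label length: not a real query
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 5 > len(payload):  # need the terminating zero plus QTYPE and QCLASS
        return None
    return ".".join(labels).lower() + "."

def build_query(qname, qid=0x1234):  # minimal DNS A query, used only to build sample traffic
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + name + b"\x00\x00\x01\x00\x01"

class DnsMitigator:
    def __init__(self):
        self.pending = {}                 # (src, qname) -> time of the first, dropped query
        self.authenticated = set()        # sources that retried within AUTH_WINDOW
        self.history = defaultdict(list)  # source -> query timestamps in the last second
    def _over_limit(self, src, now):
        self.history[src] = [t for t in self.history[src] if now - t < 1.0] + [now]
        return len(self.history[src]) > SRC_LIMIT
    def process(self, src, payload, now):  # verdict for one UDP datagram on the DNS port
        qname = parse_qname(payload)
        if qname is None:
            return "drop:not-dns"         # UDP flood traffic that is not a DNS request
        if src not in self.authenticated:  # drop the first query; a spoofed source never retries
            first = self.pending.get((src, qname))
            if first is None or now - first > AUTH_WINDOW:
                self.pending[(src, qname)] = now
                return "drop:unauthenticated"
            self.authenticated.add(src)
        if qname not in VALID_FQDNS:
            return "drop:invalid-fqdn"     # water-torture style random subdomain
        if self._over_limit(src, now):
            return "drop:source-rate"
        return "forward"
```

A real appliance would also expire authenticated sources and the pending table, and would take the allowlist from a zone transfer rather than a literal set.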

To wrap things up, let’s examine five ways companies can achieve DNS resilience:

  1. Over-provisioned DNS: Expensive, complex and difficult to scale
  2. Commercial resilient DNS server: Lacks protection from volumetric attacks
  3. Cloud DNS: A pay-per-query system can result in companies being charged for DDoS attacks
  4. DDoS protection: This option is scaled for query performance
  5. Resilient DNS system: DDoS and DNS defense solutions work together to provide robust protection that’s scaled to the size of the DNS database.

Diagram showing the five ways companies can achieve DNS resilience

While all five choices are feasible, a resilient DNS system is by far the most far-reaching and comprehensive.

Although DNS services are certainly vulnerable, it is possible to protect them against all types of DDoS attacks, no matter how aggressive.

At a recent webinar, Don Shin and Jian Liu of A10 Networks came together to discuss the nuts and bolts of DNS DDoS protection. To learn more, watch the full webinar here.


July 11, 2019

About Donald Shin

Don has over 15 years of experience in the networking and security industries. Prior to A10, Don worked in a variety of roles in R&D, product management and marketing focused on network security, security efficacy testing, semiconductors and cloud security. He is passionate about helping customers improve their security posture and speaks frequently at security conferences.