Protecting DNS From DDoS Attacks

I’m happy to be writing my first – of hopefully many – blog posts for A10 Networks. I’m a principal engineer working to help define, develop and evangelize A10’s DNS-focused solutions. The exciting part of this role is to see how A10’s high-performance platform can be leveraged to build innovative DNS solutions.

Today, I’d like to focus on A10’s high-scale DDoS defense for DNS services, which uses the protection and filtering capabilities of the A10 Thunder TPS platform. As you’ll read, it’s an important topic. Here we go.

DNS Is Critical Infrastructure

First, let’s state the somewhat obvious: the Domain Name System (DNS) is a key service for every internet player: infrastructure providers, application owners and internet users.

In its simplest form, DNS is like a phone book for the internet: it matches the website name a user is seeking to the correct IP address. For example, the domain name syncs with that website’s IP address to deliver the site requested. DNS eliminates the need for web users to remember a website’s cumbersome IP address, which in this example is

It’s estimated that there are more than 300 million domain names keeping billions of internet users connected. And the internet wouldn’t work without it.

The problem is that DNS has a lot of moving parts, which makes it an attractive target for attackers and something organizations must protect.

Think about it: as an application owner, your investment in web and database service availability can be side-stepped by attacks on DNS infrastructure. A distributed denial of service (DDoS) attack on your DNS infrastructure could render your website or your applications completely unreachable, even while the servers behind them are perfectly healthy. That’s a major fail.

That is why attackers target DNS servers: the fallout can be catastrophic. For a smart threat actor, a small amount of work can cause a heck of a lot of damage.

That’s why it’s increasingly important for network operators to adequately defend their DNS infrastructure against DDoS attacks, lest they suffer the consequences.

Recursive vs. Authoritative DNS Servers

Protecting DNS from DDoS attacks starts with understanding the two types of DNS servers: recursive and authoritative.

Recursive DNS servers (resolvers) find the IP address for the domain name a host asks about, querying other DNS servers on the host’s behalf and caching the answer for later requests. It’s like calling the telephone operator (you know, like in the dark ages) and having them look up the number for you from various sources. Recursive servers are the helpers.

Authoritative DNS servers hold the zone data for a domain and answer the recursive servers with the name-to-IP mappings for the intended website. Think of an authoritative DNS server as the source of truth: it holds the records and hands them to whichever recursive DNS server asks.

DNS as an Attack Target

DNS can be targeted for covert resource usage or data exfiltration, but the biggest threat is DDoS. If DNS is imperative for your application or website to work, knocking DNS services offline is a deathblow.

Generating a DDoS attack against DNS infrastructure is relatively simple: an attacker sends queries that look like those of legitimate users, and the servers dutifully try to answer them. Done at volume, often from a botnet, this overwhelms the DNS service.

The most common types of attacks against DNS infrastructure are network floods and resource exhaustion. In both, an attacker targets a DNS server and overwhelms it with seemingly legitimate traffic, hampering its ability to process genuine requests.

Because answering a DNS query can require real work (a cache miss means the resolver must go out and walk the delegation chain before it can reply), DNS presents opportunities for attacks that exhaust server resources as well as ones that simply saturate bandwidth. Additionally, the source addresses of DNS queries are easily spoofed because DNS normally runs over UDP, which has no handshake, and spoofed traffic is difficult to tell apart from genuine traffic. DNS servers can be further strained by queries for domain names that don’t exist, since every such query is a guaranteed cache miss that must be resolved all the way to the authoritative server before an NXDOMAIN answer can be returned.

DNS is also subject to amplification attacks, because a response can be many times larger than the query that triggered it, and to reflection attacks that bounce spoofed queries off the millions of unsecured open DNS resolvers on the internet.

For example, an attacker can send a 60-byte query that elicits a 6,000-byte response, an amplification of roughly 100x. When such queries are repeated at a high rate with the source IP address spoofed, or sent from co-opted agents, the result can be a massive DDoS attack that overwhelms the DNS service (or, in a reflection attack, the victim whose address was forged).
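To make the size disparity concrete, here is an added example (it is not from the post and not A10’s code) that builds a minimal DNS query in wire format, computes the amplification factor for a given response size, and then scans a constructed set of query/response size records to pick out the sources pulling high-ratio responses. The record format, the thresholds and the sample sizes are assumptions for illustration only.

```python
import struct
from typing import Optional

# Record type codes from RFC 1035 / RFC 6891. ANY has historically produced the largest answers.
QTYPE_A = 1
QTYPE_OPT = 41
QTYPE_ANY = 255


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234,
                edns_udp_size: Optional[int] = 4096) -> bytes:
    """Build a one-question DNS query. When edns_udp_size is given, an EDNS0 OPT pseudo-record
    tells the server the client accepts large UDP responses, which is exactly what an amplifier
    wants: a tiny request that unlocks a multi-kilobyte reply."""
    arcount = 1 if edns_udp_size is not None else 0
    # Header: ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags (zero here), RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def amplification_factor(query: bytes, response_len: int) -> float:
    """Bandwidth amplification = bytes the reflector sends out / bytes the attacker had to send."""
    return response_len / len(query)


# Constructed records of (source IP, qtype, query bytes, response bytes) as a resolver might
# log them. The sizes are illustrative, not measurements.
SAMPLE_FLOWS = [
    ("203.0.113.5", QTYPE_ANY, 40, 3200),
    ("203.0.113.5", QTYPE_ANY, 40, 3200),
    ("203.0.113.5", QTYPE_ANY, 40, 3200),
    ("198.51.100.7", QTYPE_A, 29, 45),
    ("198.51.100.7", QTYPE_A, 31, 47),
]


def suspicious_sources(flows, min_factor: float = 10.0, min_queries: int = 2):
    """Sources whose average response/query byte ratio is high across several queries.
    In a reflection attack the 'source' is the spoofed victim, so this list is what a
    resolver operator would rate limit or challenge, not simply treat as the attacker."""
    totals = {}
    for src, _qtype, qlen, rlen in flows:
        q, r, n = totals.get(src, (0, 0, 0))
        totals[src] = (q + qlen, r + rlen, n + 1)
    return sorted(src for src, (q, r, n) in totals.items()
                  if n >= min_queries and r / q >= min_factor)


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    print(len(q), "byte query;", amplification_factor(q, 6000), "x at a 6,000-byte reply")
    print("high-ratio sources:", suspicious_sources(SAMPLE_FLOWS))
```

On the wire each query also carries 20 bytes of IPv4 and 8 bytes of UDP header, so the 40-byte DNS payload becomes a 68-byte packet, in line with the 60-byte figure above; a 6,000-byte answer is then close to two orders of magnitude more than the attacker transmitted, and because nothing in the exchange verifies the source address, the reflector will happily send it to whoever the attacker named.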

Network admins are challenged to implement DNS defenses that can distinguish legitimate users from attacking agents to block nefarious activity and ensure smooth operation without disruption. That’s where A10 Thunder TPS comes in.

How A10 Helps

Thunder TPS provides surgical multi-vector DNS DDoS protection to ensure the availability of business services at any scale. Thunder TPS delivers mitigation for general network attacks along with protection for DNS-specific vectors. Translation: Thunder TPS protects your network, applications and your DNS servers from those colossal DDoS attacks you’ve been reading about.

How does it do this? Thunder TPS offers source- and destination-based filtering and limits, invalid and malformed packet detection, and mitigation mechanisms that automatically escalate from a peacetime policy through multiple levels of DDoS mitigation policy.

And when it comes to DNS-specific vectors, Thunder TPS protects on multiple fronts.

It rate limits random query names. The random query name category covers a number of DNS-specific attacks, including Water Torture (random subdomain) and Phantom Domain attacks, which are among the most common and problematic types of DNS attacks. These are particularly effective against the DNS caching appliances deployed to increase performance, because a name that has never been seen before can never be served from cache.

Thunder TPS features UDP- and TCP-based query authentication mechanisms that let it automatically identify and mitigate sources of malicious traffic.

Thunder TPS also restricts costly queries with limited practical utility, and it rate limits queries per domain or per DNS record type. This matters because it prevents an attacker from hammering one domain name with queries in order to bring down the whole DNS server farm and cause collateral damage to every other domain it serves. Some of A10’s hosting and DNS registrar customers have seen attackers go so far as to buy a few nonsensical domain names from the provider under a bogus company name, then hit those domain names to cause the collateral damage.
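As an added example covering both the random query name defense and the per-domain and per-record-type rate limits described above (this is illustrative code written for this page, not A10’s or Thunder TPS’s implementation), the following scores a query log for the Water Torture pattern and then applies token-bucket limits keyed by zone and by query type. The log format, the protected zone list, the thresholds and the bucket rates are all assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed query log, one query per line: timestamp, source IP, qname, qtype, rcode.
# Not taken from any real resolver. The random labels under example.com mimic a water-torture run.
SAMPLE_LOG = """\
2017-08-28T10:00:00 198.51.100.7 www.example.com A NOERROR
2017-08-28T10:00:00 203.0.113.9 k2x9qv7p.example.com A NXDOMAIN
2017-08-28T10:00:00 203.0.113.9 zq81mw3a.example.com A NXDOMAIN
2017-08-28T10:00:00 203.0.113.9 p0v4hn2r.example.com A NXDOMAIN
2017-08-28T10:00:00 203.0.113.9 b7t5ju9c.example.com A NXDOMAIN
2017-08-28T10:00:00 203.0.113.9 m4s2wd6e.example.com A NXDOMAIN
2017-08-28T10:00:01 192.0.2.33 example.com ANY NOERROR
2017-08-28T10:00:01 192.0.2.33 example.com ANY NOERROR
2017-08-28T10:00:01 192.0.2.33 example.com ANY NOERROR
"""

PROTECTED_ZONES = ("example.com", "example.net")  # assumed zones hosted on the server farm


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, qname, qtype, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype, rcode = line.split()
        records.append((datetime.fromisoformat(ts), src, qname.lower().rstrip("."), qtype, rcode))
    return records


def zone_of(qname, zones=PROTECTED_ZONES):
    """Longest protected zone that qname falls under, or None if we do not serve it."""
    matches = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(matches, key=len) if matches else None


def label_entropy(label):
    """Shannon entropy of a label in bits per character: generated junk scores high, words low."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def detect_random_subdomain(records, min_distinct=4, min_nxdomain_ratio=0.8, min_entropy=2.5):
    """Flag (src, zone) pairs querying many distinct, high-entropy names that do not exist."""
    stats = defaultdict(lambda: {"labels": set(), "n": 0, "nx": 0, "entropy": 0.0})
    for _ts, src, qname, _qtype, rcode in records:
        zone = zone_of(qname)
        if zone is None or qname == zone:
            continue  # not ours, or the zone apex itself (no subdomain label to score)
        label = qname.split(".")[0]  # leftmost label is where the generated part goes
        s = stats[(src, zone)]
        s["labels"].add(label)
        s["n"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        s["entropy"] += label_entropy(label)
    return sorted(key for key, s in stats.items()
                  if len(s["labels"]) >= min_distinct
                  and s["nx"] / s["n"] >= min_nxdomain_ratio
                  and s["entropy"] / s["n"] >= min_entropy)


class TokenBucket:
    """Bucket refilled at `rate` tokens per second up to `burst`; each query costs one token."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None

    def refill(self, now):
        if self.last is not None:
            elapsed = (now - self.last).total_seconds()
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now


def apply_rate_limits(records, zone_limits, qtype_limits):
    """Enforce per-zone and per-qtype budgets, each given as {name: (rate, burst)}. A query
    must fit every bucket it maps to, so one hammered domain or one costly record type
    cannot starve the rest. Returns {("zone", name) or ("qtype", type): dropped_count}."""
    buckets, dropped = {}, defaultdict(int)
    for ts, _src, qname, qtype, _rcode in records:
        keys = []
        zone = zone_of(qname)
        if zone in zone_limits:
            keys.append(("zone", zone))
        if qtype in qtype_limits:
            keys.append(("qtype", qtype))
        for kind, name in keys:
            limits = zone_limits if kind == "zone" else qtype_limits
            buckets.setdefault((kind, name), TokenBucket(*limits[name])).refill(ts)
        empty = next((k for k in keys if buckets[k].tokens < 1), None)
        if empty is not None:
            dropped[empty] += 1  # refused by the first exhausted bucket; no tokens consumed
            continue
        for k in keys:
            buckets[k].tokens -= 1
    return dict(dropped)
```

Run against the sample, `detect_random_subdomain` singles out 203.0.113.9 against example.com (five distinct eight-character labels, all NXDOMAIN), while `apply_rate_limits` with a 10-per-second, burst-5 budget for example.com and a 1-per-second, burst-2 budget for ANY drops one query under each limit; the legitimate www lookup at the start of the burst still gets through because it arrived before the budget was spent.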

Providing DDoS protection and mitigation is a key first component of operating a resilient DNS infrastructure. This was just a quick overview. If you’d like to learn more, we recently published a solution brief on this topic.

Read more about A10 Thunder TPS in our data sheet.


August 28, 2017

About Steve Hotz

Steve has over 25 years' experience in internet infrastructure technologies including DNS, routing, caching and load balancing. Prior to A10, Steve worked in R&D, product development and operations for companies managing critical network services. Steve serves as a Principal Engineer with a focus on defining, developing and evangelizing A10's DNS-focused solutions.