Defending Against DDoS Attacks

Distributed denial of service (DDoS) attacks targeting the DNS increase in volume every year. The DNS is a mission-critical network service, and organizations, particularly service providers, cannot afford to have their customers down or their internet servers unavailable. The impact of today's DNS DDoS attacks includes lost revenue, lost customers and brand damage. Defending against DDoS attacks that target the DNS requires a highly available, attack-resistant DNS infrastructure.

Types of DNS DDoS Attacks

There are many different types of DNS DDoS attacks, but the most common that are specific to the DNS include:

  • Direct floods
  • Reflected, amplified floods
  • DNS application attacks

Direct Floods

This type of attack occurs when a large number of bots make more requests of the DNS server than it can handle. This causes the DNS server to drop inbound DNS requests (in the case of UDP), or refuse to establish new connections (in the case of TCP), thus achieving a denial-of-service condition for legitimate users.

Reflected, Amplified Floods

Reflected floods send specially crafted queries to other DNS servers on the internet with the victim's spoofed source IP address. The victim receives a barrage of query responses that can overwhelm the server. In a reflected, amplified flood, the queries are crafted so that the response is much larger than the query, resulting in a torrent of large DNS responses being sent to the victim, usually with the goal of consuming all available network bandwidth and making the victim unreachable.

DNS Application Attacks

This type of attack attempts to exhaust a critical internal resource by sending carefully constructed queries to the victim. A Pseudo Random Subdomain (PRSD) attack is one example of a DNS application attack. In this attack, the victim resolver is sent queries for many fictitious, randomly generated subdomains of a valid internet domain. Because none of these names are in the cache, every query is forwarded to the domain's authoritative servers. First the authoritative servers are overwhelmed and go offline, and then the resolvers spend considerable CPU and network resources querying and retrying each of the authoritative servers for the valid domain. Some resolvers run out of CPU or network resources and are forced to drop incoming queries, causing a denial of service.
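One way a resolver operator can spot a PRSD attack in query logs is to count how many distinct, random-looking subdomain labels each registered domain receives inside a short time window. The following is an added example (not code from Secure64 or from this page); it assumes a simple "<epoch> <qname>" log format, a two-label registered domain (no public suffix list), and uses a constructed sample log in which example.net receives machine-generated labels while example.com sees normal traffic.

```python
import re
from collections import Counter
from math import log2

# Constructed resolver query log (assumed format "<epoch> <qname>", not a vendor format).
SAMPLE_LOG = """\
1700000000 www.example.com
1700000001 mail.example.com
1700000002 x7k2q9.example.net
1700000002 p0mz3w.example.net
1700000003 q4r8tb.example.net
1700000003 z91ka4.example.net
1700000004 lm3v0x.example.net
1700000004 hj8ws2.example.net
1700000005 www.example.com
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)$")

def shannon_entropy(label):
    # Bits per character; machine-generated labels score near log2(len(label)).
    n = len(label)
    return -sum(c / n * log2(c / n) for c in Counter(label).values()) if n else 0.0

def split_qname(qname):
    # (leftmost label, registered domain); assumes a two-label registered
    # domain, i.e. no public suffix list, which is sufficient for the sample.
    labels = qname.rstrip(".").lower().split(".")
    return (labels[0], ".".join(labels[-2:])) if len(labels) >= 3 else (None, None)

def detect_prsd(lines, window=60, min_distinct=6, min_entropy=2.5):
    # Flag domains receiving many distinct, high-entropy subdomain queries in
    # one time window. Returns {registered_domain: distinct_subdomain_count}.
    seen = {}  # (window_id, domain) -> set of leftmost labels
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, qname = m.groups()
        sub, domain = split_qname(qname)
        if domain:
            seen.setdefault((int(ts) // window, domain), set()).add(sub)
    flagged = {}
    for (_win, domain), subs in seen.items():
        mean_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_distinct and mean_entropy >= min_entropy:
            flagged[domain] = max(flagged.get(domain, 0), len(subs))
    return flagged
```

On the sample log, detect_prsd flags example.net with six distinct random labels and leaves example.com alone; the thresholds are starting points to tune against a baseline of normal traffic for each resolver.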

Defending Against DDoS Attacks

Organizations have historically used firewalls, routers, security devices such as IPS systems, or dedicated DDoS mitigation equipment to defend against DDoS attacks. But these solutions add cost, complexity and latency to the network and are only partially successful. Defending against DDoS attacks that target the DNS should be done with a self-protecting server that can find and mitigate the attacks itself, inside the DNS.

Self-protecting DNS servers

Secure64® DNS Authority and Secure64® DNS Cache are authoritative and caching servers that are purpose-built for security, are not based on BIND, and protect themselves from high-volume DNS DDoS attacks. The servers identify and block attack traffic while continuing to respond to DNS queries from legitimate sources. They use six levels of protection against DNS DDoS attacks.

The graph below shows the six levels of protection against DNS DDoS attacks found in Secure64 DNS Authority and DNS Cache. To learn more, download the Secure64 white paper, “Surviving DNS DDoS Attacks”.

[Figure: The Six Levels of Protection Against DNS DDoS Attacks in Secure64 Servers]

The IoT Drives DNS DDoS Attacks

The Internet of Things (IoT) is the long-awaited linking of smart devices to the internet so that they can send and receive data. Unfortunately, the IoT was built with virtually no security, which enables cyber criminals to use IoT devices to participate in massive DNS DDoS attacks. Device firmware is small, so adding security to it is a challenge.