Revealing Adversary Methodology
In addition to using a multitude of DDoS attack vectors, threat actors also employ various attack methodologies against targeted organizations. For example, DNS query floods were first observed in the wild in 1997, but since that time they have evolved, with varieties of DNS water torture attacks (floods of DNS queries for nonexistent records) becoming commonplace. When carpet-bombing attacks—in which entire networks are targeted instead of just specific hosts on those networks—first debuted in 2017, ASERT researchers quickly issued mitigation guidance to customers and the operational community.
Carpet-Bombing Deep Dive
A sudden resurgence in carpet-bombing attacks prompted our researchers to investigate this tactic, and since the first week of 2023, we observed a 55 percent increase in daily carpet-bombing attacks, from an average of 468 per day to 724 per day. It should be noted that these figures are conservative and are based on high-impact attacks on ISP networks. Given the nature of these attacks—adversaries intentionally spreading traffic to multiple hosts, thus decreasing bandwidth rates and avoiding traffic threshold alerts—it is highly plausible these numbers are an order of magnitude lower than the actual number of carpet-bombing attacks present on the internet.
Carpet-Bombing Attacks: A Breakdown
ATTACK METRICS
Average Attacked IPs & Prefix
Maximum Attacked IPS & Prefix
Average Attacking Source IPs & Prefix
Maximum Attacking Source IPs & Prefix
Average Attack Duration (Minutes)
Maximum Attack Duration (Minutes)
Because carpet-bombing attacks are designed to target a broad network footprint, it is no surprise that wired and wireless telecommunications and cloud hosting providers bear the brunt of these attacks as they spread across their networks. Most of the reflectors/amplifiers used to launch these attacks are sourced from the very same networks they target.
DNS amplification features most prominently in carpet-bombing attacks, but perhaps slightly more surprising is that STUN amplification is a close second. That is, until we realized that STUN is necessary for Webtrp-based VoIP and video communications leveraged by services such as FaceTime, Skype, and Teams. This means that, like DNS responses, it cannot be filtered wholesale at the network edge.
Previously, carpet-bombing attacks were almost always univector UDP reflection/amplification attacks. In the last 18 months, however, we have observed an uptick in the use of TCP reflection/amplification with carpet-bombing attacks.
DNS Query (Water Torture) Flood Deep Dive
Although application-layer protocols such as HTTP(S), Quick UDP Internet Connections (QUIC), Session Initiation Protocol (SIP), and others receive the lion’s share of attention in most discussions of internet traffic, the control plane of the internet—the glue that holds it together and facilitates global end-to-end communications—often is overlooked. And yet, without the functionality DNS servers provide, the network of networks that comprise the global internet wouldn’t function.
What is the glue that holds it all together? The Domain Name System, or DNS, which serves as the internet’s address book, mapping (mostly) human-friendly names into IP addresses so that devices, applications, and services know where to send packets.
Since 1997, attackers have been launching attacks against DNS servers to disrupt applications and devices. After all, if the name of a website, online game service, or streaming video provider can’t be resolved, the effect is the same as if the actual service itself has been successfully attacked. This is also the case with key enterprise properties such as corporate web servers, collaboration services, and VPN concentrators: If an enterprise’s authoritative DNS servers are successfully disrupted, the entire organization is, for all practical purposes, unreachable. Unfortunately, many organizations fail to include DNS servers in their DDoS defense plans.
What is a DNS Query Flood?
Most attacks against DNS servers consist of floods of DNS queries intended to overload the servers and render them unable to provide name-resolution services for legitimate users. These DNS query floods can potentially target any sort of DNS record in the domain under attack, but the most effective attacks involve high rates of queries per second (qps) for nonexistent DNS records. Not only do they directly consume the capacity of attacked DNS servers to answer legitimate queries, but they also cause targeted DNS servers to generate (in the case of authoritative DNS servers) or forward (in the case of recursive DNS servers) negative responses indicating that the records being queried don’t exist. This greatly increases the load placed on DNS servers subjected to DNS query-flooding DDoS attacks, making the attacks even more effective.
What is DNS Water Torture?
Beginning in 2009, a particularly effective methodology for generating DNS query-flood DDoS attacks was increasingly observed in the wild. In these DNS “water torture” attacks, pseudorandom-generated DNS labels are either prepended to extant DNS records or are substituted for a label in a DNS record. Dictionary-driven label-substitution attacks, which rely on dictionaries of plausible-seeming but ultimately nonexistent DNS labels that can be substituted for legitimate labels, are less prevalent but can be even more challenging for unprepared defenders to counter.
Historically, a significant proportion of DNS query floods were spoofed, but the reduction in spoofable network address space, revealed in our 2H 2022 report, has made this more difficult to accomplish. Increasingly, attackers are reflecting DNS water torture attacks via the same abusable open DNS recursors that are leveraged in DNS reflection/amplification attacks, which offer the benefit of obfuscating the actual IP addresses of the DDoS botnets and attack harnesses used to generate these attacks.
DNS Attack Analysis
DNS water torture attacks rose from an average of 144 daily attacks at the start of 2023 to 611 at the end of June, marking a nearly 353 percent increase in only six months. The highest-impact attack involved ~89.4 million queries per second (mqps), a 51.1 percent increase in attack impact over the same period in 2022. A decrease took place at the start of 2023, but our observations indicate that these attacks were once again on the rise toward the end of 1H 2023. This indicates that although variability in attacker motivations leads to some seasonal variations in targeting, DNS water torture attacks inevitably climb back up and continue to remain high-impact attacks that are highly disruptive to organizations unprepared to defend their DNS infrastructure.
DNS Attacks: A Breakdown
On a regional basis, EMEA received most attacks, with North America and Asia-Pacific in second and third place, respectively.
The wireline and wireless broadband access ISP/cloud/VPS/hosting/colocation, and insurance sectors were especially hard-hit by DNS water torture attacks during the first six months of 2023.
Given the diversity of attacked industries, it appears that both ideologically motivated threat actors and DDoS extortionists intent on monetary gain attack DNS servers to cause disruption to the online properties and activities of organizations in their crosshairs.
Worse, the increasing prevalence of well-known open DNS recursive services as sources in these attacks is concerning and may indicate that adversaries are intentionally trying to smuggle traffic past network operators responsible for securing DNS resources. Not only does that present more sophisticated adversaries, but DNS water torture attacks reflected through these services are more challenging for defenders to mitigate due to the intermingling of attack traffic with genuine DNS queries originating from legitimate sources. It is imperative that organizations ensure their authoritative and recursive DNS infrastructure is included in DDoS defense plans and reviewed regularly.