Use Case

Defending Your Local DNS Infrastructure

Defending the DNS Infrastructure

Domain Name System Protocol

What is DNS?

The DNS (Domain Name System) protocol is a critical part of the Internet’s control plane, providing name resolution and supporting other capabilities that are taken for granted, such as load balancing and Internet traffic management. The availability of DNS is key for anyone providing services or content across the Internet; if the DNS infrastructure is unavailable or slow, the user experience is impacted to the point of “no internet service”.

The Challenge

A good example of the devastating effects an attack targeting DNS infrastructure can have is the well-publicized Mirai botnet campaign against DYN at the end of 2016.

DYN, now a part of Oracle, was a provider of DNS services to a number of well-known Internet brands, and when its infrastructure was hit by a number of massive DDoS attacks in a very short period of time, millions of users could no longer reach the web services of those brands.

Although the DDoS attacks did not target the web servers and infrastructure of the affected companies directly, the hostnames in their URLs could not be resolved into IP addresses. As a result, and for all practical purposes, these websites were not reachable by users and appeared to be down.

The attack against the DYN DNS infrastructure used an application-layer DDoS vector known as “water torture”, in which the Mirai botnet generated DNS queries for millions of random nonexistent hosts such as aaaa.Netflix.com, bb.Netflix.com, ccccc.Netflix.com and so on. This put a huge load on the authoritative DNS infrastructure, in this case provided by DYN, causing it to become unavailable for genuine user queries.

According to findings in the NETSCOUT DDoS Threat Intelligence Report for the second half of 2022, DNS query flood (DNS water torture) attacks are one of the vectors of choice for today’s attacker. Many malicious actors employ this vector to disrupt an organization’s communication. In the world of human torture, water torture consisted of pouring drops of water on a person’s forehead over a period of time. The drops were purposely timed unevenly so that the victim could not anticipate when the next one would hit. This impaired their mental capacity and eventually led to a level of psychosis.

Digitally, instead of random water drops, attackers launch DNS water torture attacks (also known as NXDOMAIN, DNS flood, or DNS exhaustion attacks) consisting of queries for many random nonexistent subdomains, designed to exhaust the DNS server infrastructure (e.g. DNS resolvers and authoritative name servers). Understandably, the DNS server cannot find IP addresses for these names because they do not exist, so it submits recursive requests up the DNS hierarchy until it reaches the authoritative server for the target domain. Because the subdomain does not exist, the authoritative server sends back a “nonexistent domain” (NXDOMAIN) response, and an entry for it is put into the cache. The cache is designed so that if another request for the same name arrives, the response time for the user is reduced. The time-to-live (TTL) describes how long a DNS record may be returned from the cache. In this context, TTL is a numerical value set in a DNS record on the authoritative name server for the domain.

It defines the number of seconds that a caching server can serve its cached value for the record. When that number of seconds has passed since the last refresh, the caching server reaches out to the authoritative server again and receives the current, and possibly changed, value for the record. The same entry is added to the DNS resolver’s cache. By employing a botnet, the nonexistent-domain requests can be multiplied until the DNS server’s cache fills with NXDOMAIN entries and it can no longer resolve legitimate DNS requests, essentially cutting off services to legitimate users and customers.
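As an added example, not part of the original document or of any NETSCOUT product, the following Python snippet shows how the random-subdomain NXDOMAIN pattern described above can be spotted in resolver query logs: it counts, per client and zone, how many answers were NXDOMAIN and how many distinct leftmost labels those answers carried, so a flood of unique nonexistent names stands out while a repeatedly mistyped hostname does not. The log format, the zone heuristic and the thresholds are assumptions for illustration, and the log lines are constructed.

```python
# Added example: flag the random-subdomain NXDOMAIN ("water torture") pattern
# in resolver query logs. Log format, zone heuristic and thresholds are assumed.
# Constructed log format: <unix_ts> <client_ip> <qname> <rcode>
from collections import defaultdict

CONSTRUCTED_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000000 10.0.0.9 aaaa.example.com NXDOMAIN
1700000000 10.0.0.9 bb.example.com NXDOMAIN
1700000001 10.0.0.9 ccccc.example.com NXDOMAIN
1700000001 10.0.0.9 x7q2k.example.com NXDOMAIN
1700000002 10.0.0.9 p0v9z.example.com NXDOMAIN
1700000002 10.0.0.9 m3n4b.example.com NXDOMAIN
1700000003 10.0.0.9 www.example.com NOERROR
1700000003 10.0.0.7 typo.example.com NXDOMAIN
1700000004 10.0.0.7 typo.example.com NXDOMAIN
"""

def zone_of(qname, depth=2):
    """Approximate the targeted zone as the last `depth` labels of the name."""
    return ".".join(qname.rstrip(".").lower().split(".")[-depth:])

def summarize(log_text):
    """Per (client, zone): total queries, NXDOMAIN answers, distinct leftmost labels."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "labels": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        s = stats[(client, zone_of(qname))]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["labels"].add(qname.lower().split(".")[0])
    return stats

def flag_water_torture(log_text, min_queries=5, nx_ratio=0.8, unique_ratio=0.9):
    """Flag sources whose queries to a zone are mostly NXDOMAIN and almost never
    repeat a label; repeated NXDOMAINs for one mistyped name do not match."""
    flagged = []
    for (client, zone), s in summarize(log_text).items():
        if s["total"] < min_queries or s["nx"] == 0:
            continue
        if (s["nx"] / s["total"] >= nx_ratio
                and len(s["labels"]) / s["nx"] >= unique_ratio):
            flagged.append((client, zone, s["total"], s["nx"], len(s["labels"])))
    return sorted(flagged)

if __name__ == "__main__":
    for row in flag_water_torture(CONSTRUCTED_LOG):
        print("suspect client=%s zone=%s queries=%d nxdomain=%d distinct_labels=%d" % row)
```

In production the same counters would be kept per time window and compared against a per-zone baseline rather than fixed thresholds.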

The Importance of Application-Layer Visibility

The water torture technique detailed above was employed in the DYN attack using a low-volume application-layer methodology. Having the ability to quickly detect, analyze, and mitigate application-layer threats to DNS infrastructure availability requires on-premise always-on edge protection.

The Solution

To defend against DDoS attacks targeting DNS services at the enterprise level, it is key to quickly detect any kind of DNS attack vector before it reaches your on-premise DNS infrastructure. This is especially true for application-layer attacks, since they mimic legitimate traffic and are frequently under 1 Gbps in volume. The research in the NETSCOUT Threat Report referenced above indicates that, in general, 72% of all DDoS attacks are under 1 Gbps. Such attacks fall into a low-priority category for upstream DDoS protection providers and may go unmitigated because they are perceived to cause only minor collateral damage, when in reality they can be exceptionally disruptive to small enterprises. The same can be true of on-premise security devices that are not purpose-built to understand DNS attack methodology. Additionally, these attacks have been encountered as one facet of the new dynamic multi-vector intrusions being employed to defeat defenses within the upstream and local security infrastructure.

NETSCOUT provides Adaptive DDoS protection to block dynamically changing DDoS attacks, including those that may have evaded existing defenses, using a repeating closed-loop analysis that employs a patent-pending machine learning-based algorithm to prepare recommendations and countermeasures, adapting defenses to efficiently stop these evolving attacks. Having on-premise, always-on, purpose-built DDoS protection with proven DNS mitigation capabilities at the edge of your network, in front of local DNS servers, augments DNS protection efforts and is required to stop these attacks.

Summary

By leveraging NETSCOUT’s technologies, expertise, and experience in protecting the worldwide DNS infrastructure, enterprises can count on having the internet “always on,” keeping customers and stakeholders connected.