For something so important, we take a lot of the services provided by Domain Name System (DNS) for granted. But DNS availability is critical for anyone providing services or content across the internet, and there have been a number of high-profile, high-impact attacks against DNS over the years. For example, the 2016 Mirai attacks against DNS service provider DYN impacted millions of users of services such as Netflix.
There are several types of common DNS attacks. The Mirai attackers used a distributed denial-of-service (DDoS) attack to make DNS unavailable. Using a technique known as Water Torture, the attackers used a botnet to generate DNS queries for millions of random hosts, putting a huge load on the DNS infrastructure and rendering it unavailable for genuine user queries.
Bad actors can also leverage DNS to attack third-party targets by using reflection or amplification attacks to generate large-scale volumetric attacks.
A DNS reflection/amplification attack uses a botnet to generate DNS queries using the source IP address of the intended DDoS victim. The DNS servers innocently send their large volume of responses back to the victim, creating traffic volume as much as 10 to 100 times higher than that generated by the original botnet. Once the limits on bandwidth for the network, server, or application are reached, the circuit becomes unavailable.
We recommend the following tactics to build a holistic defense strategy for defending against DNS DDoS attacks:
Current threat intelligence. Threat intelligence is a crucial tool for DDoS detection and mitigation. Security personnel and DNS administrators must not only be aware of the latest DNS exploits but also understand how the exploit works, and what it does to fully understand the impact on DNS infrastructure.
Regular audits. Proper maintenance is critical. Organizations must include DNS infrastructure in periodic, realistic tests of the organization’s DDoS mitigation plan, as well as regularly audit and properly configure DNS servers.
Network visibility. Companies must be able to quickly detect abnormal DNS traffic, including both application-layer and volumetric reflection/amplification DNS vector attacks. To accomplish this, you will need visibility and fast detection at Layer-3/4 and Layer-7 of the network.
Orchestrated mitigation. Companies can orchestrate multiple methods of mitigation, including their own network infrastructure, dedicated DDoS migration products, and for network operators, information sharing with other operators. By implementing such an orchestrated mitigation strategy, companies can strategically assign different methods of mitigation to different attack vectors.