The DDoS Education Series Part 4/4: The Overwhelming Scope of DNS Floods
The first two instalments of this series covered TOS Floods and SYN Floods, while last time, we focused our attention on Ping Floods. This final instalment in the education series looks at DNS Floods, what differentiates them from other kinds of DDoS attacks, and how to mitigate the effects of this kind of DDoS attack.
What is a DNS Flood?
Understanding a DNS flood requires some background on the Domain Name System (DNS). Think of the internet as divided into areas, with DNS servers acting as the signposts that tell traffic where to go. Every online service relies on those servers translating the human-readable names that any of us might type into a browser's address bar (the domain name in a URL) into IP addresses, so that traffic is directed to where it is supposed to end up.
Like the other flooding attacks discussed in this series, a DNS flood involves sending a large volume of requests, more than the server can handle. Here the packets are spoofed and sent from a wide range of IP addresses, and the number of requests once again becomes overwhelming extremely quickly.
The difference between this kind of flood and the others, however, is that taking down just one DNS provider compromises many more websites and services. The most famous example is the 2016 attack on the Dyn DNS service. “By flooding Dyn, the attack prevented traffic from reaching Dyn’s customers, including Amazon, Etsy, GitHub, Shopify, Twitter and the New York Times” reported NetworkWorld.com.
What’s the Difference between a DNS Flood and a DNS Amplification?
A DNS Flood is not the same as a DNS Amplification attack. In an amplification attack, the attacker sends small DNS look-up queries with the source address spoofed to the target's IP, so that the much larger DNS responses are delivered to the target. The goal there is to exhaust the target's bandwidth.
While DNS amplification is asymmetric, a DNS flood is a symmetric DDoS attack. The server is bombarded with UDP requests until server-side resources such as CPU and memory are exhausted. These requests can be generated by scripts running on compromised botnet machines, often IoT devices.
In the case of Dyn, for example, the botnet was thought to be made up of close to 150,000 CCTV cameras; the default credentials left on such devices often make them simple for attackers to infect.
The Risks a DNS Flood Exposes
Studies have suggested that a single DDoS attack such as a DNS Flood can cost a company as much as $1.6 million once detection, mitigation and customer churn are taken into account. It is also one of the top five reasons companies feel the need to hire new staff, expanding their IT department to deal with the threat.
A DNS Flood is extremely effective at what it sets out to do: it quickly exhausts the DNS server's resources and brings it down entirely. With it goes the victim's internet access, and every site the server hosts. Customers lose either complete internet access or access to the sites hosted on the CSP network.
The fear with DNS Flood attacks is the increasing scale and complexity which we are seeing. Raymond Pompon calls DNS the Achilles heel of the internet. “DNS is too important to do without, but it’s difficult to defend. This makes DNS services an excellent target for attack.”
How to Mitigate a DNS Flood
The alarming new wave of flooding attacks is also connected to the Internet of Things (IoT). More “everyday devices” worldwide are connected than ever before, and your security services need to be built with that in mind. Your solution should guard your network thoroughly against IoT-connected devices that are acting in any unusual way, alerting you to malfunction or misuse long before you become a vehicle for cyber-crime. You can then automate control over the network access your devices are allowed, keeping track of IoT behavior at the same time.
Any extensive solution should also provide surgical mitigation of any volumetric attack that may arise, allowing DDoS threats to be caught immediately, in real time, and neutralized before they have the chance to affect your network or quality of service. This allows legitimate traffic to be routed seamlessly, protects your network infrastructure and prevents your ISP domain from being blacklisted, avoiding reputational damage.
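The two patterns this article contrasts, a symmetric flood of small queries from many spoofed addresses versus the asymmetric, large-response pattern of amplification, and the real-time detection a mitigation solution needs, can be illustrated on a DNS server's query log. The following is an added example written for this article; it is not code from the original post or from any DDoS protection product. The log format, the per-second thresholds and the IP addresses (taken from documentation ranges) are all assumptions constructed for the demo, and real thresholds would be far higher than these toy values.

```python
from collections import defaultdict

# Constructed sample log, not real traffic. Assumed line format for this demo:
#   <epoch_second> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
def build_sample_log():
    lines = []
    # second 100: a handful of ordinary lookups from a few clients
    clients = ["192.0.2.10", "192.0.2.11", "192.0.2.10", "192.0.2.12", "192.0.2.11"]
    for i, ip in enumerate(clients):
        lines.append(f"100 {ip} host{i}.example.com A 52 118")
    # second 101: flood pattern - many small queries, each from a different (spoofed) source,
    # so the cost lands on the server's CPU and memory rather than on anyone's bandwidth
    for i in range(40):
        lines.append(f"101 198.51.100.{i + 1} www.example.com A 60 76")
    # second 102: reflection pattern - one "source" (the spoofed victim) asking for large
    # answers, so this server would be sending far more bytes out than it receives
    for _ in range(30):
        lines.append("102 203.0.113.9 example.com ANY 64 3200")
    return lines


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, ip, qname, qtype, qbytes, rbytes = line.split()
    return {
        "second": int(ts),
        "src": ip,
        "qname": qname,
        "qtype": qtype,
        "query_bytes": int(qbytes),
        "response_bytes": int(rbytes),
    }


def analyse(lines, rate_threshold=20, source_threshold=20, amp_threshold=10.0):
    """Return one verdict dict per second of log.

    rate_threshold   - queries/second above which the second is examined further
    source_threshold - distinct source IPs in that second that mark a flood
    amp_threshold    - response_bytes/query_bytes ratio that marks reflection abuse
    """
    per_second = defaultdict(
        lambda: {"queries": 0, "sources": set(), "query_bytes": 0, "response_bytes": 0}
    )
    for line in lines:
        rec = parse_line(line)
        bucket = per_second[rec["second"]]
        bucket["queries"] += 1
        bucket["sources"].add(rec["src"])
        bucket["query_bytes"] += rec["query_bytes"]
        bucket["response_bytes"] += rec["response_bytes"]

    findings = []
    for second in sorted(per_second):
        bucket = per_second[second]
        amp = bucket["response_bytes"] / bucket["query_bytes"] if bucket["query_bytes"] else 0.0
        if bucket["queries"] < rate_threshold:
            verdict = "normal"
        elif len(bucket["sources"]) >= source_threshold:
            verdict = "flood"          # symmetric: many sources, small packets, server resources exhausted
        elif amp >= amp_threshold:
            verdict = "reflection"     # asymmetric: this server is being used to amplify against one address
        else:
            verdict = "elevated"       # high rate but no clear pattern; worth a closer look
        findings.append({
            "second": second,
            "queries": bucket["queries"],
            "sources": len(bucket["sources"]),
            "amp_factor": round(amp, 1),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(build_sample_log()):
        print(finding)
```

Running the script prints three findings: second 100 is normal, second 101 is flagged as a flood (40 queries from 40 distinct sources with a byte ratio near 1), and second 102 is flagged as reflection (30 queries from a single address with a response-to-query ratio of 50). A production detector would read a rolling window rather than whole seconds and feed the verdicts into rate limiting or scrubbing, but the three counters used here (query rate, distinct sources, bytes out versus bytes in) are the ones that separate the two attack shapes the article describes.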
Missed any of the articles in our DDoS Education Series? Check out the archives here.