The machines that cried wolf: DDoS against DNS

Now that we’ve done an overview of the most common attacks against DNS let’s take a closer look at each. We’ll start with DDoS, as it is the most commonly cited (and often misunderstood) threat to DNS security.

What is DDoS?

DDoS stands for “Distributed Denial of Service,” and simply means that attackers overload the target with faux traffic to cause a shutdown of services.

In these COVID-19-defined times, you may have experienced DoS yourself: if you’re a parent, the 207th time your children come up to you with questions you might not answer. The first 206 were nonsense queries. Surely this one is as well? Maybe not, but at this point, your kids have successfully executed a DoS attack on your attention.

DDoS is not suitable for sophisticated targeting or data theft. As a brute force technique, it’s simple and relies solely on its massive scale. As a consequence, while a service outage can be costly, the ramifications of a DDoS attack rarely go beyond that. (But of course, combining DDoS with other attack methods can complicate things.)

DDoS against DNS

While DDoS isn’t specific to DNS, DNS is just as exposed to it.

DDoS can target any of the 7 levels of the OSI model. (Although the lower the layer, the more complex DDoS efforts become.) DNS is in Layer 7, as it’s an application (using the TCP/IP stack of Layer 4).

But because DNS is a critical part of the networking infrastructure, and inherently designed to be open and accessible by everyone, it’s a prime target for a DDoS attack -- and a successful attack can debilitate, through the DNS, the entire network.

The most common DDoS variants that target DNS are:

• flood attack: targets the network with queries prefixed with the target domain, causing network overload
• NXDomain (random subdomain) attack: targets authoritative nameservers with lookups for non-existent subdomains, causing the nameserver to drop legitimate queries
• protocol attack: targets the DNS server with malformed packets, causing extra processing load
• amplification: uses recursive DNS resolvers to amplify fake queries, causing the target to overload

Flood attacks are the odd one out in the list, as they’re targeting Layer 4 (the transport mechanisms themselves) instead of DNS on Layer 7.

DDoS: it’s simple, stupid, and predictable

Simple: DDoS is simple, and thus “limited” in its damage.

All DDoS variants rely on brute force, but the aim is not to exploit vulnerabilities and thus gain access to valuable data or infrastructure, but to shut down services for everyone. (Including the attackers themselves.)

This limits its effectiveness substantially, as service outages can be managed and weathered. That said, large-scale or widespread DDoS attacks (like the 2016 Dyn cyberattack) can cost in the millions of dollars and impacts hundreds of thousands of connected devices.

Stupid: because it’s simple, DDoS requires very little initial investment (resources or sophistication) from the attackers.

DDoS attackers take advantage of the fact of the unbalanced nature of network communications. A query is easy and cheap to execute, but the response can be disproportionately more complicated and expensive.

Because of this, DDoS attackers rely on simple scripts (running on often unsuspecting machines called a botnet) to wreak the maximum amount of havoc with little to no risk of exposure.

Predictable: while exposure is low, and prevention is limited, we can mitigate the damage of DDoS.

With a cheap attack opportunity and a perpetually vulnerable target infrastructure, DDoS cannot be entirely prevented. DDoS is possible because there are physical and software-defined limits in IT.

But because the attack vectors for DDoS are locked and predictable, there are ways to mitigate or prevent the damage.

DDoS mitigation

The attack vectors for DDoS are known. Inherent in the design and structure of networks, we cannot shut these vulnerabilities down. But we can strengthen and control them better.

DDoS prevention can take as many forms as there are attacks. As we’re focusing on DNS, we’re not covering security methods that exist on other layers, such as hardware.

DDoS attacks against DNS can be mitigated by setting up software-defined safeguards:

• Firewalls can be effective in filtering and blocking malicious traffic sources. They don’t scale well, but useful in diagnosing and delaying the full force of the attack.
• Blacklisting can cordon off proven or suspicious blocks of IP addresses. It’s worth noting that because the IPv4 address space is over-utilized and IPv6 adoption is lagging, blacklisting can easily prevent legitimate traffic from reaching your network.
• Rate limiting and Access Control Lists (ACL) in servers, routers, and switches are probably the most effective way of preventing DDoS attacks. They target the primary method of attack by limiting the number of queries (and auditing the source of queries) to services.
• Filtering can be used if the network infrastructure can spare the processing power to inspect packets. In corporate environments, especially, filtering is a highly useful method but can be circumvented by otherwise beneficial methods such as encrypted DNS traffic via DoT or DoH.
• Deploying redundancy reduces the level of vulnerability of the infrastructure, and creates options through readily available backup services that can share or take over the load.

Coming up: cache poisoning

DDoS is dangerous, but as we saw, its impact is limited, and its damage can be mitigated. DNS cache poisoning, our next topic in this security series, can be much harder to detect — and can result in damage a lot deeper than a simple outage.

We’ll cover cache poisoning, and how to identify and prevent it, in our next post.