How DDoS attacks use DNS as a weapon

What is a DDoS attack?

Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks are two forms of the same thing. In both cases, attackers flood internet servers with so many requests that they simply can’t answer them all, and the system crashes as a result.

Consider the example of a ticketing website.

When a music promoter is advertising niche acts in small venues, the system can easily handle the normal traffic of people buying tickets online. Its bandwidth is sufficient.

Then the music promoter announces a rare show featuring Adele, to be performed in a stadium that seats over 100,000 people. Everyone expects the show to sell out, so they wait for the exact moment that tickets go on sale. When that moment comes, everybody tries to enter the website and buy tickets at the same time. Ticketing resellers make it worse by training a bunch of bots to automatically log in, imitate legitimate users, and buy tickets en masse.

The site, which is used to handling smaller shows, simply can’t deal with all of the inbound requests. It only has so much bandwidth to spare. Lacking the resources to deal with all of these queries, the system overloads and eventually crashes.

What is the difference between DoS and DDoS?

A simple denial-of-service attack uses one computer and one internet connection to flood a remote server. As network bandwidth increases, these attacks are less and less effective – a single computer simply can’t produce enough queries to overwhelm today’s high-capacity systems. Some types of DoS attacks can also be attributed to a single IP address or server location, making them a problematic option for attackers who want to cover their tracks.

A distributed denial-of-service attack (DDoS) is when attackers target a site using multiple computers and internet connections. Successful DDoS attacks are those spectacular web crashes that bring critical business services to their knees. More often than not, DDoS attacks add compromised computers to part of a botnet that runs malicious queries in the background. (See below for more information on how botnets operate.) When they want to execute a DDoS attack, malicious actors can harness the power of computers and internet of things (IOT) devices from around the world to query the target network all at once.

The three types of DDoS attacks

While they share a common goal, not all DDoS attacks are alike. Looking under the covers at the technical means they employ, there are actually three sub-types of DDoS attacks:

• Protocol attacks – This attack cripples actual server resources or other intermediate communication equipment like firewalls and load balancers.
• Application layer attacks – The goal of this type of attack is to crash the web server. The attacker sends requests that seem legitimate and harmless, but actually exploits the target’s vulnerabilities.
• Flood attacks – Flood attacks include UDP floods, syn floods, and other spoofed-packet floods and aim to make a server unavailable to real traffic by ‘flooding’ the targeted server’s resources.

In each case, the targeted organization is flooded with requests, removing its presence on the internet. This prevents all valid traffic from getting through.

Here’s a quick video overview of how DDoS attacks turn your network into a weapon, as described by BlueCat’s Chief Strategy Officer Andrew Wertkin:

DNS makes an effective attack weapon

What’s the common thread in all of this? The Domain Name System (DNS). DNS is the protocol used to locate remote servers and then transmit information across the internet. Bad actors know that DNS makes a great weapon in producing the massive amounts of traffic that can take down entire networks.

1. DNS is easy to launch: The protocol is easily accessible. It doesn’t take a lot of compute to generate a lot of DNS data.
2. DNS is easy to hide: There are tons of open resolvers on the internet that can recurse traffic to a target. Source addresses can easily be spoofed, which contributes to the many cases of DNS spoofing (or DNS poisoning) attacks online. As DNS is an unencrypted protocol, it is easy to intercept bad traffic and difficult to defend against.
3. DNS as an amplification attack: DNS attacks can be amplified at a ratio of about 70:1. That means for every 80 bytes going out, DNS can generate approximately 5.6 kilobytes in an attack.
4. DNS is open: The whole idea of DNS resolvers is that queries should actually go through – the system has to be open to the outside internet and at least entertain every request that comes around. You could thwart a DDoS attack by closing off DNS, but then you’d have no way to process any request – either from a legitimate user or an illegitimate one.
5. DNS is usually unmonitored: Believe it or not, most security teams don’t monitor DNS for potential security issues. Most see the protocol as so old that they simply take it for granted. It’s just supposed to work, and when things on the network operate as planned, they tend to slide into the background of priority lists. Attackers know this: studies show that 91% of all malware attacks use DNS.

Unfortunately, DDoS attacks are very common. While security companies have found ways to cut down the damage, they haven’t found a way to thwart the tactic itself. It’s been over a year since a massive DNS DDoS attack on Dyn succeeded in bringing down Twitter, Netflix, Reddit, CNN, and others. Like every DNS DDoS campaign, the goal is to generate huge volumes of unwarranted traffic aimed at DNS servers until the overload literally takes them offline.

How do massive volumes of traffic get generated?

Traffic can be launched through one’s own power, then drive DNS traffic through open resolvers. More commonly, hackers leverage others’ resources through botnets.

Botnets are the scourge of the internet. Controlled by a single source, botnets carrying malware scan systems for vulnerabilities with the goal of infecting as many devices as possible. Botnet command-and-control then instructs those many affected devices to launch a massively distributed attack on the DNS of unsuspecting enterprise service providers.

It’s not uncommon for a large botnet strike to involve hundreds of thousands, if not millions, of hosts. More hosts means larger payloads of IP queries. Due to poor security, it’s a scenario that’s becoming all too familiar. It’s how perpetrators of the Dyn onslaught found easy access to vulnerable IoT devices to contribute to the chaos.

Additional traffic can be generated using reflection amplification with spoofed IP addresses. It makes them look as if they’re coming from legitimate sites like the US government. That causes the target server to answer millions of fake queries. It gets truly scary when the host within the enterprise is infected, unwittingly taking part in attacking its own infrastructure!

DNS used as a weapon is fairly easy to launch but very difficult to mitigate. It’s even more difficult than when your DNS is recruited as a facilitator or hostage for malicious cyber activity. And that’s two other ways DNS is leveraged to wreak havoc on your enterprise.

DDoS protection: The basics

DDoS attacks will happen regardless of what you do. Malicious actors are going to keep leveraging this type of attack as long as it’s effective. So “protection” is probably the wrong word. It’s really more about how your DNS infrastructure copes with a DDoS attack – your ability to perform DDoS mitigation quickly. Here are some basic thoughts on what you can do about these kinds of attacks.

Pay attention: Monitor your DNS! If you know what’s going on in your DNS logs, you can prevent your network from being used to attack others.

Gain control: With a DNS security system in place, you can pick and choose which DNS requests are actually allowed to resolve successfully. There are many kinds of DDoS protection services and DDoS protection solutions out there, but they all have one thing in common: They monitor the DNS protocol and use it to regain the upper hand.

Use resilient infrastructure: There are many ways that DNS architectures can be used to add bandwidth or divert malicious queries in the case of a DDoS attack. These solutions get pretty technical and will depend to a great extent on what you’re willing to pay and how the network is constructed. It’s best to talk to a DNS expert to find out how your DNS infrastructure can help to avert these sorts of attacks.

Learn more about BlueCat’s DNS security offering and how our DDI solutions help to prevent DDoS attacks.