On Friday Oct. 21, 2016, a DDoS attack shut down several popular internet sites. Users experienced slow access or no service to Twitter, Spotify, Shopify, SoundCloud, Reddit and The New York Times and others. The blackout—three waves of outages—was a result of a global DDoS attack on Dyn, the domain name service used by these sites. Dyn was able to mitigate the problem within six hours.
DNS also known as the Domain Name System is vital to the internet. You’re using DNS every time you check your email or update your Facebook page. So when a DNS server is under attack and becomes unreachable, every site it supports becomes unreachable as well.
Marc Gaffan, GM of the Incapsula product line at Imperva explains what a DNS outage means.
Imagine if all the street signs in the US suddenly vanished. Those who know where they are going are fine – the roads are fine. Those who need signs to navigate by are lost and unable to reach their destination. If you know the TCP/IP address of the server you are trying to reach (220.127.116.11) then you are fine; if you need to look up the TCP/IP address of randomsite.com, then you are unable to reach your destination.
DDoS attacks on DNS services have become more common over the past few months culminating in last Friday’s massive attack. The frequency of these attacks has increased the vulnerability of all DNS servers.
Attacks on the DNS
There are a variety of DNS attacks to watch out for. But they fall into two basic categories—DNS-specific and network-layer attacks.
DNS-specific attacks are also referred to as “NXDomain” attacks, where the attacker targets one (or more) domain name system server(s) belonging to a given zone. The hacker’s goal is to hamper resolution of resource records of the zone and its sub-zones.
How DNS-Specific Attacks Work
This kind of attack is accomplished by sending randomized sub domain queries in an attempt to overload the DNS servers and bypass any caching servers on the way.
Using Marc Gaffan’s earlier analogy of the DNS as directional street signs for the internet, DNS servers act as the roadmap of the internet, helping requestors find the servers they need. A DNS zone is a distinct portion of the domain name space in the domain name system. Here the administrative responsibility for each zone is delegated to a single server cluster.
Network-layer attacks also known as layer 3–4 attacks are almost always DDoS assaults set up to clog the “pipelines” connecting your network. Attack vectors in this category include UDP flood, SYN flood, NTP amplification and DNS amplification attacks, and more.
Any of these assaults can be used to prevent access to your servers, while also causing severe operational damages, such as account suspension and massive overage charges.
DDoS attacks are almost always high-traffic events, commonly measured in gigabits per second (Gbps) or packets per second (PPS). The largest network layer assaults can exceed 500 Gbps; however, 20 to 40 Gbps are enough to completely shut down most network infrastructures.
What’s the Difference between a DNS-Specific Attack and a Network-Layer Attack?
A DNS-specific attack targets the DNS servers themselves. Its volume is typically not as high as network-layer attacks, however it tends to be very packets-per-second (PPS)-intensive. Most security measures are unable to mitigate this kind of attack as it requires a technology that can inspect in-coming traffic at the application layer. In addition, since these kinds of attacks are very PPS-intensive it requires equipment with extremely high packet-processing capabilities.
Network layer attacks, on the other hand, are usually very high in volume and target the entire infrastructure aiming to cut the victim’s network from accessing the internet, including DNS servers. These attacks require a lot of capacity to mitigate, in addition to the right technology and expertise.
The Dyn attack was most likely a combination of these two types of attacks.
How to Mitigate Attacks on Your DNS Servers
There are ways to prevent DNS-specific and network layer attacks.
Large Layer 3 or network layer attacks are very difficult for on-premises solutions to mitigate as the attack clogs the server’s bandwidth upstream.
Incapsula mitigates network layer attacks by deploying its multi-datacenter network in front of a customer’s DNS authoritative server. This is done without making changes to a customer’s existing zone file settings.
With DNS Protection in place, Incapsula becomes the destination for all incoming DNS queries, which are scrubbed on their way to their origin.
Mitigating DNS specific attacks requires using mitigation technologies that is based on DNS servers such as DNS proxies. Having very high PPS-mitigation rates is an important aspect for a successful mitigation technology.
How Incapsula Mitigates DNS Attacks
Incapsula Name Server DDoS Protection turns Incapsula into your authoritative DNS proxy, while continuing to manage your DNS zone files outside of the Incapsula network. In addition, our infrastructure and IP protection services can help secure your entire infrastructure against any type of network layer floods.
With Name Server protection in place, Incapsula becomes the destination for all incoming DNS queries, functioning as a secure DNS proxy that masks protected DNS servers, while also filtering all incoming DNS queries.
Incapsula employs a combination of reputation and rate-based heuristics in order to inspect the incoming flow of DNS queries and filter out malicious DNS packets, without impacting any of the legitimate visitors.
Queries made to Incapsula-protected DNS servers are served via a global network of strategically deployed data centers.
Local data centers in close proximity to the DNS request origin are automatically selected to return DNS responses, resulting in accelerated website performance.
Customers can tune Incapsula for their specific business needs by setting their own custom thresholds. In certain situations users can also manually enforce DNS refreshes by refreshing all cached data or by selectively refreshing specific DNS records.