Distributed Denial of Service (DDoS) attacks are a serious threat to an organization’s ability to attract, retain, and interact with customers. Simply put, a DDoS attack is designed to render an organization’s web presence inaccessible to legitimate users by overwhelming the underlying infrastructure with malicious traffic.
Traditional DDoS attacks are only becoming cheaper and easier to perform. The rise of the Internet of Things (IoT) and the growth of cloud computing mean that cybercriminals have easy access to a great deal of Internet-connected computing power. Compromised devices and instances are assembled into botnets that can be tasked to send malicious requests to a website in volumes greater than its web servers can withstand.
However, the growth of cheap and easily accessible computing power is not the only way in which the DDoS threat landscape is evolving. Cybercriminals are also taking advantage of new tools and techniques to perform their attacks. One example of such a technique is the NXNSAttack. This attack takes advantage of how recursive DNS resolvers follow delegations in order to perform a DDoS attack against the victim’s authoritative DNS servers. If those servers are not behind robust DDoS protection, they can become overwhelmed, leaving the organization’s website inaccessible to legitimate users.
The Importance of DNS Infrastructure
When using the Internet, most people don’t type in the IP address of the computer that they are trying to access. Instead, they type a domain name such as google.com, usually as part of a URL. However, IP addresses are what the client computer and the routers on the path between the source and destination computers require to ensure that the traffic reaches its intended destination.
DNS is the Internet protocol that translates domain names to IP addresses. The DNS infrastructure is organized as a hierarchy of servers, each responsible for answering queries for a particular part of the namespace. This means that resolving a single hostname may require queries to several DNS servers in turn (e.g. the root servers, the .com servers, and google.com’s own authoritative servers). In order for a website to be accessible to users, they need to be able to convert its hostname to the IP address of the server hosting it. This requires every DNS server involved in resolving the name to be online and reachable.
The October 2016 DDoS attack against Dyn, a major DNS provider, demonstrates the potential impact of a DDoS attack against DNS infrastructure. During the attack, the servers hosting Dyn’s managed DNS service were hit by several waves of DDoS traffic from the Mirai botnet. While the service was eventually able to overcome the attack, a significant portion of the Internet became unreachable during it because the service could not resolve the DNS requests of legitimate users.
DNS System Used in DDoS Attacks
DDoS attacks against DNS infrastructure are nothing new, as demonstrated by the 2016 DDoS attack against Dyn. However, the relationship between DDoS attacks and DNS services is not always that of attacker and target. Some DDoS attacks are designed to take advantage of DNS services to amplify the impact of the attack. A recently-discovered attack takes advantage of the hierarchical structure of DNS infrastructure. Recursive DNS servers (resolvers) answer clients’ queries by walking the hierarchy and querying the authoritative servers for a domain to resolve its names into IP addresses. An authoritative server can also delegate authority for part of its namespace to other DNS servers by returning a referral, a list of nameserver hostnames (NS records), optionally with their IP addresses (glue).
The NXNSAttack takes advantage of this delegation mechanism to perform DDoS attacks. The attacker sends a recursive DNS server a query for a name in a domain whose authoritative server the attacker controls. Instead of answering, the attacker’s server returns a referral delegating the name to a long list of fake nameserver hostnames under the victim’s domain, deliberately without glue addresses. Before it can continue, the recursive DNS server has to look up the address of each of these supposed nameservers, and because they sit under the victim’s domain, every one of those lookups (typically both an A and an AAAA query per hostname) lands on the victim’s authoritative DNS server. The victim answers that the names do not exist, but it has still had to process the traffic. A single query from the attacker thus turns into a burst of queries from the recursive DNS server, degrading the victim server’s ability to resolve legitimate requests; the more NS names in the referral, and the more open resolvers the attacker sends the query through, the larger the amplification. The major recursive resolver implementations shipped patches for this in May 2020 that cap the number of NS names a resolver will chase for a single referral, so keeping resolvers up to date is part of the defence, although the owner of the victim domain cannot rely on every resolver on the Internet being patched.
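To make the mechanism concrete, the following added example (not code from the original article or from the NXNSAttack authors) builds a toy iterative resolver over a constructed in-memory DNS hierarchy and counts how many queries each authoritative server receives. It illustrates both the hierarchy walk described under "The Importance of DNS Infrastructure" and the glue-less referral abused by the NXNSAttack. All names, addresses, zone data and the `max_ns_fetches` cap are assumptions made for this example; the resolver has no cache, so the root and TLD servers are also hit on every sub-lookup, which a real resolver would largely avoid.

```python
"""Toy iterative DNS resolver that demonstrates NXNSAttack amplification.

Constructed data: one root, one TLD server for ".example", one victim
authoritative server and one attacker-controlled authoritative server.
"""
from collections import Counter

# Assumed addresses (documentation ranges), used as keys for the toy servers.
ROOT_IP, TLD_IP, VICTIM_IP, ATTACKER_IP = "192.0.2.53", "192.0.2.1", "192.0.2.10", "192.0.2.20"

# Number of glue-less, non-existent NS names the attacker's server puts in its referral.
ATTACKER_NS_COUNT = 10
VICTIM_NS_NAMES = [f"ns{i}.victim.example" for i in range(ATTACKER_NS_COUNT)]

# Records per server: (owner name, type) -> list of values. NS records mark zone cuts;
# an A record for an NS hostname on the same server acts as glue.
SERVERS = {
    ROOT_IP: {("example", "NS"): ["a.nic.example"], ("a.nic.example", "A"): [TLD_IP]},
    TLD_IP: {
        ("victim.example", "NS"): ["ns1.victim.example"], ("ns1.victim.example", "A"): [VICTIM_IP],
        ("attacker.example", "NS"): ["ns.attacker.example"], ("ns.attacker.example", "A"): [ATTACKER_IP],
    },
    # The victim hosts a website but none of the fake nsN.victim.example hostnames exist.
    VICTIM_IP: {("www.victim.example", "A"): ["198.51.100.1"]},
    # The attacker's server delegates www.attacker.example to the victim's namespace with no glue.
    ATTACKER_IP: {("www.attacker.example", "NS"): VICTIM_NS_NAMES},
}


def lookup(ip, qname, qtype):
    """Toy authoritative server: exact answer, else referral at the closest enclosing zone cut, else NXDOMAIN."""
    recs = SERVERS[ip]
    if (qname, qtype) in recs:
        return "answer", recs[(qname, qtype)], {}
    labels = qname.split(".")
    for i in range(len(labels)):  # qname itself, then each parent up to the TLD
        cut = ".".join(labels[i:])
        if (cut, "NS") in recs:
            ns_names = recs[(cut, "NS")]
            glue = {ns: recs[(ns, "A")] for ns in ns_names if (ns, "A") in recs}
            return "referral", ns_names, glue
    return "nxdomain", [], {}


def resolve(qname, qtype, stats, max_ns_fetches=None, depth=0):
    """Iterative resolution from the root. stats counts queries sent to each server IP."""
    if depth > 8:  # loop guard; real resolvers also bound recursion depth
        return []
    ip = ROOT_IP
    while True:
        stats[ip] += 1
        kind, data, glue = lookup(ip, qname, qtype)
        if kind == "answer":
            return data
        if kind == "nxdomain":
            return []
        # Referral: follow glue when present.
        targets = [addr for ns in data for addr in glue.get(ns, [])]
        if not targets:
            # Glue-less referral: the resolver must resolve each NS hostname itself before it
            # can continue. An unpatched resolver chases every name (A and AAAA each); this is
            # what NXNSAttack amplifies. The post-2020 fix is to cap how many names are chased.
            chase = data if max_ns_fetches is None else data[:max_ns_fetches]
            for ns in chase:
                for t in ("A", "AAAA"):
                    targets += resolve(ns, t, stats, max_ns_fetches, depth + 1)
            if not targets:
                return []
        ip = targets[0]


def simulate(qname, qtype="A", max_ns_fetches=None):
    """Run one client query through the toy resolver; returns (answer, Counter of queries per server)."""
    stats = Counter()
    answer = resolve(qname, qtype, stats, max_ns_fetches)
    return answer, stats


if __name__ == "__main__":
    _, legit = simulate("www.victim.example")
    _, attack = simulate("www.attacker.example")
    _, patched = simulate("www.attacker.example", max_ns_fetches=2)
    print("legitimate lookup, queries to victim:", legit[VICTIM_IP])
    print("NXNSAttack, unpatched resolver, queries to victim:", attack[VICTIM_IP])
    print("NXNSAttack, capped resolver, queries to victim:", patched[VICTIM_IP])
```

One client query for www.victim.example costs the victim a single query, while one attacker query for www.attacker.example costs it two queries (A and AAAA) per fake NS name, twenty in this toy; multiply that by the number of fake names an attacker can fit in a response and the number of open resolvers it can send the query through to see why the amplification is significant. The `max_ns_fetches` parameter models the vendor fix of bounding how many NS names a resolver will chase per referral.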
If the victim’s DNS server is unable to handle requests, then attempted visitors to sites within the victim’s domain are unable to translate those sites’ hostnames to the IP addresses of the victim’s web servers. As a result, the victim’s website can become completely unreachable, and, potentially, employees may lose access to internal services on the corporate intranet if access to those services depends upon the same DNS server.
Protecting Against DDoS Attacks
An organization’s web presence is vital to its ability to do business. Customers increasingly prefer to browse and potentially make purchases online rather than visit physical stores. Additionally, many organizations are moving some or all of their customer service functionality to their website due to the increased scalability that it provides.
Cybercriminals have several different methods by which they can take a website offline via DDoS attacks. Attackers can either attack the website directly by sending requests to the web application or target the DNS infrastructure that the website relies upon to direct visitors to its web servers. As DDoS attacks become easier and cheaper to perform, they are likely to become even more common. Ensuring the availability of the company web presence requires deployment of robust DDoS mitigation solutions capable of identifying and blocking a range of different DDoS attacks, and that protection has to cover the organization’s authoritative DNS servers, which are easily overlooked, as well as the web servers themselves.