BY Darren Anstee4 minute read

Names are important. And everyone uses the Domain Name System, whether you realize it or not. We need it to access everything and anything across the internet. One of the many things that DNS does is translate the human-friendly “names” of internet resources like www.netscout.com into an IP address like 146.88.245.215. This allows web browsers and other applications to communicate with whatever we’d like to access across one or more networks. This all happens behind the scenes for most of us.

DIVING INTO DNS Delving into a bit more detail, when our computer wants to resolve a resource name to an IP address, it communicates with a configured DNS (resolver) server. This could be within your home (CPE box), your enterprise or your ISP, or it can be a service offered by someone else such as Google or Quad9. If the DNS (resolver) server has recently been asked to resolve the same name, the result is “in cache” and it simply responds. If not, the server begins a recursive process of trying to find the right answer. I won’t go into how that works here, but the end of the road for this process is the authoritative DNS server for a given domain, such as netscout.com. This server knows the name-to-IP-address mapping for everything within one or more domains and will reply back to the resolver, which in turn responds to your computer.

The fact that this works every time is essential to our perception of internet availability. If a web browser can’t resolve resource names to IP addresses, then for all intents and purposes the internet is considered “down” by many end-users. Fortunately, there is redundancy and resilience built into DNS infrastructure to make a failure unlikely—but it can happen. You may remember the widespread “internet outage” of 2016 in North America. In actual fact, the internet was fine during this period. All of the pathways between the routers and switches across the various networks that make up our perception of the internet were carrying traffic as normal. It was DNS that was broken. A botnet made up of Internet of Things devices infected with Mirai launched a Distributed Denial of Service (DDoS) attack at an organization that ran the authoritative DNS servers for a large number of internet domains. This made name resolution impossible for those domains. The domains in question happened to be services that many of us access all the time—hence the perceived “internet outage” as these services became unreachable or, more accurately, unresolvable.

WHY LEADERS SHOULD CARE Why am I talking about this now? Because anyone who operates authoritative DNS infrastructure, both ISPs and enterprises, should be aware that sophisticated DDoS attacks targeting this infrastructure have reached unprecedented levels over the past year or so. We hear this from pretty much every one of our customers. DDoS attacks have of course been around for a long time and rely on a large number of attack sources sending malicious traffic toward a target, with the goal of making that target unreachable or unusable. You may have heard about DDoS before, but what’s changed recently is the complexity and frequency of attacks targeting DNS infrastructure.

Our company has unique visibility into the DDoS threat landscape, using data shared by around 500 ISPs around the world every hour, and we’ve seen a 243% increase in sophisticated DNS attacks over the past few years. The attacks that are doing a lot of damage are known as water-torture or pseudo-random prepend attacks. These attacks involve the generation of DNS queries for randomly or dictionary-generated resource names within a domain, for example, a.netscout.com, aa.netscout.com, aab.netscout.com, and so on. When an attack takes place, large numbers of devices will generate these queries, either sending them directly to the authoritative server for the targeted domain, reflecting them from other devices across the internet or simply sending them via their configured DNS resolver. The aim is to overwhelm the authoritative DNS infrastructure so that genuine requests can’t get through, making queries for the targeted domain unresolvable. For genuine users, this makes the service they are looking for unreachable, which is inconvenient, and for the organization behind that service, their business and reputation are damaged.

Unfortunately, this isn’t the only impact these kinds of attacks can have. Many authoritative servers support multiple domains, and that means that if one is targeted, many can be impacted. And, if queries are sent via ISP resolvers, then resources are consumed there as well, slowing down or stopping name resolution for an ISP’s customers and affecting their view of the service their ISP is providing. Water-torture attacks are a plague right now. WHAT LEADERS CAN DO The good news is that these attacks are well understood and can be defended against. If, as an enterprise, you do manage your own authoritative DNS, then ensuring you have on-premise defenses designed to defend your DNS infrastructure is essential. Generic DDoS defense likely won’t be enough, and cloud-based defenses may be too slow to react—you need something on-premise that understands DNS, and ideally uses response analysis to monitor what is going on.

One thing to remember, however, is that in many cases, the authoritative DNS for a domain is hosted by an ISP or DNS service provider, not the organization the domain belongs to. That means defending your own organization’s infrastructure from DDoS may not be enough. If you outsource your authoritative DNS to a service provider, it is key to ask them how they are defending their infrastructure. Simply building in lots of scale is very much a band-aid, relying on attacks not exceeding a specific level (and we’ve seen attacks over 80M DNS queries per second this year). DNS service providers need to have specialized DDoS defenses in place. DNS is critical to our use of the connected world, so if you operate authoritative DNS infrastructure or utilize a service provided by another organization, make sure that infrastructure has the right defenses.