This article is more than 1 year old

DDoS DNS attacks are old-school, unsophisticated … and they’re back

So why would you handle them on your own?

Sponsored Feature Ransomware may currently be the biggest bogeyman for cybersecurity pros, law enforcement, and governments, but it shouldn't divert us from more traditional, but still very disruptive threats.

Take distributed denial of service (DDoS) attacks, for example. Hacktivist groups were notorious for flooding their targets with traffic in the noughties, slowing down websites or forcing them offline altogether. And it might be easy to fool ourselves into thinking that DDoS is no longer a threat, thanks to improved mitigation techniques and angry young hacktivists pouring their energies into other forms of protest.

But this would be complacent in the extreme. Cloudflare research showed a "massive spike" in application layer DDoS attacks in Q1 2022, while network layer attacks also jumped substantially. In the fourth quarter, "despite a year long decline", total DDoS traffic was still up 79 percent year on year, Cloudflare reported. And application layer attacks were up a similar amount in the same period.

Much of this recent activity can be classed as political, fueled by Russia's war in Ukraine. European organizations were hit particularly hard in the fourth quarter for example, with government and critical infrastructure organizations heavily targeted.

The DDoS attacks themselves are getting bigger, says Klaus Darilion, head of operations of the anycast service RcodeZero DNS, because the internet itself is getting bigger and attackers have more bandwidth to play with. They're also more automated, he continues, with hackers targeting multiple companies at the same time, constantly searching for weak points.

It's one thing to flood an organization's public-facing web page with traffic, effectively forcing it offline. But these volumetric attacks are well understood, as are the mitigation techniques needed to frustrate them. Moreover, while a retailer or financial institution clearly suffers if their main page is taken off-line, that's not necessarily the case for other organizations.

Which means cyber criminals are casting their net much wider. In the case of last year's incidents, Darilion says, "They made volumetric attacks, just to fill up the bandwidth of certain companies. But they also made random subdomain attacks and high DNS query rates to overwhelm authoritative DNS servers and fill up state-tables of firewalls."

This can prevent an organization not just doing business online, but doing any business at all. Darilion explains, "DNS is a rather simple application. You cannot steal data or things like that." But attacking an organization's DNS servers - the systems which translate users' domain queries into IP queries, and ultimately determine what server they route to - can lead to timeouts and cripple key services, such as websites and email.

"Maybe the public website is still working. But if the DNS is under attack, or the internet connectivity of a big office is under attack, then there are thousands of people sitting around who cannot work anymore." adds Darilion.

When your DNS isn't working, neither is anyone else

So while DDoS attacks might not be a new or "emerging threat", they remain potentially disruptive, and they're not going away. Organizations simply have to deal with the threat on a day to day basis.

For many, the first defensive move will be to put everything behind a firewall. But with DNS attacks in particular, Darilion says, "It's not always good to have a firewall or lots of application logic in front of a DNS server."

A DNS attack can see the firewall handling upwards of one million queries per second. "It's a lot of work for firewalls, because they're stateful. They have to remember all the packets coming in and going out and have to match them up. And then suddenly, the firewall is overcrowded." And if no-one can come in, the DNS is effectively down anyway.

Companies are well aware of the importance of mitigation for mainstream DDoS attacks on their website and will turn to the likes of Cloudflare or other providers to protect them.

But, says Darilion, they're often unaware just how much of a target DNS name servers really are, even though the same logic applies. Unless you're a really large company like Microsoft for example, it just doesn't make sense to have your name servers on your own network. Rather it's a better idea to have someone else take on the burden of operating, or at least protecting, your DNS infrastructure. "Put it somewhere outside, in front."

But not all DNS providers are created equal. And it's not simply a question of scale. The anycast service RcodeZero DNS equates to 50 servers worldwide. These are "oversized", says Darilion, by a factor of up to 50 "Because you have to size them not for the usual traffic but for the high-volume attack traffic."

Hyperscalers will have many, many more. But the number of servers is less important than the speed of response. This is where RcodeZero DNS's global routing expertise comes into play in protecting customers from attacks, as well as other forms of disruption.

"If your customers are in the US, you want them to end up on our servers in the US, not in Europe," says Darilion. Arranging this is not easy, and requires careful tuning of a provider's DNS anycast network so that customers reach the server that is closest to them.

In addition, physical server location comes into play, reports product manager, Christian Schöpp. "Our servers are close to the internet exchanges and not where the electricity is cheap in the middle of nowhere in Ireland."

RcodeZero DNS's SLAs for response times on DNS queries are up to 50 milliseconds, but the standard is below 25. "In Africa, where all the routing is around the continent and not through the continent, 100 milliseconds is good," adds Darilion. "In Europe, 20 milliseconds is good."

When it comes to network tuning, Darilion says, "You have to understand why ISPs route packets this way or that way. Once you know that you can fine tune your service. And the second thing is you have to monitor it."

Any day could be the day that a service provider experiences a cable cut, and has to buy some capacity from another vendor, with the result that traffic is suddenly rerouted via Africa to Europe, for example. If that happens, the provider firstly has to detect it. Then its team has to dig in to understand the problem, and how to work around it. "Then we can take the countermeasures to tweak the BGP routing so that the packets should go the proper way." says Darilion.

When it comes to DNS attacks, most traffic comes in via Public DNS Resolver services, but blocking this source would mean blocking giants like Google or Amazon. "For the application layer attacks, we have our own intelligence to filter them out."

Hello DDoS my old friend …

In the best case, this is done automatically by RcodeZero DNS's software. But sometimes it has to be done manually, because you cannot implement a mitigation against all kinds of unknown attacks.

This comes down to understanding the baseline of traffic. An increase above a certain threshold or within a certain domain will trigger mitigation action. "Every time you have to filter something out, of course, it takes CPU power, and so on, and you want to focus on the zones where you really are under attack," explains Darilion. "Luckily attacks are so high volume that we can easily spot it."

Of course, sometimes an organization will actually be seeking traffic, for example via advertising, or will be lucky enough to have a social media post go viral. But Darilion points out, these will be straightforward DNS requests for the main company website.

"But if you have queries for a really random subdomain then you usually know it's either an attack, or it's some kind of penetration tester, testing the infrastructure."

Aside from this, says Darilion, there are other more mundane reasons to "get your DNS server out of your bedroom, and into someone else's house altogether."

"It's not only about installing a name server," he points out. You have to maintain and upgrade the hardware, and ensure software is up to date and patched. "So if you just outsource the service, you don't have to think about these things."

Well, up to a point, anyway. It might be the case that people don't actually think about DNS DDoS attacks day to day, because they're part of the background noise of being online. But you still have to defend against them all day, everyday, so it probably makes sense for someone else to do it for you. In the background, so to speak.

Sponsored by RcodeZero DNS.

More about


Send us news