Get in Touch

DNS: A common target of massive DDoS attacks

by on February 25, 2020 in Digital Marketing, Latest News, Lead story, News you can use, Nuggets

DNS: A common target of massive DDoS attacks

The Domain Name System (DNS) is one of the core building blocks of the Internet. However, it is also commonly used by cybercriminals for malicious purposes. Protecting against misuse of DNS requires organizations to deploy data security and DDoS prevention solutions.

A Quick Introduction to DNS

DNS is a crucial component of the Internet. Typically, Internet users prefer to type a domain name (like into their address bar to visit a website. However, their computer needs an IP address to reach the destination computer hosting that particular website.

DNS serves as a global address book for the Internet. A hierarchy of DNS servers enables a user’s computer to determine the IP address of any website on the Internet with just a few requests. Since DNS is so powerful and so necessary to the proper functioning of the Internet, most organizations allow it to flow freely through their networks. While this is a major asset in some ways, it also means that DNS is a perfect protocol for cybercriminals to use in their attacks.

Cybercriminals and DNS

A recent report reveals that governments around the world lose millions of dollars every year to DNS-related cybercrime, and they are far from the only organizations affected by misuse of DNS. The DNS system is a common target of DDoS attacks, is often used to enable DDoS attacks, and is occasionally used for data exfiltration.

  • DDoS Attacks on DNS Servers

The fact that DNS is essential to the Internet means that it is a prime target for DDoS attacks. If an attacker can deprive an organization of access to external DNS servers, then they cannot access most of the Internet since their computers cannot translate domain names into the appropriate IP addresses.

Conversely, an organization’s entire web presence can be taken down by an attack that targets their internal DNS server.

The survey of global governments revealed that DDoS attacks against DNS were a common threat across the board. Over half of respondents (51%) lost access to internal applications due to an attack on DNS servers. 43% of them experienced loss of access to cloud-based resources.

As organizations increasingly move to the cloud, the loss of access to even a single CSP through DNS-targeted DDoS attacks can have global impacts.

  • DDoS Attacks Enabled by DNS

Unfortunately, the relationship between DNS and DDoS attacks is not limited to DNS being a target of these attacks. The use of DNS as an enabler of DDoS attacks is increasingly common, with this attack vector experiencing a nearly 4800% growth year over year in 2019.

DNS is used by DDoS attackers in a technique called DDoS amplification. In a DDoS amplification attack, the attacker sends requests to a service where the response length is much greater than the request length. Since these requests are sent while spoofing the sender’s IP address to that of the target, these much larger responses are sent to the target machine. As a result, an attacker can send a small volume of request data but force the target to receive and process a much greater amount of data.

DNS is a commonly used DDoS amplifier for two main reasons. First, it is commonly permitted through network boundaries (since it is a vital protocol in the Internet), ensuring that amplifier services are readily available, and targets will not filter out attack traffic at the border.

Secondly, DNS traffic is a great amplifier, with the potential for responses much larger than the corresponding requests. Since DNS records are under the control of the domain owner, DDoS attackers can build custom domains for DDoS attacks. As a result, DNS amplification is a powerful weapon for DDoS attackers.

  • DNS-Enabled Data Exfiltration

Most organizations have “default allow” policies for DNS traffic at their network perimeter. Beyond being helpful for DDoS amplification, these policies also make DNS useful for another malicious application: data exfiltration.

Once an attacker has gained access to sensitive data on an organization’s network, they need a means of moving that data out of the organization’s network. This requires a network protocol that they can control and that is not blocked at the organization’s network perimeter.

DNS meets both of these requirements, and the government survey supports this use. Almost a fifth (19%) of survey respondents reported that they experienced the theft of intellectual property (IP) or other sensitive data via DNS traffic.

Protecting Against DNS-Related Attacks

DNS is essential to the functioning of the Internet. Without it, computers would not be able to translate user-provided domain names into machine-usable IP addresses. As a result, simply blocking DNS traffic at the network perimeter is not an option.

However, DNS traffic is used in cyberattacks in a variety of different ways. Cybercriminals may target DNS servers during DDoS attacks, use DNS to amplify the effects of DDoS attacks against other targets, or use DNS traffic as a carrier for sensitive data being exfiltrated from an organization’s network.

Since blocking DNS traffic entirely is not a viable security strategy, preventing these attacks requires organizations to thwart attacks at a different point in their lifecycle. Deploying a strong DDoS prevention solution can help to protect an organization’s DNS servers against attack, while behavioral monitoring may help to prevent these servers from being misused as DDoS amplifiers.

By deploying strong data security protections, organizations can ensure that cybercriminals cannot access sensitive data in the first place, let alone exfiltrate it over DNS.


Print article