Recently, the Health Sector Cybersecurity Coordination Center, or HC3, which serves as the focal point for cybersecurity between the US Department of Health and Human Services and the Healthcare and Public Health sector, released an alert warning about attackers launching Distributed Denial of Service (DDoS) attacks.
These attacks flood networks and DNS servers with DNS requests for websites and applications that do not exist, which results in a flood of NXDOMAIN responses from authoritative DNS servers. (For more information, see: https://www.hhs.gov/sites/default/files/dns-nxdomain-attacks-sector-alert.pdf)
How DDoS attacks against DNS work.
The attacks are an effort to overwhelm authoritative DNS servers with junk requests so that they are unable to respond to legitimate queries for the applications they serve. This is, in effect, a DDoS attack against DNS servers, and a new spin on a tactic that is over 20 years old. In these attacks, a malicious actor tries to render an application unavailable by preventing its DNS server from telling you how to get to it.
As you probably know, computers, smartphones, and Internet of Things (IoT) devices can’t route traffic directly to a web site like https://vercara.com just based on its name. They need to route requests to an Internet Protocol or IP address. As humans are not great at remembering long strings of digits, DNS became the way to translate website names that people could remember to IP addresses that computers and the internet could use. DNS has been compared to the old telephone white pages where you could look up the phone number for a person if you knew their name.
In the mid-2000s, malicious actors who didn’t agree with the narrative of various news organizations came up with a novel way to keep the opinion of these organizations off the internet, at least for a little while. These malicious actors flooded the organization’s DNS servers with requests for their web server IP addresses and ping flood attacks to overwhelm the capacity of the DNS server to respond to them. So, when people who wanted to go to ACME Corp’s website entered its name in their web browser, the browser responded with a message that the website couldn’t be found.
These actors didn’t just apply these attacks to news websites, but also providers like Microsoft and even the internet root DNS servers, the DNS servers at the heart of the internet, attempting to disrupt access to all applications. Luckily, the attack against the root DNS servers, while significant, didn’t succeed due to the resilience of the DNS system.
This began a new era where businesses needed to start deploying ever more resilient DNS servers that could withstand large-scale malicious attacks.
Being one of the first cloud DNS platforms, UltraDNS needed to figure out how to protect our customers and the platform itself from DNS flood and other types of Denial-of-Service attacks that make customer services unavailable.
We developed a combination of protections, including name server segmentation, which limits the number of customers on any one name server, and a DDoS mitigation service that protected the platform from a wide variety of DDoS attacks. We got so good at protecting UltraDNS that we used our experience with mitigating DDoS attacks to spin off a service called UltraDDoS Protect. This service protects our customers’ infrastructure from DDoS attacks, as well as the UltraDNS and the new UltraDNS2 networks themselves.
Every UltraDNS customer’s DNS service is protected by the purpose-built 16-node, 15 Tbps+ UltraDDoS Protect network. It’s been a good investment for us. We recently mitigated a 700 Mbps attack against UltraDNS without any impact on our customers. You can read more about this at The Outage that Never Was. More recently, one of our customers came under a withering DNS enumeration attack. A DNS enumeration attack is an attack where malicious actors script DNS queries for random hostnames like server12.bamboo.com and hope to find an IP address in an organization they can scan and exploit.
The attacked customer usually saw between 1 and 2 million DNS requests per day. However, from February 13-16 of this year, the customer saw over 4 billion requests per day, peaking at over 10 billion requests on February 14th.
On top of this, the attacker queried between 2 and 3.7 billion unique hostnames on these days, further attempting to stress the DNS servers and bypass any caching that might have been done by recursive DNS servers. This was among the first of an emerging DDoS attack vector where large numbers of DNS queries are sourced from very large numbers of source IP addresses in an attempt to overwhelm DNS servers.
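The two signals described above, a high share of NXDOMAIN answers and a very high share of never-repeated query names (which is what defeats recursive-resolver caching), are exactly what a defender can compute from authoritative query logs to tell a random-subdomain flood apart from ordinary typo traffic. The following is an added detection example written for this article; it is not code from UltraDNS or from the HC3 alert. The log line format (epoch, source IP, query name, query type, response code), the "zone is the last two labels" simplification, the threshold values and the sample log lines are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of authoritative query logs covering two zones. The
# format "<epoch> <source_ip> <qname> <qtype> <rcode>" is an assumption for
# this example, not a format used by UltraDNS or described in the HC3 alert.
# Addresses are from documentation ranges (RFC 5737); names use .test.
SAMPLE_LOG = """\
1707868800 203.0.113.10 www.example.test A NOERROR
1707868801 203.0.113.11 mail.example.test MX NOERROR
1707868801 198.51.100.7 k3j9x2q8.example.test A NXDOMAIN
1707868802 198.51.100.8 zq81mv0p.example.test A NXDOMAIN
1707868802 198.51.100.9 a7d2kxw4.example.test A NXDOMAIN
1707868803 198.51.100.10 pq93ls0e.example.test A NXDOMAIN
1707868803 198.51.100.11 m2n8v6ct.example.test A NXDOMAIN
1707868804 198.51.100.12 x0r5bj1y.example.test AAAA NXDOMAIN
1707868804 203.0.113.10 www.example.test A NOERROR
1707868805 203.0.113.12 www.other.test A NOERROR
1707868805 203.0.113.13 api.other.test A NOERROR
1707868806 203.0.113.14 oldhost.other.test A NXDOMAIN
"""


@dataclass
class ZoneStats:
    """Per-zone counters needed to recognise a random-subdomain (NXDOMAIN) flood."""
    total: int = 0
    nxdomain: int = 0
    qnames: set = field(default_factory=set)   # distinct names queried
    sources: set = field(default_factory=set)  # distinct client addresses


def zone_of(qname: str) -> str:
    """Map a query name to the zone it belongs to.

    Assumed simplification: the zone is the last two labels. A production
    check would match against the zones the authoritative server actually serves.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Split one log line into (source_ip, qname, rcode); None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip truncated or malformed records rather than crashing
    _ts, src, qname, _qtype, rcode = parts
    return src, qname.lower(), rcode.upper()


def aggregate(log_text: str) -> dict:
    """Accumulate per-zone totals, NXDOMAIN count, unique names and unique sources."""
    stats = defaultdict(ZoneStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, qname, rcode = rec
        z = stats[zone_of(qname)]
        z.total += 1
        z.qnames.add(qname)
        z.sources.add(src)
        if rcode == "NXDOMAIN":
            z.nxdomain += 1
    return stats


def detect_nxdomain_flood(log_text: str, min_queries: int = 5,
                          nx_ratio: float = 0.5, unique_ratio: float = 0.5) -> dict:
    """Flag zones where most answers are NXDOMAIN *and* most names are unique.

    The second condition is what separates a random-subdomain flood (every name
    is new, so no resolver cache absorbs it and each query reaches the
    authoritative server) from a burst of repeated lookups of one stale name.
    Thresholds are illustrative and would be tuned per zone in practice.
    """
    report = {}
    for zone, z in aggregate(log_text).items():
        nxr = z.nxdomain / z.total
        uqr = len(z.qnames) / z.total
        report[zone] = {
            "total": z.total,
            "nxdomain": z.nxdomain,
            "nxdomain_ratio": nxr,
            "unique_qnames": len(z.qnames),
            "unique_ratio": uqr,
            "sources": len(z.sources),
            "flagged": z.total >= min_queries and nxr >= nx_ratio and uqr >= unique_ratio,
        }
    return report


if __name__ == "__main__":
    for zone, r in detect_nxdomain_flood(SAMPLE_LOG).items():
        status = "SUSPECTED NXDOMAIN FLOOD" if r["flagged"] else "normal"
        print(f"{zone}: {r['total']} queries, {r['nxdomain']} NXDOMAIN "
              f"({r['nxdomain_ratio']:.0%}), {r['unique_qnames']} unique names, "
              f"{r['sources']} sources -> {status}")
```

On the sample, example.test is flagged (6 of 9 answers NXDOMAIN, 8 of 9 names unique, 8 distinct sources), while other.test, with one NXDOMAIN for a plausibly stale name and too few queries to judge, is not. The distinct-source count is reported but not used as a trigger: as the attack above shows, source-based rate limiting is what a widely distributed flood is designed to slip past, so per-zone NXDOMAIN and unique-name ratios are the more durable signal.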
While these are huge numbers for this one customer, this was not a significant event for the UltraDNS platform. UltraDNS regularly processes over 120 billion authoritative requests a day. It was unusual that this one customer saw a high single-digit percentage of overall traffic volume on UltraDNS; however, our solution handled it easily.
UltraDNS’ 29-node and UltraDNS2’s 18-node anycast networks process queries closest to where they originate, automatically distributing the load. Name server segmentation, an infrastructure capable of handling almost 9 trillion authoritative requests daily, and the DDoS attack protection provided by UltraDDoS Protect make UltraDNS a platform capable of repelling these attacks.
Take your DNS management to the next level with UltraDNS.
If you’re ready to simplify your DNS management and enhance your protection, be sure to check out our product page!