Recent press has shown a marked increase in DDoS attacks on ISPs around the world. According to Network World, DDoS attackers seem to have switched their attention from banks to gaming hosts, ISPs and even enterprises. At Infoblox our customers have been telling us the same thing, as DDoS attacks have intensified among our ISP customers. Initially everything was lumped together under the ‘DDoS’ heading. Then they became known as ‘NXDomain’ attacks, but as we sifted through the PCAP files of the actual attacks across different customers in different regions, a number of unique patterns emerged.  

ISPs are especially sensitive about DDoS attacks. Not only are these attacks extremely disruptive to the business – they consume time and effort to understand and mitigate – but they can also affect the ISP’s brand reputation if attacks continue and degrade the user experience. Like every service provider they want to avoid costly customer churn. And DNS is critical to the customer experience – if DNS is slow, the customer will undoubtedly notice.

Let’s take a look at six new attack types and how each one works:

1.     Basic NXDomain Attack

The attacker sends a flood of queries to a DNS server to resolve a non-existent domain (NXDomain). The recursive server tries to locate this non-existent domain by carrying out multiple domain name queries but does not find it. In the process, its cache is filled up with NXDomain results.

What is the impact?  

When the DNS caching server’s cache is full, users experience slower DNS server response time for legitimate DNS requests. The DNS server also spends valuable resources as it keeps trying to repeat the recursive query to get a resolution result.

2.     Random Sub-domain attacks on Legitimate Domains

The attacker tries to exhaust the number of outstanding concurrent DNS queries by flooding the DNS server with requests for multiple non-existent domains - that he creates using randomly generated domain strings. For example: xy4433.yahoo.com aj323bc.yahoo.com etc.

What is the impact?

The responses never come back from these non-existing domains and the DNS server, as before, spends compute resources waiting for the responses. The attacker thinks he is attacking the domain usda.gov but he is in fact impacting the infrastructure of his ISP – so the impact is doubled:

1)     The recursive DNS server has an upper limit on the number of outstanding DNS queries. The flood of randomly generated queries rapidly exhausts this limit.

2)     The authoritative DNS server of the target domain is subjected to a denial of service attack

3.     Phantom Domain Attacks

In these attacks, the DNS resolver is forced to resolve multiple domains that are “Phantom” domains that have been setup as part of the attack. These domains do not send responses, causing the server to consume resources while waiting for responses, eventually leading to degraded performance or failure.

What is the impact?

The DNS resolver waits for responses - that never arrive - from these phantom domains. This consumes resources leading to degraded performance or failure.

4. Lock-Up Domain Attacks

Resolvers and domains are setup by attackers to establish TCP-based connections with DNS resolvers that request a response. These domains don’t send the correct response expected by the DNS resolver but instead keep them engaged with random packets. They are also deliberately slow in responding to requests from the DNS resolvers and keep the DNS resolvers “tied-up” or “hanging”. Advanced attacks also involve adaptive techniques to keep the DNS resolver “coming back” to check for responses. These domains might send a SERVFAIL at the end.

What is the impact?

The DNS resolver establishing these connections with the misbehaving domains exhausts its resources.

5. CPE-driven DDoS attacks in the ISP network

There are open DNS recursors or DNS proxies on customer premise equipment (CPE) devices. A significant proportion of the open DNS recursors utilized for DNS reflection or amplification attacks are CPE devices. Some devices ship with a local, caching-only DNS server or DNS proxies open to the world. Users enable port-forwarding to open DNS recursors on their home networks.

What is the impact?

Exhaustion of ISP DNS resources or slow servers.

6. DDoS attacks using Malware-infected CPE devices

Akamai's Prolexic Security Engineering and Research Team (PLXsert) is tracking the spread of Spike, a new malware toolkit that poses a threat to embedded devices, as well as Linux and Windows systems.

From the advisory:

Binary payloads from this toolkit are dropped and executed after the successful compromise of targeted devices, which may include PCs, servers, routers, Internet of Things (IoT) devices (i.e., smart thermostat systems and washer/dryers) and home-based customer premise equipment (CPE) routing devices.

The toolkit has multiple DDoS payloads, including SYN flood, UDP flood, DNS query flood, and GET floods.

What is the impact?

The malware-infected CPE devices effectively form a new botnet, enabling the botnet controller to generate DDoS traffic on demand against selected targets.

Conclusion

While no single mitigation approach is bullet proof – and the vendor community is working hard to help customers as much as possible - it is clear that the latest spate of DDoS attacks is targeting DNS as a key vulnerability. DNS-based attacks can be either the heavy flood variety such as DNS reflection and amplification attacks, which typically grab the headlines, or they can be low-volume stealth attacks that evade traditional flood detection defenses.  We are working with our ISP customers and their enterprise customers to help them protect their DNS infrastructure and discuss the best ways to address these new DNS-centric DDoS attacks. We will continue to share what we learn in future blog postings.