Cloud Chronicles, Part 2: DNS DDoS Attack Prevention & Defense
Security may not be the first thought when considering how a DNS solution will fit into your environment. After all, it’s often referred to as “the phonebook of the internet” and how often are phonebooks and security mentioned in the same sentence? DNS is a bit unassuming, even if it is basically the backbone of daily internet interactions. Perhaps because of this ubiquity, DNS services are also frequently the target of distributed denial-of-service (DDoS) attacks. And as the complexity and frequency of these attacks escalate, so do the demands that come with defending this cornerstone of internet infrastructure.
DNS DDoS Attacks: A rose by any other name would still disrupt traffic
What is there to say about DNS DDoS attacks that hasn’t been said already? They come in multiple flavors and range in size from “inconvenient” to “break the internet,” or at least a corner of it. “DDoS” is an umbrella term that encompasses myriad types of service-denying network and application attacks that find their way into legitimate application traffic. Here are four of the more common large-scale attacks:
DNS Amplification and Reflection Attacks turn the DNS itself into a weapon, exploiting the open nature of DNS servers to amplify the attack traffic—much like shouting into a canyon and using the echo to amplify the sound.
NXDOMAIN Attacks flood a server with requests for non-existent domains, creating an insidious cacophony of "wrong numbers" that bog down the service.
Random Subdomain Attacks throw a curveball by requesting a vast array of nonexistent subdomains, confounding DNS resolvers.
DNS Floods inundate a server or servers with legitimate-looking traffic, attempting to overwhelm a system through sheer volume.
DNS Floods, Subdomain, NXDOMAIN, and Amplification and Reflection attacks—however they show up, they all seek to use excessive or irregular traffic to disrupt legitimate users’ access to business-critical apps. They’re not always launched in isolation, either. Indeed, DNS DDoS attacks can also serve as smokescreens to mask other malicious activity. Considering the existence of these attack types in the context of proliferating digital transformations, a growing prevalence of IoT devices, and the expansion of 5G network access, bad actors can now leverage more tech and more internet connections than ever to realize their nefarious goals against DNS services. What to do?
Multi-vectored attacks, multi-vectored security
Positioning DNS as the application delivery starting point in an environment really does call on teams to consider it as a starting point for security as well, even if a DNS service isn’t typically thought of as a security solution in a traditional sense.
It helps to think about security in the context of three related functions: scalability, high availability, and malicious traffic management. These functions all take a hands-on role in interacting with traffic, ensuring that the right traffic gets to where it needs to be, without obstruction.
Scalability: Consider an infrastructure that’s built to automatically scale up in response to surging traffic demands, giving the teams who maintain the service a head start on DDoS attack detection. It can ensure that even during a volumetric attack, legitimate users can still resolve their DNS queries with minimal interference, like having a bridge that can add lanes during rush hour traffic to prevent congestion. A DNS services’ ability to scale also means that a sudden wave of traffic—malicious or otherwise—won’t overwhelm backend resources to the point of incapacitation.
High Availability: Add another dimension to the notion of scalability, especially in the context of DNS security, and you’ll realize the need for a DNS service that will deliver uninterrupted resolutions during an attack that may knock a resource offline. If that service benefits from points of presence (PoPs) around the world, that network of servers can provide intelligent traffic management by delivering seamless failovers to designated resources, enabling access for users, and preventing attackers from identifying and exploiting a single point of failure. The other flavor of this solution is to pair a cloud-based DNS service with an on-premises DNS service, deploying the two as a kind of dynamic, DDoS-fighting duo that can split the load between them or position one DNS service as a backup to the other.
Malicious Traffic Management: Beyond scalability and high availability, a DNS service should also employ advanced malicious traffic management capabilities. By leveraging real-time analytics and threat intelligence, such a service can help administrators identify and address malicious traffic before it can cause harm. Imagine if you will, a water filter that can differentiate between a stream of clean water and one that's been tainted, allowing only clean water through. Allowing only “clean” traffic through the network frees up resources by detecting malicious traffic preemptively and then dropping it before it can reach its victim destination, preventing that destination from having to handle junk packets and paving the way for improved app availability.
These security methods triangulate on the problem of mitigating bad traffic. They grow, they divert, they drop. They also provide coverage for each other in areas where one individual method may be lacking. High availability, for instance, doesn’t necessarily mean high scalability (and vice versa). Deploying an app delivery strategy that combines all three, however, can quickly provide a strong line of defense against malicious traffic floods.
In practice, achieving robust application delivery in the face of challenges like DDoS attacks often involves combining strategies and technologies, such as intelligent traffic management, distributed architectures, and automated failover mechanisms. F5 Distributed Cloud DNS can be the first step in developing this kind of environment for your distributed apps.
If you want to learn more about how, contact us.