Because DNS is critical to the network infrastructure, and designed to be open and accessible, a DDoS attack can debilitate the entire network.
Apr 1st, 2020
Now that we’ve done an overview of the most common attacks against DNS let’s take a closer look at each. We’ll start with DDoS, as it is the most commonly cited (and often misunderstood) threat to DNS security.
DDoS stands for “Distributed Denial of Service,” and simply means that attackers overload the target with faux traffic to cause a shutdown of services.
In these COVID-19-defined times, you may have experienced DoS yourself: if you’re a parent, the 207th time your children come up to you with questions you might not answer. The first 206 were nonsense queries. Surely this one is as well? Maybe not, but at this point, your kids have successfully executed a DoS attack on your attention.
DDoS is not suitable for sophisticated targeting or data theft. As a brute force technique, it’s simple and relies solely on its massive scale. As a consequence, while a service outage can be costly, the ramifications of a DDoS attack rarely go beyond that. (But of course, combining DDoS with other attack methods can complicate things.)
While DDoS isn’t specific to DNS, DNS is just as exposed to it.
DDoS can target any of the 7 layers of the OSI model. (Although the lower the layer, the more complex DDoS efforts become.) DNS is in Layer 7, as it’s an application (using the TCP/IP stack of Layer 4).
But because DNS is a critical part of the networking infrastructure, and inherently designed to be open and accessible to everyone, it’s a prime target for a DDoS attack -- and a successful attack on DNS can debilitate the entire network.
The most common DDoS variants that target DNS are:
Flood attacks are the odd one out in the list, as they’re targeting Layer 4 (the transport mechanisms themselves) instead of DNS on Layer 7.
Simple: DDoS is simple, and thus “limited” in its damage.
All DDoS variants rely on brute force, but the aim is not to exploit vulnerabilities and thus gain access to valuable data or infrastructure, but to shut down services for everyone. (Including the attackers themselves.)
This limits its effectiveness substantially, as service outages can be managed and weathered. That said, large-scale or widespread DDoS attacks (like the 2016 Dyn cyberattack) can cost millions of dollars and impact hundreds of thousands of connected devices.
Stupid: because it’s simple, DDoS requires very little initial investment (resources or sophistication) from the attackers.
DDoS attackers take advantage of the unbalanced nature of network communications. A query is easy and cheap to execute, but the response can be disproportionately more complicated and expensive.
Because of this, DDoS attackers rely on simple scripts (running on a network of often-unsuspecting machines called a botnet) to wreak the maximum amount of havoc with little to no risk of exposure.
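As an added illustration (not code from the original post), the following Python measures that asymmetry on a constructed resolver query log, computing the response-to-query byte ratio per query type, and flags sources that exceed a per-second query threshold, the kind of software-defined safeguard a resolver can apply. The log layout, the sample addresses and the threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of resolver query-log lines (not real traffic), in a
# hypothetical "timestamp src_ip qname qtype query_bytes response_bytes" layout.
SAMPLE_LOG = """\
1585699200.01 198.51.100.7 example.com ANY 45 1410
1585699200.02 198.51.100.7 example.com ANY 45 1410
1585699200.05 198.51.100.7 example.com ANY 45 1410
1585699200.09 198.51.100.7 example.com ANY 45 1410
1585699200.40 203.0.113.9 www.example.org A 49 65
1585699201.10 203.0.113.9 mail.example.org MX 50 120
"""

def parse_log(text):
    """Return (ts, src, qname, qtype, qlen, rlen) tuples from the constructed layout."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, qname, qtype, qlen, rlen = line.split()
            rows.append((float(ts), src, qname, qtype, int(qlen), int(rlen)))
    return rows

def flood_sources(rows, limit, window=1.0):
    """Return sources that send more than `limit` queries within any `window` seconds.
    This sliding-window count is the core of per-client response rate limiting."""
    per_src = defaultdict(list)
    for ts, src, *_ in rows:
        per_src[src].append(ts)
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop timestamps older than the window
                start += 1
            if end - start + 1 > limit:
                flagged.add(src)
                break
    return flagged

def amplification_by_qtype(rows):
    """Average response/query byte ratio per qtype: the asymmetry a flood exploits."""
    qsum, rsum = Counter(), Counter()
    for _, _, _, qtype, qlen, rlen in rows:
        qsum[qtype] += qlen
        rsum[qtype] += rlen
    return {t: round(rsum[t] / qsum[t], 2) for t in qsum}
```

Large ratios for a query type (ANY in the constructed sample) show where one cheap query makes the server emit the most bytes; the flagged sources are candidates for rate limiting rather than blocking, since legitimate clients can share an address.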
Predictable: while exposure is low, and prevention is limited, we can mitigate the damage of DDoS.
With a cheap attack opportunity and a perpetually vulnerable target infrastructure, DDoS cannot be entirely prevented. DDoS is possible because there are physical and software-defined limits in IT.
But because the attack vectors for DDoS are locked and predictable, there are ways to mitigate or prevent the damage.
The attack vectors for DDoS are known. Inherent in the design and structure of networks, we cannot shut these vulnerabilities down. But we can strengthen and control them better.
DDoS prevention can take as many forms as there are attacks. As we’re focusing on DNS, we’re not covering security methods that exist on other layers, such as hardware.
DDoS attacks against DNS can be mitigated by setting up software-defined safeguards:
DDoS is dangerous, but as we saw, its impact is limited, and its damage can be mitigated. DNS cache poisoning, our next topic in this security series, can be much harder to detect — and can result in damage a lot deeper than a simple outage.
We’ll cover cache poisoning, and how to identify and prevent it, in our next post.