What Is a DNS Flood Attack?

DNS flood attacks are Distributed Denial of Service (DDoS) attacks targeting DNS servers. These attacks deny access to DNS, the critical Internet protocol that lets users reach websites by name. Without access to DNS, users cannot browse any website whose DNS records are hosted by the affected DNS server.


Quick Primer on DNS

Here’s a simplified breakdown of how the Domain Name System (DNS) works:

  1. DNS Query: When you type a website address into your browser, a computer sends a request (DNS query) to a nearby server called a recursive resolver. This legitimate query essentially asks, “What’s the IP address for this website name?”
  2. The Search: The recursive resolver acts like a switchboard operator, contacting authoritative name servers. These are specialized servers that hold the most trusted data (IP address) for a specific domain name.
  3. DNS Response: Once the authoritative server locates the IP address, it sends a response back to the recursive resolver.
  4. The Answer: The recursive resolver then relays this information (IP address) to your computer.
  5. Connection Established: Your computer now has the necessary address and can connect directly to the website.

How Does a DNS Flood Attack Work?

A DNS flood attack works by overwhelming DNS servers with a massive amount of fake website address requests.

  • Normal Operation: When you try to access a website, your computer contacts a DNS server. The DNS server acts like a phone book, translating the domain name into the numerical address (IP address) that your computer understands.
  • The Attack Begins: Attackers bombard the DNS server with a huge volume of requests for nonexistent or invalid website addresses.
  • System Overload: The DNS server gets overwhelmed trying to respond to all DNS requests. It’s like getting flooded with wrong phone numbers, making it difficult to find the real number you’re looking for.
  • Impact: Because the server is busy processing junk, it can’t respond to legitimate requests for real website addresses. This results in website outages or slow loading times.

DNS flood attacks can be performed in various ways, but one of the most common threats is an Internet of Things (IoT) botnet. These collections of compromised IoT devices can be used to send massive amounts of traffic to a DNS resolver – knocking it offline if it lacks adequate anti-DDoS defenses.
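From the defender's side, the pattern described above (a flood of queries for names that do not exist) is visible in resolver query logs. The following is an added example, not code from the original page or from Check Point, that scores sources and zones on NXDOMAIN ratio and name diversity. The log line format and all addresses are constructed for the example; the second function shows why a per-source view alone misses a distributed IoT botnet where each device sends only a couple of queries.

```python
from collections import defaultdict

# Constructed resolver query log, one record per line: "<epoch> <client-ip> <qname> <rcode>".
# The layout is an assumption for this example, not any real server's log format.
def build_sample_log() -> str:
    lines = []
    # A legitimate client asking for a handful of real names.
    for i, name in enumerate(["www.example.com", "mail.example.com", "api.example.com",
                              "www.example.com", "cdn.example.com"]):
        lines.append(f"{1700000000 + i} 198.51.100.10 {name} NOERROR")
    # A single noisy source sending 40 queries for random-looking, non-existent labels.
    for i in range(40):
        lines.append(f"{1700000000 + i} 203.0.113.7 q{i:04x}.example.com NXDOMAIN")
    # A 30-node botnet where each node sends only two junk queries.
    for b in range(30):
        for j in range(2):
            lines.append(f"{1700000000 + b} 192.0.2.{b + 1} z{b:02d}{j}.example.com NXDOMAIN")
    return "\n".join(lines)

def parse_log(text: str):
    records = []
    for line in text.strip().splitlines():
        ts, src, qname, rcode = line.split()
        records.append((int(ts), src, qname.lower(), rcode))
    return records

def flag_flood_sources(records, min_queries=20, nx_ratio=0.8, unique_ratio=0.8):
    """Per-source view: flag clients whose queries are mostly NXDOMAIN for mostly distinct names."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "names": set()})
    for _, src, qname, rcode in records:
        s = stats[src]
        s["total"] += 1
        s["names"].add(qname)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    flagged = {}
    for src, s in stats.items():
        if s["total"] < min_queries:  # too few queries to judge this source on its own
            continue
        nx = s["nxdomain"] / s["total"]
        uniq = len(s["names"]) / s["total"]
        if nx >= nx_ratio and uniq >= unique_ratio:
            flagged[src] = {"queries": s["total"], "nxdomain_ratio": round(nx, 2),
                            "unique_name_ratio": round(uniq, 2)}
    return flagged

def zone_nxdomain_ratio(records):
    """Per-zone view: aggregate across all sources, so a distributed botnet still stands out."""
    zones = defaultdict(lambda: {"total": 0, "nxdomain": 0, "sources": set()})
    for _, src, qname, rcode in records:
        zone = ".".join(qname.split(".")[-2:])  # assumption: the zone is the last two labels
        z = zones[zone]
        z["total"] += 1
        z["sources"].add(src)
        if rcode == "NXDOMAIN":
            z["nxdomain"] += 1
    return {zone: {"total": z["total"], "nxdomain": z["nxdomain"],
                   "nxdomain_ratio": round(z["nxdomain"] / z["total"], 2),
                   "distinct_sources": len(z["sources"])} for zone, z in zones.items()}

if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print(flag_flood_sources(recs))
    print(zone_nxdomain_ratio(recs))
```

On the constructed log the per-source check flags only 203.0.113.7; the 30 botnet nodes each fall below the minimum query count, yet the zone view shows example.com at roughly 95% NXDOMAIN from 32 distinct sources, which is the signal a detection rule for a distributed flood should key on.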

Impacts of a DNS Flood Attack

Here are the most common impacts of a DNS flood attack:

  • Website Outages: Websites served by the targeted DNS server become inaccessible. Users encounter error messages or blank pages.
  • Slow Loading Times: A flood of fake requests overwhelms servers, delaying the processing of legitimate requests and leading to slow website loading.
  • Disrupted Online Services: Online services (email, online banking) that rely on the targeted DNS server are disrupted.
  • Loss of Productivity and Revenue: Website outages and slow loading times can lead to lost productivity and revenue for businesses.
  • Reputational Damage: Attacks can damage a company’s reputation, affecting customer trust and confidence.

DNS is a potential single point of failure in modern network infrastructure.

If an organization relies on one or a few DNS servers to resolve its domain name, then a DNS flood that takes these servers down can render the website inaccessible to users – leading to a potential financial loss. The most famous example of these types of attacks was an attack against Dyn in 2016, which caused outages on major sites, including Netflix, PayPal, and Twitter.

DNS Flood Attack Mitigation

DNS flood attacks are difficult to protect against because they target servers that must remain publicly accessible, and the junk queries arrive mixed with potentially legitimate traffic. Some methods that make these attacks harder to perform or limit their effectiveness include:

  • Overprovisioning Resources: Typically, DNS flood attacks are designed to consume network bandwidth or the computational capacity of DNS servers. While oversizing network bandwidth and servers won’t prevent an attack, it increases the volume of traffic that the attacker will need to generate and sustain to achieve their goals.
  • Anycast DNS: Anycast networking routes traffic to the nearest of several servers that share a particular IP address. With a globally distributed network of DNS servers using anycast networking, it is much more difficult for an attacker to generate the volume of traffic necessary to overwhelm all of an organization’s DNS infrastructure.
  • DNS Caching: DNS caching saves copies of commonly accessed DNS records on a network of distributed servers. If a DNS request hits the cache, it isn’t forwarded to the DNS origin server, reducing the load on that server.
  • Rate Limiting: DNS flood attacks try to overwhelm a DNS server with malicious traffic. Implementing rate limiting caps the number of queries the server will accept from a particular source IP address, which may decrease the impact of a DNS flood attack.
  • Geographic Blocking: IoT botnets are generally distributed, so attack traffic may come from all over a particular region or from around the globe. If a service’s users are located in a particular region, blocking traffic from outside of that region may reduce the volume of attack traffic.
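The caching and rate-limiting items above interact in a way worth seeing side by side. The following simulation is an added example, not code from the original page or from Check Point: a toy resolver that serves repeated names from cache (including negative answers for non-existent names) and applies a per-source token bucket only to queries that must be forwarded to the origin. The authoritative data, client addresses, rate and TTL values are all constructed assumptions for the example.

```python
from collections import defaultdict

class TokenBucket:
    """Per-source token bucket: refills `rate` tokens per second, stores at most `burst`."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

# Constructed authoritative data; any other name resolves to NXDOMAIN.
ORIGIN_DATA = {"www.example.com": "192.0.2.10",
               "mail.example.com": "192.0.2.20",
               "api.example.com": "192.0.2.30"}

class Resolver:
    def __init__(self, rate=5.0, burst=10, ttl=300, negative_ttl=60):
        self.rate, self.burst, self.ttl, self.negative_ttl = rate, burst, ttl, negative_ttl
        self.cache = {}    # qname -> (answer, expiry time)
        self.buckets = {}  # source IP -> TokenBucket
        self.stats = defaultdict(lambda: {"cache_hit": 0, "forwarded": 0, "dropped": 0})

    def resolve(self, src: str, qname: str, now: float):
        s = self.stats[src]
        entry = self.cache.get(qname)
        if entry is not None and entry[1] > now:
            s["cache_hit"] += 1          # served locally, origin server untouched
            return entry[0]
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            s["dropped"] += 1            # over the per-source budget for origin lookups
            return None
        s["forwarded"] += 1
        answer = ORIGIN_DATA.get(qname, "NXDOMAIN")
        # Negative answers are cached too (shorter TTL), so repeats of a bad name stay cheap
        ttl = self.ttl if answer != "NXDOMAIN" else self.negative_ttl
        self.cache[qname] = (answer, now + ttl)
        return answer

def simulate() -> dict:
    """Three constructed clients over 100 simulated seconds; returns per-source counters."""
    r = Resolver()
    legit = ["www.example.com", "mail.example.com", "api.example.com"]
    for t in range(100):                             # one query per second, three real names
        r.resolve("198.51.100.10", legit[t % 3], t)
    for t in range(10):                              # 100 queries/s, every name unique
        for i in range(100):
            r.resolve("203.0.113.7", f"r{t:02d}{i:03d}.example.com", t)
    for t in range(10):                              # 100 queries/s, same bad name repeated
        for i in range(100):
            r.resolve("203.0.113.8", "doesnotexist.example.com", t)
    return {src: dict(v) for src, v in r.stats.items()}

if __name__ == "__main__":
    for src, counters in simulate().items():
        print(src, counters)
```

The legitimate client is never throttled because almost all of its queries are cache hits. The repeated-name flood is absorbed by the negative cache after a single origin lookup. The random-name flood defeats caching entirely, since every query is a miss, so only the token bucket protects the origin, and the flood's effect on its own source is 55 forwarded queries out of 1000. Two caveats a practitioner should keep in mind: per-source rate limiting keys on the source address, which a botnet spreads across many hosts and which spoofed UDP traffic can forge, and the limiter protects the origin server's compute, not the link bandwidth that the flood also consumes.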

The best protection against DNS flood attacks is deploying DDoS mitigation solutions. These services can identify and filter DNS flood traffic, preventing a DNS server from being overwhelmed while enabling it to serve legitimate users.

How Check Point Mitigates DNS Flood Attacks

Protecting DNS infrastructure is essential to the proper functioning of the Internet. DNS flood attacks pose a significant risk to these systems due to their ability to overwhelm DNS servers with more traffic than they can handle.

Also, most solutions designed to mitigate these attacks only reduce their effectiveness, not block them entirely. The best way to protect against DNS floods and similar attacks is with a DDoS mitigation solution.

Check Point Quantum DDoS Protector offers robust protection against even the largest attacks, leveraging machine learning and AI to provide real-time attack detection and prevention for DDoS attacks up to 800 Gbps. Learn more about Quantum DDoS Protector’s capabilities and how it can reduce your organization’s exposure to DNS floods and other DDoS attacks with this datasheet.
