The Domain Name System (DNS) infrastructure is a critical part of your network, providing name resolution while also supporting countless other critical capabilities—for example, load balancing—that we take for granted. The availability of DNS is key for anyone providing services or content across the internet; if their DNS infrastructure is unavailable or slow, then from a user’s perspective, their connection may as well be down.
The best example of the impact a DNS failure can have is the Mirai attacks against DYN in 2016. DYN provides DNS services to several well-known internet brands, and when its services were hit, millions of users could no longer access their favorite services, such as Netflix.
The Importance of Application-Layer Visibility
A low-volume application-layer distributed denial-of-service (DDoS) technique known as “water torture” was used in the case above. A botnet generated DNS queries for millions of random hosts, which put a huge load on the DNS infrastructure and caused it to become unavailable for genuine user queries. Having the ability to quickly detect, analyze, and mitigate application-layer threats to DNS infrastructure availability requires visibility at layer 7.
DNS infrastructure can also be leveraged to generate large-scale volumetric attacks via the reflection/amplification technique. DNS reflection/amplification attacks historically have been some of the largest volumetric attacks seen across the internet. A DNS reflection/amplification attack involves an attacker’s botnet sending queries to a number of DNS servers, usually in the low thousands for a domain with multiple DNS records. This will result in a large response.
The “trick” is that the bots generate the DNS queries by using the source IP address of the intended DDoS victim. The DNS servers will innocently send their large volume of responses back to the victim, with traffic volume 10 to 100 times larger than that generated by the original botnet. Once the limits on bandwidth for the network, server, or application are attained, the circuit becomes unavailable. Being able to detect when local DNS infrastructure is being used in this way is important to avoid service slowdowns. Layer 7 visibility, as above, is required to meet this goal.
How NETSCOUT Helps
To defend against DDoS attacks targeting DNS services, it is key to quickly detect any kind of DNS vector attack—both application-layer and volumetric reflection/amplification types. To accomplish this, you need visibility and fast detection at layer 3/4 via NetFlow and at layer 7. Arbor Sightline with Sentinel is at the heart of the NETSCOUT Smart Visibility and protection solution. The use of NetFlow, Border Gateway Protocol (BGP), and Simple Network Management Protocol (SNMP) allows the system to detect within seconds any DNS volumetric attack such as the reflection/amplification type, giving infrastructure providers the means to react and defend in a real-time manner. With the addition of CyberStream, the Arbor Sightline with Sentinel system will consume and analyze NETSCOUT Smart Data, providing the layer 7 visibility to detect faster and more effectively any of the DNS application-layer DDoS vectors such as the water torture technique.
Our approach consists of combining different capabilities and systems that provide NETSCOUT with a distinctive positioning and competitive advantage, utilizing the capabilities in the network infrastructure to defend against DNS DDoS volumetric attack vectors via BGP Flowspec.
By leveraging NETSCOUT’s technologies, expertise, and experience in protecting the worldwide DNS infrastructure, service providers and enterprises can count on having the internet “always on,” keeping customers and stakeholders connected.
Read more about protecting the DNS infrastructure.