Defending Your Local DNS Infrastructure Is Critical.

Here’s Why.


One of the many topics of focus during the initial technology boom was understanding how to efficiently get humans and machines to communicate. Machines typically do well with well-structured consistent characters such as numbers: think binary code. These don’t generally need translation. Humans, however, do better with familiar words or phrases. A good example of this is the old alphanumeric phone numbers from the 1950s and ’60s. 

For example, on the “I Love Lucy” show, Lucy or Ricky gave out their phone number as “Murray Hill 5-9975.” The Ricardos’ MUrray Hill 5-9975 meant their number was 685-9975: the dialed letters “MU” correspond to “68” and identified the Murray Hill exchange on the east side of Manhattan, while the rest of the word “Murray Hill” served purely as a mnemonic. The exchange name helped callers remember the number, and a human switchboard operator translated it into the full number and connected the call. This is still true to some degree with our cell phones. We do not remember numbers; we put them into our contact records. When we want to call or text someone, we type in their name and the phone does the rest.

Understanding DNS

This is precisely the purpose of the Domain Name System (DNS). This internet protocol acts like a telephone directory. But to understand how it works, it is essential to understand how internet users and browsers access websites. Browsers connect using Internet Protocol (IP) addresses: distinctive combinations of numbers and dots that identify a host on the network, the equivalent of the full phone number in the example above. However, like the mnemonic used in the Murray Hill example, people need something more memorable, such as a domain name, to type into their browsers, because the name is what they remember from all the marketers saying “Just type in” the name. This is where DNS comes in. A resolver takes the domain name the user entered and walks the domain name hierarchy of servers (root, top-level domain, and finally the authoritative server for the domain) to translate it into the IP address of that domain and get the user connected to the resource. Without this system, digital communications online would be almost impossible.
This DNS infrastructure is a critical part of your network, providing name resolution while also supporting countless other vital capabilities. The availability of DNS is key for anyone providing services or content across the internet; if their DNS infrastructure is unavailable or slow, then from a user’s perspective their connection may as well be down.

This is especially true for enterprises hosting their own private DNS infrastructure that responds to both internal and external DNS queries. As explained later in this piece, such servers are vulnerable to DNS water torture attacks.

According to findings in the NETSCOUT DDoS Threat Intelligence Report for the second half of 2022, DNS query flood (DNS water torture) attacks are one of the vectors of choice for today’s attacker. Many malicious actors use this vector to disrupt an organization’s communication.

In the world of human torture, water torture consisted of pouring drops of water on a person’s forehead for a period of time. The drops are purposely timed unequally so that the victim could not anticipate when the next one would hit. This impacted the victim’s mental capacity, eventually leading to a level of psychosis.

Digitally, instead of random water drops, attackers launch DNS water torture attacks (aka NXDOMAIN attacks, DNS floods, or DNS exhaustion attacks) consisting of large numbers of queries for random, nonexistent subdomains of the target domain. These are designed to exhaust the DNS server infrastructure (for example, the recursive DNS resolver or the authoritative name server). Because each random name has never been seen before, the recursive resolver has no cached answer for it, so it must perform a full lookup, submitting requests up the DNS chain until it reaches the authoritative server of the target domain.

Because the subdomain does not exist, the authoritative server sends back a “nonexistent domain” or “NXDOMAIN” response. The resolver then caches that negative answer, a practice known as negative caching. How long any answer may be reused from cache is governed by its “time to live” (TTL): a numerical value, in seconds, set on the authoritative name server for the domain (for positive answers it is the TTL on the record; for NXDOMAIN answers it is the negative-caching TTL carried in the zone’s SOA record). When the defined number of seconds have passed since the answer was fetched, the caching server must reach out to the authoritative server again and receive the current, and possibly changed, value. The attack defeats this mechanism entirely: since every query carries a different random name, no cached entry is ever reused, every query costs the resolver a full recursion and costs the authoritative server a lookup, and by employing a botnet, attackers can multiply the nonexistent-domain requests. Ultimately the resolver’s outstanding-query capacity is consumed and its cache fills with useless NXDOMAIN entries, leaving it unable to resolve legitimate DNS requests and essentially cutting off services to legitimate users and customers.
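The cache-defeating effect described above can be seen in a small simulation. This is an added example, not NETSCOUT code or a real resolver: the zone contents, the victim zone name `example.com`, the 300-second negative TTL, and the traffic mixes are all made up for illustration. A toy resolver caches both positive answers and NXDOMAIN answers with a TTL, and every cache miss is counted as one query sent to the authoritative server.

```python
"""Toy recursive resolver cache showing why random-subdomain (water torture)
queries defeat caching.  Added example; zone data, TTLs and traffic are
constructed for illustration, not taken from any real deployment."""
import random
import string

VICTIM_ZONE = "example.com"   # hypothetical target zone
NEGATIVE_TTL = 300            # seconds; in real DNS this comes from the SOA (RFC 2308)

# Simulated authoritative zone: name -> (answer, ttl)
ZONE = {
    "www.example.com": ("192.0.2.10", 3600),
    "mail.example.com": ("192.0.2.25", 3600),
    "api.example.com": ("192.0.2.30", 3600),
}


class ToyResolver:
    """Caches positive and negative answers keyed by name.  Each cache miss
    costs one query to the authoritative server (upstream_queries)."""

    def __init__(self, zone_data):
        self.zone_data = zone_data
        self.cache = {}            # name -> (answer, expiry_time)
        self.upstream_queries = 0
        self.now = 0

    def tick(self, seconds):
        """Advance the simulated clock so cached entries can expire."""
        self.now += seconds

    def resolve(self, name):
        entry = self.cache.get(name)
        if entry is not None and entry[1] > self.now:
            return entry[0]        # answered from cache, no upstream cost
        # Cache miss: full recursion to the authoritative server.
        self.upstream_queries += 1
        if name in self.zone_data:
            answer, ttl = self.zone_data[name]
        else:
            answer, ttl = "NXDOMAIN", NEGATIVE_TTL   # negative caching
        self.cache[name] = (answer, self.now + ttl)
        return answer

    def negative_entries(self):
        """Number of unexpired NXDOMAIN entries currently held in cache."""
        return sum(1 for ans, exp in self.cache.values()
                   if ans == "NXDOMAIN" and exp > self.now)


def random_label(rng, length=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def legitimate_queries(n, seed=1):
    """Normal users: repeated lookups of a handful of real names."""
    rng = random.Random(seed)
    names = list(ZONE)
    return [rng.choice(names) for _ in range(n)]


def water_torture_queries(n, seed=2):
    """Botnet: every query is a fresh random subdomain of the victim zone."""
    rng = random.Random(seed)
    return [f"{random_label(rng)}.{VICTIM_ZONE}" for _ in range(n)]


def run_workload(resolver, queries):
    """Returns (upstream queries caused, cache hit ratio) for a burst."""
    before = resolver.upstream_queries
    for q in queries:
        resolver.resolve(q)
    misses = resolver.upstream_queries - before
    return misses, 1 - misses / len(queries)


def compare(n=1000):
    """Same-sized bursts of legitimate and attack traffic against fresh caches."""
    legit = ToyResolver(ZONE)
    legit_misses, legit_hit = run_workload(legit, legitimate_queries(n))
    attacked = ToyResolver(ZONE)
    attack_misses, attack_hit = run_workload(attacked, water_torture_queries(n))
    return {
        "legit_upstream": legit_misses,
        "legit_hit_ratio": legit_hit,
        "attack_upstream": attack_misses,
        "attack_hit_ratio": attack_hit,
        "attack_negative_cache_entries": attacked.negative_entries(),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With 1,000 legitimate queries the resolver goes upstream three times (once per real name) and serves the rest from cache; with 1,000 attack queries it goes upstream 1,000 times and is left holding 1,000 negative entries that no legitimate client will ever ask for again. Calling `tick(301)` on the attacked resolver shows those entries expiring once the negative TTL elapses, which is exactly why a sustained flood keeps the resolver busy indefinitely.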

The Importance of Application-Layer Visibility

The best example of the impact a DNS failure can have is the Mirai attacks against Dyn in 2016. Dyn provided DNS services to several well-known internet brands, and when its services were hit, millions of users could no longer access their favorite services such as Netflix.

The water torture technique detailed above was employed in the Dyn attack as an application-layer methodology: a botnet generated DNS queries for millions of random nonexistent hosts, which put a huge load on the DNS infrastructure and caused it to become unavailable for genuine user queries. The damage came from the cost of resolving each unique name rather than from raw bandwidth. Having the ability to quickly detect, analyze, and mitigate such application-layer threats to DNS infrastructure availability requires on-premises, always-on protection at the network edge.


To defend against distributed denial-of-service (DDoS) attacks targeting DNS services at the enterprise level, it is key to quickly detect any kind of DNS attack vector before it reaches your on-premises DNS infrastructure. This is especially true with application-layer attacks because they mimic legitimate traffic and are frequently under 1Gbps in volume. The research in NETSCOUT’s latest DDoS Threat Intelligence Report indicates that, in general, 72 percent of all DDoS attacks under 1Gbps fall into a low-priority category for upstream DDoS protection providers and may go unmitigated because they are perceived to cause minor collateral damage, when in reality they can be exceptionally disruptive to small enterprises. The same blind spot exists in on-premises security devices that are not purpose-built to understand DNS attack methodology.
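Because the traffic mimics legitimate queries and is spread across a botnet, per-source rate limits and bandwidth thresholds miss it; the signal lives in the application layer. The following added example (not NETSCOUT code) shows detection logic run over constructed DNS response log lines in an assumed `timestamp client qname rcode` format. The thresholds, the monitored zone `example.com`, the bot addresses in 198.51.100.0/24 and the log contents are all assumptions for illustration. It scores both per client and per target zone, so that a flood in which each bot sends only a few queries is still caught by the zone-level view.

```python
"""NXDOMAIN-flood (DNS water torture) detection over DNS response logs.
Added example, not NETSCOUT code.  Log format, thresholds, zone name and
client addresses are assumptions constructed for illustration."""
import math
import random
import string
from collections import Counter, defaultdict

# Constructed sample log: legitimate traffic plus one honest typo.
LEGIT_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000000 10.0.0.6 mail.example.com NOERROR
1700000001 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.7 api.example.com NOERROR
1700000002 10.0.0.8 typo.example.com NXDOMAIN
1700000002 10.0.0.6 mail.example.com NOERROR
1700000003 10.0.0.5 www.example.com NOERROR
1700000003 10.0.0.7 api.example.com NOERROR
"""


def constructed_attack_lines(bots=20, per_bot=3, seed=7):
    """Constructed botnet traffic: many sources, few queries each, every
    query a fresh random label under the victim zone."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    lines = []
    for b in range(bots):
        client = f"198.51.100.{b + 1}"
        for i in range(per_bot):
            label = "".join(rng.choice(alphabet) for _ in range(12))
            lines.append(f"{1700000000 + i} {client} {label}.example.com NXDOMAIN")
    return lines


def parse(lines):
    """Parse 'ts client qname rcode' records; skip blank lines."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records


def zone_of(qname, zones):
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label.
    Random machine-generated labels score high; human words score low."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(records, zones, client_min=20, client_nx_ratio=0.8,
            zone_min_nx=50, zone_unique_ratio=0.9, zone_entropy=3.0):
    """Return {'clients': [...], 'zones': [...]} that exceed the thresholds."""
    per_client = defaultdict(Counter)
    per_zone = defaultdict(lambda: {"nx": 0, "names": set(), "clients": set()})
    for _ts, client, qname, rcode in records:
        per_client[client]["total"] += 1
        if rcode == "NXDOMAIN":
            per_client[client]["nx"] += 1
        zone = zone_of(qname, zones)
        if zone is not None and rcode == "NXDOMAIN":
            stats = per_zone[zone]
            stats["nx"] += 1
            stats["names"].add(qname)
            stats["clients"].add(client)

    # Per-client view: a single noisy source hammering nonexistent names.
    bad_clients = [c for c, s in per_client.items()
                   if s["total"] >= client_min
                   and s["nx"] / s["total"] >= client_nx_ratio]

    # Per-zone view: distributed flood where no single client stands out.
    bad_zones = []
    for zone, s in per_zone.items():
        if s["nx"] < zone_min_nx:
            continue
        unique_ratio = len(s["names"]) / s["nx"]
        mean_entropy = sum(label_entropy(n.split(".")[0]) for n in s["names"]) / len(s["names"])
        if unique_ratio >= zone_unique_ratio and mean_entropy >= zone_entropy:
            bad_zones.append(zone)
    return {"clients": sorted(bad_clients), "zones": sorted(bad_zones)}


def sample_records():
    return parse(LEGIT_LOG.splitlines() + constructed_attack_lines())


if __name__ == "__main__":
    print(analyze(sample_records(), ["example.com"]))
```

On the constructed sample no client crosses the per-client threshold (each bot sends three queries, well within normal behaviour), yet `example.com` is flagged because 61 NXDOMAIN answers were returned for 61 distinct, high-entropy names. In production the same counters would be kept over a sliding time window and fed to the mitigation device in front of the DNS servers; the point is that the decision is made on query names and response codes, not on bits per second.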

Additionally, these attacks have been encountered as one facet of the new dynamic multi-vector intrusions being employed to defeat defenses within both upstream and local security infrastructure. NETSCOUT provides Adaptive DDoS protection to block dynamically changing DDoS attacks, including those that may have evaded existing defenses, using a repeating closed-loop analysis that employs a patent-pending machine learning-based algorithm to prepare recommendations and countermeasures, adapting defenses to efficiently stop these evolving DDoS attacks.

So, having on-premises, always-on, purpose-built DDoS protection with proven DNS mitigation capabilities on the edge of your network in front of local DNS servers augments DNS protection efforts and is required to stop these attacks.

By leveraging NETSCOUT’s technologies, expertise, and experience in protecting the worldwide DNS infrastructure, enterprises can count on having the internet “always on,” keeping customers and stakeholders connected.
