Understanding Attack Traffic Is Required for Building a DNS Protection Strategy

Last week my daughter lost her phone. Because of this, she also lost the ability to call or message anyone she knew from another device, since she did not know anyone's phone number. This is not unusual today: we rarely have to remember a phone number anymore, because it is stored in our phone's contacts app. The contacts app is like the Domain Name System (DNS) for your phone. You enter a familiar name or moniker such as Dad, Mom, or Bestie, and it hands the matching phone number to the phone or messaging app so you can reach the contact you want.

Your network's DNS operates the same way: it helps users navigate the network by letting them enter a human-readable name such as NETSCOUT.com or NETSCOUT, which it translates into the IP address used to route traffic to the desired destination. Unfortunately, just as with a lost phone or contacts app, if DNS is taken down or lost, users can no longer navigate the network and reach their destinations, which to them looks exactly as if the network itself were down.

DNS Attacks Are on the Rise

According to a recent NETSCOUT DDoS Threat Intelligence Report, DNS water torture attacks have increased by 243 percent over four years, and by 353 percent over the past year alone. A DNS water torture attack is a type of DNS query flood that sends queries for random, nonexistent host names under valid domain names. The attack sources can be direct-path bots, DNS amplifiers/reflectors, or ISP caching servers/cloud resolvers, each of which can increase the size and complexity of the attack.

These attacks often use label prepending, such as www.123.example.com, in the query. The queries look legitimate and are therefore very difficult to detect. Their goal is to overwhelm the DNS servers with unresolvable queries and bring down this critical service. In-line solutions placed in front of the DNS server have struggled: they either block legitimate source IPs, causing collateral damage to legitimate users, or are error-prone because they require enterprises to import zone files manually.

The ideal solution would analyze each DNS query to ensure it comes from a legitimate source and, if it does not, block the traffic that fails validation.

DNS query filtering

NETSCOUT Arbor Edge Defense (AED) sits in line at the edge of your network and repeatedly inspects every DNS query and query response. Using this query response analysis, it continuously and automatically learns the valid names and adds them to a valid host name list.

AED detects DNS attacks based on an increase in NXDOMAIN or SERVFAIL responses to DNS queries. During an attack, AED provides an effective and unique solution in multiple ways. First, it compares the host name in every query against the list of auto-learned valid host names while also identifying which zones are under attack. Second, if the host name matches, the validated traffic is passed; if it does not match and the query falls in a zone that is under attack, AED blocks that traffic.
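As an added illustration of the learn-then-filter logic described above (example code written for this page, not NETSCOUT's or AED's own implementation), the following Python model learns valid host names from NOERROR responses, tracks the NXDOMAIN/SERVFAIL ratio per zone, and blocks unknown names only in zones flagged as under attack. The sample responses, the two-label zone rule, the 50 percent failure ratio and the minimum of five observed responses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of (query name, response code) pairs as seen in DNS
# query responses; the random-label names mimic a water-torture flood.
SAMPLE_RESPONSES = [
    ("www.example.com", "NOERROR"), ("mail.example.com", "NOERROR"),
    ("www.example.com", "NOERROR"), ("www.example.org", "NOERROR"),
    ("ftp.example.org", "NOERROR"), ("mail.example.org", "NOERROR"),
    ("www.example.org", "NOERROR"), ("typo.example.org", "NXDOMAIN"),
    ("m4n5b.example.com", "SERVFAIL"),
] + [(f"www.{x}.example.com", "NXDOMAIN")
     for x in ("x7f1q", "a9zk2", "b31n", "p0o9i", "kd82", "zz912")]

def normalize(name):
    return name.lower().rstrip(".")

def zone_of(name, depth=2):
    # Assumption: the zone is the last two labels. A real deployment
    # would use its zone list or public-suffix data, not a fixed depth.
    return ".".join(normalize(name).split(".")[-depth:])

class DnsQueryFilter:
    def __init__(self, fail_ratio=0.5, min_responses=5):
        self.fail_ratio, self.min_responses = fail_ratio, min_responses
        self.valid_names = set()  # auto-learned from NOERROR responses
        self.zone_stats = defaultdict(lambda: {"total": 0, "failed": 0})
    def observe_response(self, name, rcode):
        stats = self.zone_stats[zone_of(name)]
        stats["total"] += 1
        if rcode == "NOERROR":
            self.valid_names.add(normalize(name))
        elif rcode in ("NXDOMAIN", "SERVFAIL"):
            stats["failed"] += 1
    def zone_under_attack(self, zone):
        stats = self.zone_stats.get(zone)
        if stats is None or stats["total"] < self.min_responses:
            return False
        return stats["failed"] / stats["total"] >= self.fail_ratio
    def decide(self, name):
        # Zones not under attack always pass; in an attacked zone only
        # auto-learned valid names pass and unknown names are blocked.
        if not self.zone_under_attack(zone_of(name)):
            return "pass"
        return "pass" if normalize(name) in self.valid_names else "block"

def run_sample():
    f = DnsQueryFilter()
    for name, rcode in SAMPLE_RESPONSES:
        f.observe_response(name, rcode)
    queries = ["www.example.com", "www.q1w2e.example.com", "typo.example.org", "MAIL.example.com."]
    return {q: f.decide(q) for q in queries}
```

Note that a legitimate typo in a zone that is not under attack still passes, which is the collateral-damage case the per-zone check is meant to avoid.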

This type of system will protect your DNS infrastructure and ensure that it is available to move end-user traffic to its desired location.

Read more about protecting the DNS infrastructure here.