What is a DNS Water Torture Attack?
In an NXDOMAIN flood, also called a DNS Water Torture DDoS attack, the attacker overwhelms the Domain Name System (DNS) with a large volume of queries for names that do not exist, typically randomly generated labels under a victim's domain, a different one in every query. Because the names never repeat, nothing can be served from cache: in most cases the queries are handled by a DNS Proxy server (a recursive resolver or forwarder), which uses up most, if not all, of its resources forwarding them to the DNS Authoritative server for the domain. This kind of state-exhaustion attack usually ends with both the DNS Proxy server and the DNS Authoritative server spending all their time on bad queries, slowing responses to legitimate queries and eventually stopping responses altogether. This is what happened to Dyn, a major DNS provider in the USA, when it was attacked in October 2016.
What is the meaning of NXDOMAIN?
NXDOMAIN (RCODE 3, "Name Error" in RFC 1035) means that the queried name does not exist. It is the error code an authoritative server returns when the name is not in its zone; the client of that server, the recursive DNS server, receives it and passes a negative answer back to whoever asked. It is distinct from the case where the name exists but has no record of the requested type (a NODATA answer). All in all, NXDOMAIN simply means that the domain name does not exist.
What Are the Signs of a DNS Water Torture DDoS Attack?
A DNS Proxy server under a DNS Water Torture attack will constantly forward queries for non-existent names to the respective DNS Authoritative server. Each query is well-formed, so the Proxy server cannot reject it outright; the Authoritative server answers with an NXDOMAIN response, which is passed back to the client. Because every queried name is different, negative caching does not help: each query costs a fresh round trip to the Authoritative server. As the volume of such queries increases, the Authoritative server quickly slows down and legitimate queries go unanswered or time out. The legitimate clients then retry their queries, increasing the load even further on both the Proxy server and the Authoritative server.
The signs of such a DDoS attack are a high CPU load on the DNS servers, a rate of NXDOMAIN replies well above the normal baseline and, in the query logs, large numbers of distinct, random-looking leftmost labels under a single zone, most of them queried only once.
Why is a DNS Water Torture Attack Dangerous?
A DNS Water Torture attack is dangerous because it is easy to misdiagnose. The queries are individually valid and reach the Authoritative server from the recursive resolvers in between rather than from the attacker's own addresses, so many DNS server administrators treat the slowdown as a performance or capacity problem when in actuality it is an NXDOMAIN attack on their DNS server.
How to Mitigate and Prevent a DNS NXDOMAIN Flood DDoS Attack
Conducting regular DNS audits and monitoring DNS servers and their traffic is crucial for mitigating such attacks: an NXDOMAIN flood can only be told apart from a capacity problem if the normal query rate and NXDOMAIN ratio of the servers are known.
Additional steps include:
- Automatically blackhole suspect source addresses and domains
- Implement DNS Response Rate Limiting (RRL) on the Authoritative server; BIND's rate-limit statement, for example, has a separate nxdomains-per-second limit for exactly this case
- Examine the behaviour of each client. If a client generates a high rate of NXDOMAIN, NODATA (NXRRSET) or SERVFAIL responses, block queries from that client's IP address for a configurable period of time
- Make sure cached records are refreshed before they expire, so that the resolver keeps serving known-good names while the Authoritative server is struggling
- Lower the timeout for recursive lookups so that the resolver frees the resources held by a pending query sooner, preventing the pool of simultaneous outstanding queries from filling up
- Increase the TTL on existing records; they will then be kept longer in external DNS caches and have to be fetched from the Authoritative server less often
- Apply rate limiting (per source address, for instance) on traffic to overwhelmed servers
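The signs described under "What Are the Signs" and the per-client blocking rule in the list above can be checked mechanically against resolver logs. The script below is an added example, not code from the original article or from any DNS server product. It parses a constructed, BIND-like log format (the line layout, field names, thresholds and the sample lines are all assumptions made for this example), computes each client's NXDOMAIN ratio and how random its failing labels look, counts NXDOMAIN answers per zone to show which domain is being flooded, and decides which clients to block for a configurable period.

```python
"""Detect a DNS water-torture (NXDOMAIN flood) pattern in resolver logs and
pick clients to block temporarily.

Added example, not part of the original article.  The log format, field
names, thresholds and sample lines below are constructed for illustration.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log line layout (constructed for this example, not a real BIND format):
# <ISO timestamp> client <ip>#<port>: <qname> <qtype> <rcode>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+)#\d+: (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$"
)

# Constructed sample: one legitimate client (one typo) and one client sending
# a different random leftmost label under the same zone in every query.
SAMPLE_LOG = """\
2023-05-01T12:00:00 client 203.0.113.10#5353: www.example.com. A NOERROR
2023-05-01T12:00:01 client 203.0.113.10#5353: mail.example.com. MX NOERROR
2023-05-01T12:00:02 client 203.0.113.10#5353: typo.example.com. A NXDOMAIN
2023-05-01T12:00:00 client 198.51.100.7#4000: k3j9sdq2x.example.com. A NXDOMAIN
2023-05-01T12:00:00 client 198.51.100.7#4000: p0wz81mnb.example.com. A NXDOMAIN
2023-05-01T12:00:01 client 198.51.100.7#4000: 7ty2qe0lv.example.com. A NXDOMAIN
2023-05-01T12:00:01 client 198.51.100.7#4000: zzq18bkx4.example.com. A NXDOMAIN
2023-05-01T12:00:02 client 198.51.100.7#4000: 4hd0f9c2s.example.com. A NXDOMAIN
2023-05-01T12:00:02 client 198.51.100.7#4000: n1c7a5ytr.example.com. A NXDOMAIN
"""


def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts'; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def label_entropy(label):
    """Shannon entropy in bits per character; random labels score higher than words."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parent_zone(qname, depth=2):
    """Drop the leftmost label(s) to name the zone being queried, e.g. 'example.com'."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])


def client_stats(records):
    """Per client: query count, NXDOMAIN count and ratio, distinct failing labels, mean entropy."""
    acc = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "labels": set(), "entropy": 0.0})
    for r in records:
        s = acc[r["ip"]]
        s["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            leftmost = r["qname"].split(".")[0]
            s["nxdomain"] += 1
            s["labels"].add(leftmost)
            s["entropy"] += label_entropy(leftmost)
    return {
        ip: {
            "queries": s["queries"],
            "nxdomain": s["nxdomain"],
            "nxdomain_ratio": s["nxdomain"] / s["queries"],
            "distinct_nx_labels": len(s["labels"]),
            "mean_nx_label_entropy": s["entropy"] / s["nxdomain"] if s["nxdomain"] else 0.0,
        }
        for ip, s in acc.items()
    }


def zone_stats(records):
    """NXDOMAIN answers per parent zone; the flooded zone dominates the count."""
    return dict(Counter(parent_zone(r["qname"]) for r in records if r["rcode"] == "NXDOMAIN"))


def choose_blocks(stats, now, min_queries=5, max_ratio=0.8, block_seconds=300):
    """Return {ip: block_until} for clients over the NXDOMAIN ratio threshold.

    min_queries stops a single typo from getting a client blocked, and the
    block expires on its own so a misidentified client recovers without help.
    """
    return {
        ip: now + timedelta(seconds=block_seconds)
        for ip, s in stats.items()
        if s["queries"] >= min_queries and s["nxdomain_ratio"] >= max_ratio
    }


def is_blocked(blocked, ip, now):
    """True while the client's block has not yet expired."""
    until = blocked.get(ip)
    return until is not None and now < until


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    now = max(r["ts"] for r in recs)
    stats = client_stats(recs)
    for ip, s in stats.items():
        print(ip, s)
    print("NXDOMAIN per zone:", zone_stats(recs))
    print("blocked:", {ip: t.isoformat() for ip, t in choose_blocks(stats, now).items()})
```

In production the counters would run over a sliding window rather than the whole log, and the block would be pushed to the resolver's ACL or a firewall instead of kept in a dictionary; the decision logic is the same. The entropy figure is a supporting signal only: short legitimate labels such as "mail" score low, but a ratio of NXDOMAIN answers near 1.0 together with many never-repeated labels under one zone is the pattern the article describes.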