Table of Contents
- Domain Name System (DNS) are the directories used to resolve between machine-readable addresses of websites (such as 191.168.0.1:80) and human-readable names (e.g. radware.com)
- A DNS flood is a type of DDoS (distributed denial-of-service attack) when an attacker floods a particular domain’s DNS servers to disrupt resolution for that domain.
- Sending a massive number of DNS requests to a DNS server can consume its resources, resulting in a significantly slower response time for legitimate DNS requests.
- By slowing down or disrupting DNS resolution, a DNS Flood attack will disable or degrade the performance of a website, API or web application's ability respond to legitimate traffic.
/Picture-1.png.aspx)
/Picture-2.png.aspx)
- Since DNS name resolution is used in normal internet communication, during heavy loads, DNS Flood attacks can be difficult to distinguish from normal heavy traffic especially if the floods have many unique sources.
- Attackers exploit the DNS’ hierarchical infrastructure weaknesses and protocol vulnerabilities for mounting attacks against DNS services, targeting either recursive resolvers or authoritative servers. Many such attacks such as DNS amplification, DNS spoofing, Reflection, NXDomain and NXNSDomain are now common.
- DNS Security Extensions (DNSSEC) were introduced in 2005 to preclude spoofing and man-in-the-middle attacks.
- DNS over HTTPS or DoH was introduced to increase the privacy and security by preventing eavesdropping and manipulation of DNS data through man-in-the-middle attacks.
- Although DNSSEC and DoH can help with authentication, privacy and integrity; however, they cannot protect from query floods, NXDomain and NXNSDomain attacks.
- Securing the perimeter is key to protecting DNS infrastructure. You’ll need a security solution that can detect and mitigate an attack based on ingress requests only and prevent the bad queries from entering your DNS infrastructure to begin with. Not relying on a bi-directional response detection can also minimize impacts from bogus domain requests.
- Since high-volume floods can consume resources of stateful devices you need a stateless DNS security solution.
- Accurate attack filtering with minimal risk of false positives requires achieving a high detection accuracy between a good and a bad DNS request. Behavioral algorithms can detect statistical anomalies in DNS traffic and generate an accurate attack footprint based on a heuristic protocol information analysis to prevent and protect from DNS Flood attacks.
Radware DDoS protection solutions mitigate DNS Flood attacks via behavioral-based protection. Protection is provided across all three phases of an attack: detection, characterization and mitigation.
During the detection phase, Radware monitors all inbound DNS traffic and learns the baseline of normal DNS traffic behavior using various logics and monitoring various baselines and parameters. During the characterization phase, Radware creates an automatic, real-time signature, which blocks the DNS attack without human intervention. Using samples of real-time traffic that deviates from the baseline traffic, Radware looks for characteristic parameters of the ongoing anomaly in the suspicious traffic. Lastly, during the mitigation phase, Radware utilizes the real-time signature to identify the DNS attack traffic and automatically stops the attack.