DDoS Attacks on DNS Services

On October 21, 2016, DYN - a leading US-based DNS provider – was knocked offline by a major DDoS attack.

Download a Copy Now


Recently, DDoS attacks on DNS services happened on October 21, 2016, to DYN - a leading US-based DNS provider – and was knocked offline. Consequently, due to these DDoS attacks on DNS services the online services of many US based enterprises, including Amazon, Netflix, Twitter, and CNN, were completely unreachable (see Figure 1). There is no official confirmation yet to who the attackers were or their motivations.

Figure 1: Amazon status update from Dyn outage

The attackers leveraged several botnets against Dyn’s servers. This included Mirai, a botnet comprised of over 140,000 Internet of Things (IoT) devices, that was recently used against Brian Krebs and OVH in a record breaking 1.1Tbps DDoS attack. It is likely that Mirai was modified and a variant of it was used against Dyn.

This attack highlights of DDoS attacks on DNS services the lack of protection provided by traditional DDoS protection solutions that rely on rate-limit technology and underscores the need for behavioral-based DDoS protection to mitigate these types of cyber-attacks, such as those provided by Radware. Rate-based DDoS mitigation solutions will result in high percentages of false positives, resulting in legitimate users being blocked and frustrated customers.


Mirai was released in September 2016 and allows its users to infect IoT devices (by leveraging manufacturer’s default passwords). A command and control server connects to these devices via Telnet and transforms them into a botnet (specifically exploiting port 23, 2323 and 103). It is most likely that since then a number of attackers have modified and deployed the botnet for themselves.

One of the attack vectors in the Mirai botnet is commonly known as DNS Waterfall Torture. In Waterfall Torture, the victim is attacked via the assistance of a middle-man (a mediator server). The bot sends a query to a recursive DNS server to resolve a random host in a domain that the end-target is authoritative. The recursive DNS server takes that hostname, does not find it in its cache since it is random, and forwards it the target. The target receives millions of queries to resolve from the real DNS server (the recursive ones) and cannot track the request back to a bot. Once the attacker ties up all of the DNS’s resources, legitimate clients are unable to resolve their request. As mentioned, these types of DDoS attacks on DNS services are a very sophisticated attack that bypasses rate-limiting DDoS mitigation solutions.

Reasons for Concern

Although it is very difficult to find unique traffic patterns when it comes from a real DNS server (as it appears legitimate), a smart traffic monitoring mechanism, if deployed at the recursive servers, could have intercepted the DDoS attacks on DNS services as they would be able to identify the illegitimate bot traffic. Behavioral-based detection could have minimized the impact of the attack, if not blocked it altogether.

In addition, using a secondary DNS provider for high availability could have minimized the impact of the attack (see Figure 2). A large number of Internet clients leverage only one DNS provider for both their primary and secondary DNS. Companies that did not use a redundant DNS server suffered a complete outage and their users were unable to reach their website.

Figure 2: PayPal switches DNS during the Dyn Attack

Mirai and a number of other malware variants targeting IoT devices are leveraging default passwords to infect these devices. Attackers are scanning the internet looking for devices that ship with default credentials that are easily brute-forced. Attackers can quickly enlist over 100,000 devices in just a day due to aggressive scanning resulting in massive botnets that are always online.

How to Prepare for These Types of DDoS Attacks on DNS Services

  • The IoT brings cyber-attacks into the realm of 1Tbps size attacks and requires security and service providers to adjust their approach and be able to protect from these sophisticated, automated attacks.
  • Organizations should reevaluate today’s DDoS protection security paradigms, and more specifically, solutions that rely on traditional, rate-based detection methods.

Organizations under Attack Should Consider

  • Hybrid DDoS Protection (on-premise + cloud) – for real-time protection that also addresses high volume attacks and protects from pipe saturation.
  • Behavioral-Based Detection – to quickly and accurately identify and block anomalies while allowing legitimate traffic through.
  • Real-Time Signature Creation – to promptly protect from unknown threats and zero-day attacks.
  • A cyber-security emergency response plan that includes a dedicated emergency team of experts

Under Attack and in Need of Expert Emergency Assistance? Radware Can Help.

Radware offers a DDoS service to help respond to security emergencies, neutralize the risk and better safeguard operations before irreparable damages occur. If you’re under a DDoS attack or malware outbreak and in need of emergency anti DDoS protection assistance, Contact us with the code "Red Button".

Click here to download a copy of the ERT Threat Alert. Download Now