Analysis of DNS Server Denial of Service attacks from network disconnection events


Event Cause and Analysis

This event was a chain of two linked incidents:

1. The DNS servers of the DNSPod hosting site were hit by a DDoS attack exceeding 10 Gbps. The attack is suspected to have arisen from competition between private online game servers: one private-server operator reportedly used thousands of zombie (bot) hosts to launch a flood attack against DNSPod, overloading its DNS servers and congesting its links.

2. A large number of Storm Audio & Video (Baofeng) clients repeatedly sent resolution requests to China Telecom's primary DNS servers, overloading the telecom DNS servers in several regions.

As widely used software, Storm Audio & Video is installed and used by thousands of users, but its DNS resolution mechanism is flawed. Storm hosts its authoritative DNS only at the DNSPod site, and when a domain name cannot be resolved the Storm client repeatedly re-queries the carrier's DNS server; the carrier's resolver in turn queries Storm's DNS server at DNSPod. The result is a very large volume of queries, which in effect constitutes a DDoS attack on the telecom DNS servers.

Because the Storm user base is so large, its query load was several orders of magnitude greater than that of the botnet, overloading the primary DNS servers in multiple provinces and cities.
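The mechanism described above (a client that re-queries the carrier's resolver on every failure, so that an outage of the authoritative server turns an installed base into a query flood) can be shown with a small discrete-time simulation. The code below is an added example, not code from the page, from Storm or from Fortinet; the resolver, client classes, host name and tick counts are all constructed for illustration. It contrasts a naive client that retries immediately with one that keeps a negative cache whose lifetime backs off exponentially, and counts the queries the carrier resolver receives in each case.

```python
"""Added example (not from the page or from Fortinet): a small discrete-time
simulation of how client-side retry behaviour turns an authoritative-server
outage into a query flood against the carrier's recursive resolver. All
names, classes and numbers here are constructed for illustration."""

NOERROR = "NOERROR"
SERVFAIL = "SERVFAIL"
POSITIVE_TTL = 300   # seconds a successful answer is cached by the client


class CarrierResolver:
    """Stand-in for the carrier's recursive DNS server. It counts every query
    it receives; the upstream authoritative zone is either reachable or not."""

    def __init__(self, authoritative_up):
        self.authoritative_up = authoritative_up
        self.queries_received = 0

    def resolve(self, qname):
        self.queries_received += 1
        if self.authoritative_up:
            return "198.51.100.10", NOERROR   # RFC 5737 documentation address
        return None, SERVFAIL               # authoritative server unreachable


class NaiveClient:
    """Caches positive answers but retries on every tick while resolution
    fails: the behaviour the page attributes to the Storm client."""

    def __init__(self, resolver, qname):
        self.resolver, self.qname = resolver, qname
        self.next_try = 0

    def tick(self, now):
        if now < self.next_try:
            return
        _addr, rcode = self.resolver.resolve(self.qname)
        # A failure is retried immediately on the next tick.
        self.next_try = now + POSITIVE_TTL if rcode == NOERROR else now + 1


class BackoffClient:
    """Same positive caching, but failures are held in a negative cache whose
    lifetime doubles on each consecutive failure, up to a cap."""

    def __init__(self, resolver, qname, base=1, cap=64):
        self.resolver, self.qname = resolver, qname
        self.base, self.cap = base, cap
        self.delay = base
        self.next_try = 0

    def tick(self, now):
        if now < self.next_try:
            return
        _addr, rcode = self.resolver.resolve(self.qname)
        if rcode == NOERROR:
            self.delay = self.base
            self.next_try = now + POSITIVE_TTL
        else:
            self.next_try = now + self.delay
            self.delay = min(self.delay * 2, self.cap)


def simulate(client_cls, n_clients, ticks, authoritative_up=False):
    """Run `n_clients` instances of `client_cls` for `ticks` seconds and return
    the number of queries the carrier resolver had to handle."""
    resolver = CarrierResolver(authoritative_up)
    clients = [client_cls(resolver, "player.example.test") for _ in range(n_clients)]
    for now in range(ticks):
        for client in clients:
            client.tick(now)
    return resolver.queries_received


if __name__ == "__main__":
    for cls in (NaiveClient, BackoffClient):
        up = simulate(cls, 1000, 120, authoritative_up=True)
        down = simulate(cls, 1000, 120, authoritative_up=False)
        print(f"{cls.__name__:14} authoritative up: {up:7d}  down: {down:7d}")
```

With the authoritative server reachable, both client types cost the resolver one query per client over the two-minute run. With it unreachable, 1,000 naive clients generate 120,000 queries in the same two minutes, while the backoff clients generate 7,000; the difference is entirely due to negative caching with exponential backoff, which is the client-side fix for the flaw the page describes.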

FortiGate IPS Countermeasures

As a core part of the Internet, DNS servers are vulnerable to attack. Solving this problem completely requires continuous improvement of the Internet's security architecture: detecting and dismantling botnets, securing every PC connected to the Internet, and establishing a fast DoS traceback mechanism. Such an architecture cannot be built overnight, so protecting DNS servers against attack has become an important security measure in its own right.

FortiGate IPS has a different countermeasure for each of the two causes above.

1. For large-scale irregular (volumetric) DDoS attacks, FortiGate IPS provides hardware-level defense. A dedicated acceleration chip identifies the DDoS attack, distinguishes attack packets from normal access traffic, and drops the attack packets, so the DNS server is not overloaded by the attack.

FortiGate IPS can defend against DDoS attacks exceeding 100,000 packets per second (PPS).


Figure 1: Anti-DDoS configuration of FortiGate

2. For regular, pattern-based large-scale DDoS traffic, such as the mass of DNS queries for baofeng.com generated by the Storm Audio & Video software, FortiGate can be given a corresponding detection rule to temporarily block queries containing the domain name baofeng.com, preventing the DNS server from being overloaded.


Figure 2: FortiGate IPS features
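The second countermeasure, a rule that temporarily blocks queries for one domain once they flood the resolver, can be reproduced on a resolver's own query log. The code below is an added example and is not FortiGate's rule language or any Fortinet code; the log format, the zone name example-media.test, the thresholds and the client addresses are constructed for illustration. It buckets queries per zone per time window, trips a temporary block when one zone exceeds a threshold, and expires the block after a hold period.

```python
"""Added example (not from the page or from Fortinet): rate-based detection of
a query flood against a single zone in a recursive resolver's query log, with
a temporary, self-expiring block decision. Log format, names, addresses and
thresholds are constructed."""
from collections import Counter

WINDOW = 10       # seconds per counting bucket
THRESHOLD = 500   # queries per zone per window treated as a flood
HOLD = 300        # seconds a zone stays blocked after tripping the threshold


def build_sample_log():
    """Constructed resolver query log, one line per query:
    '<epoch seconds> <client ip> <qname> <qtype>'. A trickle of normal
    traffic plus 1,000 distinct clients hammering names under one zone."""
    lines = [
        "1000 10.0.0.1 www.example.net A",
        "1002 10.0.0.2 mail.example.net MX",
        "1004 10.0.0.3 www.example.org AAAA",
    ]
    for i in range(1000):
        lines.append(f"100{i % 10} 10.1.{i // 256}.{i % 256} s{i}.example-media.test A")
    return "\n".join(lines)


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.rstrip(".").lower(), qtype


def zone_key(qname, labels=2):
    """Group names by their last `labels` labels. A production rule would use
    a public-suffix list; two labels is enough for this constructed data."""
    return ".".join(qname.split(".")[-labels:])


def count_per_zone(log_text, window=WINDOW):
    """Return Counter keyed by (window_start, zone)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client, qname, _qtype = parse_line(line)
        counts[(ts - ts % window, zone_key(qname))] += 1
    return counts


class TemporaryBlocklist:
    """Zones that exceeded the threshold, each with an expiry time, so the
    block is lifted automatically once the hold period passes."""

    def __init__(self, threshold=THRESHOLD, hold=HOLD):
        self.threshold = threshold
        self.hold = hold
        self.blocked_until = {}

    def observe(self, counts):
        """Feed a Counter from count_per_zone; return zones newly blocked."""
        newly = []
        for (window_start, zone), n in sorted(counts.items()):
            if n >= self.threshold and zone not in self.blocked_until:
                self.blocked_until[zone] = window_start + self.hold
                newly.append((zone, n))
        return newly

    def is_blocked(self, qname, now):
        zone = zone_key(qname)
        expiry = self.blocked_until.get(zone)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[zone]   # hold period over, block lifted
            return False
        return True


def run_demo():
    counts = count_per_zone(build_sample_log())
    blocklist = TemporaryBlocklist()
    tripped = blocklist.observe(counts)
    return counts, blocklist, tripped


if __name__ == "__main__":
    counts, blocklist, tripped = run_demo()
    print("zones tripped:", tripped)
    print("s5.example-media.test blocked at t=1005:",
          blocklist.is_blocked("s5.example-media.test", 1005))
    print("www.example.net blocked at t=1005:",
          blocklist.is_blocked("www.example.net", 1005))
```

Grouping by zone suffix rather than matching the bare string anywhere in the name avoids blocking unrelated names that merely contain the same substring. The hold period is what makes the block temporary: legitimate users of the blocked zone also lose resolution while it is in force, which is why the page presents this as a short-term relief for the resolver rather than a permanent rule.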

Introduction to FortiGate IPS

1. Hybrid and Multi-Type Attack Defense

Fortinet's full range of security products provides an integrated, complete solution that covers a wide range of attacks and malicious behaviour: blended attacks, intrusion attempts, viruses, Trojans, worms, spyware, grayware, adware, and denial-of-service attacks. Fortinet uses an ASIC-accelerated hardware platform and a set of advanced dynamic intrusion detection engines, which lower total cost of ownership while providing higher security and industry-leading performance against multiple attack types. These security engines are part of Fortinet's award-winning FortiOS™; they can be deployed separately or integrated to provide a comprehensive security solution.

2. Global IPS R&D Team

The FortiGuard IPS service is maintained by Fortinet's global security expert team, which responds within two hours of identifying a new attack. Fortinet security experts work with attack-detection organizations such as CERT and SANS to discover new vulnerabilities and write signatures, anomaly detection engines, and blocking methods, upgrading the user's FortiGate IPS system before the vulnerability becomes a threat. FortiGuard's scalable distributed network allows all FortiGate IPS systems to be upgraded within minutes.
