Event Cause and Analysis
This was a chained event with two main parts:
1. The DNS servers of the dnspod site were hit by a DDoS attack with more than 10 Gbps of traffic. It is suspected to stem from competition between private online game server operators: one operator used thousands of zombie hosts to launch a DDoS flood attack against dnspod, overloading its DNS servers and congesting its links.
2. A large number of Storm audio and video clients repeatedly sent resolution requests to the China Telecom DNS servers, overloading Telecom's primary DNS servers in multiple regions.
Storm audio and video is widely used software, installed on thousands of machines. Its DNS resolution mechanism is flawed: Storm's domain is served only by DNS hosted at the dnspod site, and when a domain name cannot be resolved the client keeps re-sending queries to the carrier's DNS server, which in turn queries Storm's DNS servers at dnspod. The result is a very large volume of queries that objectively amounts to a DDoS attack on the Telecom DNS servers.
Because Storm audio and video has so many users, the attack capacity was several orders of magnitude higher than that of the botnet, overloading the primary DNS servers in multiple provinces and cities.
FortiGate IPS Countermeasure
As a core part of the Internet, DNS servers are vulnerable to attacks. Solving this problem completely requires continually improving the Internet security architecture: detecting and removing botnets, securing every PC connected to the Internet, and establishing a fast DoS traceback mechanism. A secure Internet architecture cannot be built overnight, however, so protection against DNS attacks has become an important security measure.
FortiGate IPS has different countermeasures for the two causes described above.
1. FortiGate IPS provides hardware-level defense against large-scale irregular DDoS attacks. It uses a dedicated acceleration chip to identify DDoS attacks, distinguish attack packets from normal access traffic, and block only the attack packets, so the DNS server is not overloaded by the attack.
FortiGate IPS can defend against DDoS attacks exceeding 0.1 million packets per second (PPS).
Figure 1: Anti-DDoS configuration of FortiGate
2. For regular large-scale DDoS attacks, such as the large number of DNS queries for baofeng.com initiated by Storm audio and video software, FortiGate can apply a custom detection rule that temporarily blocks queries containing the domain name baofeng.com, which prevents the DNS server from being overloaded.
Figure 2: FortiGate IPS features
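As an added example (not code from this article or from Fortinet), the Python script below runs over constructed resolver log lines and shows the two behaviours described above: a flood of queries for one zone whose authoritative servers are unreachable (many SERVFAIL answers, from many clients, as with Storm clients retrying baofeng.com), and a temporary block rule that matches a domain suffix such as baofeng.com. The log line format, the rate thresholds and the "last two labels" registered-domain heuristic are assumptions made for the example.

```python
"""Rate-based analysis of DNS resolver logs plus a temporary domain block rule.

Added example, not part of the original article or any Fortinet product code.
The log format below is constructed for the example; real resolver logs differ.
"""
from collections import defaultdict
from datetime import datetime, timezone


# Constructed log line format (assumption): "<ISO time> <client IP> <qtype> <qname> <rcode>"
def parse_line(line):
    ts, client, qtype, qname, rcode = line.split()
    return {
        "ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "client": client,
        "qtype": qtype,
        "qname": qname.rstrip(".").lower(),
        "rcode": rcode,
    }


def registered_domain(qname):
    """Naive 'last two labels' heuristic (assumption: no public suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(lines, window_seconds=60, qps_threshold=2.0, servfail_ratio=0.5):
    """Flag domains whose query rate in a window reaches qps_threshold while most
    answers are SERVFAIL: the pattern of many clients hammering a resolver for a
    zone whose authoritative servers are down."""
    buckets = defaultdict(lambda: {"total": 0, "servfail": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        window = int(rec["ts"].timestamp()) // window_seconds
        bucket = buckets[(registered_domain(rec["qname"]), window)]
        bucket["total"] += 1
        bucket["clients"].add(rec["client"])
        if rec["rcode"] == "SERVFAIL":
            bucket["servfail"] += 1
    flagged = {}
    for (domain, _window), b in buckets.items():
        qps = b["total"] / window_seconds
        ratio = b["servfail"] / b["total"]
        if qps >= qps_threshold and ratio >= servfail_ratio:
            flagged[domain] = {"qps": qps, "servfail_ratio": ratio,
                               "clients": len(b["clients"])}
    return flagged


def block_rule(suffixes):
    """Return a predicate that is true for any qname equal to, or under, one of
    the given domains (the temporary 'block queries for baofeng.com' idea)."""
    suffixes = tuple(s.lower().strip(".") for s in suffixes)

    def matches(qname):
        q = qname.lower().rstrip(".")
        return any(q == s or q.endswith("." + s) for s in suffixes)

    return matches


def filter_queries(lines, blocked):
    """Split log lines into (passed, dropped) according to a block predicate."""
    passed, dropped = [], []
    for line in lines:
        rec = parse_line(line)
        (dropped if blocked(rec["qname"]) else passed).append(rec)
    return passed, dropped


NORMAL_QNAMES = ["www.example.com", "mail.example.net", "ns.example.org"]


def build_sample_log():
    """Constructed sample: 120 retrying queries for baofeng.com from 100 clients
    (all SERVFAIL because its authoritative servers are unreachable) plus 30
    ordinary queries, all inside one minute."""
    lines = []
    for i in range(120):
        lines.append(f"2009-05-19T22:00:{i % 60:02d} 192.0.2.{i % 100 + 1} "
                     f"A www.baofeng.com SERVFAIL")
    for i in range(30):
        lines.append(f"2009-05-19T22:00:{(i * 2) % 60:02d} 198.51.100.{i + 1} "
                     f"A {NORMAL_QNAMES[i % 3]} NOERROR")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for domain, stats in analyze(log).items():
        print(f"flagged {domain}: {stats}")
    passed, dropped = filter_queries(log, block_rule(["baofeng.com"]))
    print(f"passed {len(passed)} queries, dropped {len(dropped)}")
```

The detector keys on the combination of rate and SERVFAIL ratio rather than rate alone, because a popular zone that resolves normally also produces a high query rate; the block rule is a suffix match, so it catches hostnames under the zone as well as the apex, and it is meant as a temporary measure while the upstream outage lasts.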
Introduction to FortiGate IPS
1. Hybrid and Multi-Type Attack Defense
Fortinet's full range of security products provides an integrated and complete solution that covers a wide range of attacks and malicious behaviour: mixed attacks, intrusion attempts, viruses, Trojans, worms, spyware, grayware, adware and denial-of-service attacks. Fortinet uses a network-based, ASIC-accelerated hardware platform and a series of advanced dynamic intrusion detection engines, which reduce total cost of ownership while providing higher security and industry-leading performance against multiple attack types. These security engines are part of Fortinet's award-winning FortiOS™ and can be deployed separately or integrated to provide a comprehensive security solution.
2. Global IPS R&D Team
The FortiGuard IPS service is maintained by Fortinet's global team of security experts, which responds within two hours of identifying a new attack. Fortinet security experts work with attack detection organizations such as CERT and SANS to discover new vulnerabilities and write signatures, anomaly detection engines and blocking methods, upgrading the user's FortiGate IPS system before the vulnerability becomes a threat. FortiGuard's scalable distributed network allows all FortiGate IPS systems to be upgraded in a matter of minutes.