Event causes and analysis
This incident was a chained event with two main parts:
1. The Dnspod site's DNS servers were hit by a DDoS attack of more than 10 Gbps. The suspected cause is competition between online game operators: one server operator launched a flood attack on Dnspod from thousands of zombie hosts, overloading the DNS servers and congesting the line.
2. Storm audio and video clients sent a very large number of frequent resolution requests to the telecom operators' primary DNS servers, overloading the regional telecom primary DNS servers.
Storm audio and video is widely used software with thousands of installed users. However, its DNS resolution mechanism was flawed. The Storm company deployed its DNS resolution at the Dnspod site only, and when the Storm audio and video software fails to resolve a domain name it sends a large number of frequent queries to the operator's DNS servers; the operator's DNS servers in turn query the Storm company's DNS servers hosted at Dnspod and get no result. This produces a very large volume of queries, which objectively constitutes a DDoS attack on the telecom DNS servers.
Because Storm audio and video has so many users, its attack capacity exceeds that of a botnet by several orders of magnitude, and multiple provincial and municipal telecom primary DNS servers were overloaded as a result.
FortiGate IPS countermeasures
As a core part of the Internet, DNS servers are vulnerable to attack. Solving this problem fundamentally requires continual improvement of the Internet's own security architecture, such as detecting and dismantling botnets, securing every PC connected to the Internet, and establishing rapid DoS traceback mechanisms. However, a secure Internet architecture cannot be built overnight, so protecting DNS against attack is an important security measure.
For the two causes described above, the FortiGate IPS has a different countermeasure for each.
1. For irregular large-scale DDoS attacks, the FortiGate IPS has hardware-level defense capability. It uses a dedicated high-speed chip to identify DDoS attacks and can determine which packets are attack packets and which are normal access traffic, allowing the normal traffic to pass while blocking the attack packets. This keeps the DNS server from being overloaded by an attack.
The FortiGate IPS has an anti-DDoS capacity of more than 100,000 PPS.
Figure I: FortiGate anti-DDoS configuration
2. For regular large-scale DDoS attacks, such as the large number of DNS queries for baofeng.com generated by the Storm audio and video software, the FortiGate can be given corresponding detection rules that temporarily block queries containing the baofeng.com domain name, so that the DNS server is not overloaded.
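The retry storm described above and the per-domain detection rule in point 2, as an added example that is not part of the original article or of any Fortinet product: a small Python detector run over constructed resolver query-log lines. The log format, the time window and the QPS threshold are assumptions.

```python
"""Detect a single domain's query storm against a recursive resolver, as in the incident above."""
from collections import Counter, defaultdict

# Constructed sample log (not real resolver output): "<epoch> <client_ip> <qname> <rcode>".
# A few normal lookups plus a burst of client retries for one domain whose authoritative
# servers are unreachable, so every attempt ends in SERVFAIL (the "no result" case above).
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.org NOERROR
1000 10.0.0.9 mail.example.net NOERROR
1001 10.0.1.2 cdn.baofeng.com SERVFAIL
1001 10.0.1.3 cdn.baofeng.com SERVFAIL
1001 10.0.1.2 cdn.baofeng.com SERVFAIL
1002 10.0.2.7 ad.baofeng.com SERVFAIL
1002 10.0.1.3 cdn.baofeng.com SERVFAIL
1002 10.0.0.5 www.example.org NOERROR
1003 10.0.3.1 cdn.baofeng.com SERVFAIL
1003 10.0.3.1 cdn.baofeng.com SERVFAIL
"""

def registrable_domain(qname: str) -> str:
    """Collapse a query name to its last two labels (assumes no multi-label public suffix)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse(log: str):
    """Yield (timestamp, client, domain, rcode) from the constructed log format."""
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        yield int(ts), client, registrable_domain(qname), rcode

def flood_report(log: str, window: int = 4, qps_threshold: float = 1.0):
    """Return {domain: (qps, distinct_clients, servfail_ratio)} for each domain whose query
    rate over `window` seconds exceeds `qps_threshold` (both values are assumptions). Many
    distinct clients plus a SERVFAIL ratio near 1.0 marks a client-side retry storm."""
    counts, clients, servfail = Counter(), defaultdict(set), Counter()
    for _ts, client, domain, rcode in parse(log):
        counts[domain] += 1
        clients[domain].add(client)
        if rcode == "SERVFAIL":
            servfail[domain] += 1
    report = {}
    for domain, n in counts.items():
        qps = n / window
        if qps > qps_threshold:
            report[domain] = (qps, len(clients[domain]), servfail[domain] / n)
    return report

if __name__ == "__main__":
    for domain, (qps, nclients, ratio) in flood_report(SAMPLE_LOG).items():
        print(f"{domain}: {qps:.2f} qps from {nclients} clients, SERVFAIL ratio {ratio:.2f}")
```

A domain that trips the rate check while its SERVFAIL ratio stays near zero is ordinary popularity, not a retry storm, which is why the report carries both values rather than the count alone.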
Figure II: FortiGate IPS features
Introduction to FortiGate IPS features
1. Hybrid, multi-type attack defense
Fortinet's full range of security products provides an integrated, complete solution against a wide range of attacks and malicious behavior, including mixed attacks, intrusion attempts, viruses, trojans, worms, spyware, greyware, adware, and denial-of-service attacks. Fortinet uses a network-based ASIC-accelerated hardware platform and a series of advanced dynamic intrusion detection engines to achieve higher levels of security and industry-leading performance against multiple attack types at a lower total cost of ownership. These security engines run on Fortinet's award-winning FortiOS and can be deployed individually or integrated together to provide a comprehensive security solution.
2. The global IPS research and development team
FortiGuard IPS services are maintained by a team of Fortinet global security experts who respond within two hours of identifying a new attack. Fortinet security experts collaborate with many attack detection organizations, such as CERT and SANS, to discover new vulnerabilities and to write signatures, anomaly detection engines, and blocking methods that upgrade the user's FortiGate IPS system before the vulnerability becomes a threat. FortiGuard's scalable distributed network can push upgrades to all FortiGate IPS systems within minutes.