Ten simple methods to mitigate DNS-based DDoS attacks

Ten simple methods to mitigate DNS-based DDoS attacks

Researchers found that attackers often use UDP flood attacks (UDP floods) in massive bandwidth-based DDoS attacks (Distributed Denial of Service attacks ). Because UDP is a connectionless protocol, attackers can use scripts to generate UDP packets easily.


 
DNS mainly uses UDP protocol, but in some special cases, DNS also chooses to use TCP protocol according to the network environment. Attackers like to use the UDP/DNS protocol when launching distributed denial-of-service attacks on the target server.
As DNS is a very important network protocol, high availability is the most important consideration for network practitioners. To break the availability of the protocol, malicious attackers can send a large number of forged query requests to the DNS parser. It is worth noting that there are millions of open DNS servers on the Internet, many of which are home gateways. The DNS parser considers these forged query requests to be true and valid, and processes these requests. After the processing is complete, the DNS response information is returned to the request source. If the number of query requests is very large, the DNS server may send a large amount of DNS response information. This is what we often say about amplification attacks, because this method uses incorrect configurations in the DNS parser. If the DNS server is configured incorrectly, the DNS parser may return a large amount of payload to the target host after receiving a very small DNS query request. In another type of attacks, attackers can also initiate attacks by sending invalid query requests to the DNS server.
To this end, we will introduce ten very simple and practical methods in this article. You can use these methods to mitigate the impact of DNS flood attacks, so as to better protect the DNS infrastructure.
1. shield the DNS response information actively sent
A typical DNS exchange information is composed of request information. The DNS server sends the user's request information to the DNS server. After the DNS server processes the query request, the server returns the response information to the DNS server. However, it is worth noting that the response information will not be sent proactively.
Attackers need to deploy FortiDDoS before the request information arrives at the DNS parser. It can be used as an open DNS parser or as the query server for DNS query requests.
This is a device embedded in the network. It can process millions of query requests per second and record Query Information and corresponding response information in the memory table.
If the server generates the corresponding response information before receiving the query request, the server should directly discard the response information. This mechanism can effectively mitigate the impact of reflection attacks.


Ii. Discard fast retransmission data packets
Even if data packets are lost, no valid DNS Client will send the same DNS query request to the same DNS server at a short interval.
Therefore, if the sending frequency of the same query request sent from the same source address to the same target address is too high, the server must discard these request packets.


3. If the DNS server has successfully sent the response, the server should be prohibited from responding to the same query request information within a short interval-enable TTL
If a valid DNS client receives a response, it will not send the same query request again.
If the TTL of a data packet expires, the system caches each response.
When attackers use a large number of query requests to attack the DNS server, we can block unwanted data packets.


4. Discard DNS query request and response data from unknown sources
Generally, attackers use scripts to launch distributed denial of service (DDoS) attacks on the target, and these scripts are usually targeted at vulnerabilities in software. Therefore, if we can deploy a simple anonymous detection mechanism on the server, we can limit the number of packets passed into the server.


5. If you have never seen such DNS requests before, Please discard this packet immediately
This type of request information may be sent by a forged proxy server, or due to a client configuration error, it may also be the request information that developers use for debugging. However, we should know that this may also be sent by attackers. In either case, such data packets should be discarded directly.
Create a whitelist to add valid request information that can be processed by the server.
The whitelist can block illegal query request information and data packets that have never been seen before.
This method can effectively protect your server from flooding attacks.
In addition, this method ensures that valid domain name servers only process and respond to valid DNS query requests.


6. Ask the DNS client to confirm its validity
Identity forgery/spoofing is a common technology in DNS attacks.
If the server can ask the DNS client to present the corresponding credential and prove its legitimacy, the server can avoid receiving flood data packets.

FortiDDoS also uses this anti-spoofing technology.
7. cache response information to prevent DNS server downtime caused by Overload
The FortiDDoS product is embedded with a high-performance DNS Cache tool, coupled with hardware logic processing, which can process millions of DNS query requests per second.
If the response information corresponding to a query request already exists in the DNS cache of the server, the cache can directly process the request. This effectively prevents server downtime due to overload.
8. Use ACLs
Sometimes, you may not want the server to process certain information in the query request. However, we can easily block this information in other ways. For example, if you do not want an external IP address to send a query request, you can directly discard such request packets.
9. Use ACLs, BCP38, and IP address validity to filter query requests
Every enterprise that has set up a DNS server should limit the number of creden。 of its users.
When the server receives a counterfeit attack packet, you only need to set a simple filter to prevent the attack vectors from various regions around the world from attacking the server.
In another case, some spoofed data packets may be sent by the address inside the network. BCP38 can be used to filter data packets. It can also prevent the server from receiving data packets sent from unknown source addresses.
If the service provider also provides the DNS resolution service for the customer, the provider can use BCP38 to prevent the server from receiving attack packets from the customer or internal address.


10. Provide excessive available bandwidth
If the DNS traffic to be processed by the server reaches X Gbps, make sure that the service bandwidth you provide does not exceed a certain range. If the bandwidth you provide exceeds what the server needs, attackers may launch flooding attacks on your server.
Summary
In this article, we provide you with ten simple methods that can effectively help you mitigate DNS-based DDoS attacks, and ensure that the services you provide can meet the customer's needs.