Cyber attacks use different techniques to harm their targets, and how much damage an attack does depends on how strong the target’s defenses are. Today we will talk about the DNS flood, one of the more dangerous categories of DDoS attack. Understanding how it works is a good starting point for knowing how to defend against it.
What is a DDoS attack?
Distributed denial of service (DDoS) is an attack that disrupts a target by drowning it in traffic originating from multiple sources. Targets can be servers or networks.
Digging a little deeper into the name makes everything clear. The word “distributed” indicates that the attack traffic is generated by many different devices. When the attack achieves its purpose, shutting down the target, the immediate consequence is a denial of service for users: nobody will be able to access it.
There are different types of DDoS attacks, but they all have something in common: they are carried out by infecting massive numbers of devices connected to the Internet. Once infected, those devices become the “factories” of traffic that attackers direct against the target. Considering how many devices are connected right now, you can imagine the scale such attacks can reach around the world.
What is a botnet?
A botnet is short for “robot network”: a set of different devices infected with malware. The whole network is controlled by an attacker, commonly called the bot-herder, while each infected computer, laptop, smartphone, tablet or IoT (Internet of Things) device is called a bot or zombie. A single attacker can order all bots to carry out criminal activities simultaneously, from sending spam, stealing data and abusing devices and their connections, to DDoS attacks.
Attackers can change the instructions (commands) sent to the bots remotely, and the bots will behave accordingly.
What is a DNS flood?
A DNS flood is a kind of distributed denial of service attack. It floods the specific DNS servers of a domain with traffic in order to disrupt that domain’s DNS (Domain Name System) resolution.
Remember that DNS servers hold the database that concentrates DNS information for domains (domain names and their associated IP addresses). Whenever a user requests a domain, a lookup of exactly that DNS information is needed to reach it. Without that information, no request can be served properly.
DNS flood attacks can severely affect web applications, application programming interfaces (APIs), websites and so on, and their capacity to serve legitimate traffic.
There is a big issue that makes a DNS flood attack hard to detect: the massive traffic sent to drown the target can look like a normal spike. The reason is that, however large the load, it comes from many different sources in unique locations, and the queries ask for the domain’s real DNS records, so the attack impersonates regular traffic.
By the time you realize the traffic is malicious, your system may already be sluggish and its resources exhausted.
DNS flood attacks have increased in parallel with the growth of the Internet of Things (IoT). DNS floods take advantage of the high-bandwidth connections of such devices (voice controllers, security cameras, smart coffee machines, televisions, fridges, ovens, lights, trackers, watches, alarm clocks, air quality monitors, smoke detectors, speakers, thermometers, routers, etc.). A high-bandwidth connection can execute tasks such as downloading faster than a low-bandwidth one, which lets those zombies obey commands efficiently and change behavior quickly, even on the fly.
Targets can hardly handle such traffic. Eventually, they will drown.
DNS floods are a severe threat, and improving security can prevent them. Know your traffic well enough to distinguish normal from abnormal patterns. Use bot detection tools and DDoS protection. Have a large, distributed DNS system that monitors traffic and blocks attacks in real time. This is a worthwhile defense.
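As an added example (not code from the original article), the following Python snippet shows one way to apply the “know your traffic” advice to the detection problem described above: it runs over a constructed DNS query log and flags time windows where both the query rate and the number of distinct sources jump far above a baseline, which separates the many-sources flood pattern from a single noisy client. The log, the thresholds and the function names are all assumptions.

```python
from collections import defaultdict
from statistics import median


def make_sample_log():
    """Constructed DNS query log as (second, source_ip, qname) tuples.
    Seconds 0-9 are quiet baseline traffic; second 5 also carries one
    chatty client; seconds 10-12 are a synthetic flood from many unique
    sources asking for real names, the pattern described in the article."""
    log = []
    for sec in range(10):
        for i in range(3):
            log.append((sec, f"10.0.0.{i}", "www.example.com"))
    for _ in range(40):  # one legitimate but noisy client, not a flood
        log.append((5, "10.0.0.9", "api.example.com"))
    names = ["www.example.com", "api.example.com"]
    for sec in range(10, 13):
        for i in range(60):
            log.append((sec, f"203.0.113.{i}", names[i % 2]))
    return log


def window_stats(log, window=1):
    """Per-window (query count, distinct source count), keyed by window index."""
    stats = defaultdict(lambda: [0, set()])
    for sec, src, _qname in log:
        w = sec // window
        stats[w][0] += 1
        stats[w][1].add(src)
    return {w: (n, len(srcs)) for w, (n, srcs) in sorted(stats.items())}


def flag_flood_windows(stats, baseline_windows, rate_factor=10, src_factor=10):
    """Flag windows whose query rate AND distinct-source count both exceed
    the baseline median by the given factors. Requiring both keeps a single
    high-volume client (high rate, few sources) from being flagged."""
    base = [stats[w] for w in baseline_windows if w in stats]
    base_rate = median(n for n, _ in base)
    base_src = median(s for _, s in base)
    return [w for w, (n, s) in stats.items()
            if n >= rate_factor * base_rate and s >= src_factor * base_src]


if __name__ == "__main__":
    stats = window_stats(make_sample_log())
    print("flagged windows:", flag_flood_windows(stats, range(10)))
```

In a real deployment the baseline would come from historical resolver logs and the factors would be tuned to the observed normal variance, since the article’s point is that raw volume alone looks like an ordinary spike.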