DNS DDoS Attacks Have Doubled. What Does That Mean for Your Company?

DDoS attacks continue to pose a significant risk to the stability and availability of online services. As soon as one threat vector is thwarted, another springs up.

One of these vectors is DNS attacks — malicious DDoS traffic carried through UDP Port 53: the Domain Name System. The 2023 Corero Threat Intelligence Report has revealed a 100% increase in this type of attack since 2020.

Today, we’ll discuss the rise of DNS DDoS attacks, including why this vector is so serious and what several of its main subtypes are. We’ll also explore a DDoS solution for companies to protect themselves from malicious DDoS traffic.

What are DNS DDoS attacks?

The Domain Name System (DNS) plays a vital role in translating human-readable names into IP addresses and supports widely used internet applications like email, web navigation, content distribution platforms, security services, and more. DNS DDoS attacks pose a significant threat to this core internet infrastructure, since disrupting the DNS effectively disrupts the majority of online communication.

In our previous post about DDoS attacks on the UDP and TCP protocols, we explained that our threat research team has identified a significant portion of malicious UDP DDoS traffic (29%) directed at UDP Port 53: DNS. By analyzing this same traffic for directed DNS attacks, we found that it is growing at a significant rate. According to our analysis, DNS attacks in 2022 showed a 100% increase over the previous two-year period.

One of the challenges in mitigating these attacks is that they often resemble legitimate DNS traffic, making it difficult to distinguish malicious activity from real user requests. They’re also on the rise: In one study conducted between November 2020 and March 2022, researchers found that millions of domains, comprising up to 5% of the DNS namespace, experienced DDoS attacks. Although most attacks did not cause significant harm to DNS performance, some instances resulted in a staggering 100-fold increase in DNS resolution time or complete unreachability.

One of the most famous DNS DDoS attacks was the 2016 attack on the DNS provider Dyn by the Mirai botnet. The attack caused major disruptions to internet services in Europe and North America, including the websites of Airbnb, Amazon, PayPal, Reddit, Spotify, and numerous news organizations. It was accomplished with maliciously targeted TCP and UDP traffic over port 53 — specifically, numerous DNS lookup requests from tens of millions of IP addresses.

What are the top DNS DDoS vectors?

Although there are many possible DNS DDoS vectors, we have observed that the threats typically fall into several categories, including:

  • DNS NX (nonexistent) subdomain lookups
  • DNS water torture (e.g. random subdomain)
  • DNS query floods (direct or via resolvers)

Below, we’ll explore each of these three DNS vectors in detail.

DNS NX (nonexistent) subdomain lookups

An NXDOMAIN attack is a type of DNS flood attack in which an excessive number of DNS lookup requests is directed at nonexistent domain and subdomain names. These names are usually generated randomly and are highly unlikely to exist (e.g. adsf83s8ds.example.com). Because no resolver has them cached, the lookup requests are forwarded to the authoritative DNS server responsible for the domain, attempting to exhaust its resources. When the attacks come from thousands of sources at the same time, as with a botnet, the server becomes unable to respond to legitimate requests, and the website or service becomes unavailable.

DNS water torture

In a DNS water torture attack, the attacker employs a botnet to generate a massive volume of DNS requests for fictitious subdomains directed at an authoritative name server (ANS). If the ANS does not reply because it’s busy responding to other queries or because it’s crashed, the recursive resolver that forwarded the query attempts to contact the next ANS, and the next, and so on.

Much like NXDOMAIN attacks, water torture requests target nonexistent subdomains or hosts in order to consume the memory and processing resources of the primary resolver. DNS water torture can involve thousands or even millions of DNS requests for fake domains, and it can also overwhelm intermediary DNS resolvers in the network in addition to its primary target.

DNS query floods

Like the previous two types of DNS DDoS attacks, DNS query floods begin with a high volume of queries for nonexistent subdomains. These subdomains are randomly created based on a legitimate domain (e.g., <random-nonexistent>.www.legitimate-domain.com).

As ISP resolvers attempt to resolve the requests but find nothing about the fictitious subdomains in their cache, more and more requests flood in toward the authoritative servers. The result is that the legitimate domain — the attackers’ main target — is overwhelmed. However, this method incidentally degrades the ISP resolvers as well.

Shutting down DNS DDoS attacks

Like most DDoS attacks, DNS attacks can be mitigated with a robust cybersecurity strategy and the right DDoS protection solution. This strategy should include measures like regular monitoring of network traffic, ensuring the integrity and security of DNS servers, and employing strong access controls to prevent unauthorized access.

Additionally, organizations should invest in a reliable DDoS mitigation and protection solution that can detect and mitigate DNS flood attacks. The ideal solution should be capable of identifying and filtering out malicious DNS requests while allowing legitimate traffic to flow smoothly.
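As an added illustration of what monitoring for the three vectors above looks like in practice (example code, not Corero's and not part of the original post), the script below scores a constructed resolver log for the two signals those attacks share, a high NXDOMAIN ratio and a high share of never-repeated names, and also sums NXDOMAIN answers per zone so that a botnet of low-rate sources still stands out. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "client qname rcode", one per line
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 www.example.com NOERROR
10.0.0.5 api.example.com NOERROR
10.0.0.5 wwww.example.com NXDOMAIN
198.51.100.7 adsf83s8ds.example.com NXDOMAIN
198.51.100.7 q9x2mzpl0k.example.com NXDOMAIN
198.51.100.7 zz71bnqa4e.example.com NXDOMAIN
198.51.100.7 www.example.com NOERROR
198.51.100.7 p0o9i8u7y6.example.com NXDOMAIN
203.0.113.9 k2j4h6g8f0.example.com NXDOMAIN
203.0.113.9 m1n3b5v7c9.example.com NXDOMAIN
"""

def parse_log(text):
    """Yield (client, qname, rcode); qname lowercased, trailing dot removed."""
    for line in text.splitlines():
        if line.strip():
            client, qname, rcode = line.split()
            yield client, qname.lower().rstrip("."), rcode

def zone_of(qname, depth=2):
    """Approximate the attacked zone by its last `depth` labels (e.g. example.com)."""
    return ".".join(qname.split(".")[-depth:])

def analyze(text, min_queries=5, nx_ratio=0.6, unique_share=0.6):
    """Return (flagged_clients, zone_nx_counts). A client is flagged when most of
    its queries return NXDOMAIN and most of its names are distinct (random
    subdomains). zone_nx_counts sums NXDOMAIN per zone over all clients, so a botnet
    whose members each stay under min_queries still surfaces as a spike on the zone."""
    per_client = defaultdict(lambda: {"queries": 0, "nx": 0, "names": set()})
    zone_nx = defaultdict(int)
    for client, qname, rcode in parse_log(text):
        c = per_client[client]
        c["queries"] += 1
        c["names"].add(qname)
        if rcode == "NXDOMAIN":
            c["nx"] += 1
            zone_nx[zone_of(qname)] += 1
    flagged = {}
    for client, c in per_client.items():
        if c["queries"] < min_queries:
            continue
        nx, uniq = c["nx"] / c["queries"], len(c["names"]) / c["queries"]
        if nx >= nx_ratio and uniq >= unique_share:
            flagged[client] = {"nx_ratio": round(nx, 2), "unique_share": round(uniq, 2)}
    return flagged, dict(zone_nx)
```

On the sample, only 198.51.100.7 crosses both per-client thresholds, while the per-zone count (7 NXDOMAIN for example.com) is what would reveal the distributed case that 203.0.113.9 represents.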

Find out more about how our modular DDoS protection platform can help protect your organization by scheduling time to speak with an expert today.

Sources

Background Research on DNS-Related DDoS Vulnerabilities | CAIDA

Investigating the Impact of DDoS Attacks on DNS Infrastructure | CAIDA

Dyn Confirms Mirai Botnet Involved in Distributed Denial of Service Attack | ZDNET

The DNS Attacks We’re Still Seeing | F5

Water Torture: A Slow Drip DNS DDoS Attack | Secure64

Pseudo Random DNS Query Attacks & Resolver Mitigation Approaches | NANOG
