A DNS flood is a DDoS attack that aims to flood and overwhelm a target DNS server.
What is a DNS Flood?
Domain Name System (DNS) servers are the “phonebooks” of the Internet; they are the path through which Internet devices look up the specific web servers that host Internet content. A DNS flood is a distributed denial-of-service (DDoS) attack in which an attacker floods a particular domain’s DNS servers to disrupt DNS resolution for that domain. If a user cannot reach the phonebook, they cannot look up the address to call for a particular resource. By disrupting DNS resolution, a DNS flood attack compromises the ability of a website, API, or web application to respond to legitimate traffic. DNS flood attacks can be difficult to distinguish from ordinary heavy traffic, because the large volume of queries often comes from many unique locations and asks for real records on the domain, mimicking legitimate traffic.
How does a DNS flood attack work?
The function of the Domain Name System is to translate between easy-to-remember names (e.g., example.com) and hard-to-remember addresses of website servers (e.g., 192.168.0.1), so successfully attacking DNS infrastructure makes the Internet unusable for most people. DNS flood attacks constitute a relatively new type of DNS-based attack that has proliferated with the rise of high-bandwidth Internet of Things (IoT) botnets like Mirai. DNS flood attacks use the high-bandwidth connections of IP cameras, DVR boxes, and other IoT devices to overwhelm major providers’ DNS servers directly. The volume of requests from IoT devices overwhelms the DNS provider’s services and prevents legitimate users from accessing the provider’s DNS servers.
DNS flood attacks differ from DNS amplification attacks. Unlike DNS floods, DNS amplification attacks reflect and amplify traffic off unsecured DNS servers to hide the attack’s origin and increase its effectiveness. DNS amplification attacks use devices with lower-bandwidth connections to make numerous requests to unsecured DNS servers. The devices make many small requests for large DNS records, but when making the requests the attacker forges the return address to be that of the intended victim. The amplification allows the attacker to take out larger targets with limited attack resources.
How can a DNS Flood attack be mitigated?
DNS floods represent a change from traditional amplification-based attack methods. With easily accessible high-bandwidth botnets, attackers can now target large organizations. Until compromised IoT devices can be updated or replaced, the only way to withstand this category of attacks is to use an extensive and highly distributed DNS system that can monitor, absorb, and block the attack traffic in real time.
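The monitoring side of that mitigation can be illustrated with a small detector over a DNS query log. The following is an added example, not code from the original article or any DNS provider; it assumes a log with one query per line in the form "unix_ts client_ip qname qtype" (the sample lines are constructed) and flags one-second windows whose query rate far exceeds a known baseline, reporting how many distinct clients contributed so that a highly distributed flood, where per-client rate limiting alone would not help, is visible.

```python
"""Flag DNS query floods in a query log (added example, assumed log format)."""
from collections import Counter, defaultdict


def parse_line(line):
    """Parse an assumed log line: '<unix_ts> <client_ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.lower(), qtype


def bucket_queries(lines, window=1):
    """Group queries into fixed windows of `window` seconds, keyed by start."""
    buckets = defaultdict(list)
    for line in lines:
        ts, client, qname, _ = parse_line(line)
        buckets[ts // window * window].append((client, qname))
    return buckets


def detect_flood(lines, baseline_qps, factor=10, window=1):
    """Return one alert per window whose rate exceeds factor * baseline_qps.

    Each alert records the rate, the number of distinct clients, the share of
    traffic from the busiest client (low share + high rate = distributed
    flood) and the most requested names (real records mimic legitimate use).
    """
    alerts = []
    for start, queries in sorted(bucket_queries(lines, window).items()):
        qps = len(queries) / window
        if qps <= factor * baseline_qps:
            continue
        by_client = Counter(client for client, _ in queries)
        alerts.append({
            "start": start,
            "qps": qps,
            "clients": len(by_client),
            "max_client_share": by_client.most_common(1)[0][1] / len(queries),
            "top_qnames": Counter(q for _, q in queries).most_common(3),
        })
    return alerts


def make_sample():
    """Constructed log: one quiet second, then two seconds of a distributed flood."""
    lines = [f"1000 192.0.2.{i} www.example.com A" for i in range(1, 6)]
    names = ["www.example.com", "api.example.com", "mail.example.com"]
    for sec in (1001, 1002):
        for i in range(200):  # 200 distinct sources, each asking for a real name
            lines.append(f"{sec} 198.51.100.{i + 1} {names[i % 3]} A")
    return lines


if __name__ == "__main__":
    for alert in detect_flood(make_sample(), baseline_qps=5):
        print(alert)
```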