Keeping DNS Networks Secure at a Challenging Time
December 18, 2020
Companies need advanced protection amid rising DDoS attacks
By Michael Zuckerman, Consulting Senior Product Marketing Manager, Infoblox

In 2020, DDoS attacks continued to increase in both volume and frequency. Nexusguard Research reported a 542% increase in DDoS attacks in the first quarter of 2020 compared with the last quarter of 2019. The Nexusguard research team also observed unusual traffic patterns from ISPs, including traffic generated by infected devices.
In rare harmony, Kaspersky also reported that DDoS attacks doubled in the first quarter of 2020 when compared to the last quarter of 2019. Kaspersky also found that DDoS cyberattacks have been increasing in duration – the average attack duration increased by 24% in the first quarter of 2020 compared with the same quarter one year ago.
DNS-based DDoS attacks have emerged as a weapon of choice for fraud, extortion and outright disruption. The threat actors behind them may be politically motivated, part of organized crime, or nation-state cyber warfare operatives.
****************************************************************
Avoiding Disruptions by DNS-Based Attacks
With Infoblox Advanced DNS Protection (ADP), your business is always up and running, even under a DNS-based attack. To learn more, download the datasheet: Infoblox Advanced DNS Protection
****************************************************************
The COVID-19 pandemic created this new opportunity for attackers, and the disease continues to impact businesses and economies worldwide. The net result is that 2020 has become the year of the teleworker. The use of online services from home and other remote locations became more critical than ever. Students are online. Employees are serving customers online. Many of us are working from home and highly dependent on Internet connectivity, from a mix of laptops and mobile devices. Threat actors moved with lightning speed to exploit that dependence.
And just when one thinks it can’t get worse, it does. DDoS for hire (otherwise known as “booter” services) gives threat actors access to thousands of preconfigured servers that can be used to launch DDoS assaults against any organization. Booters are web-based services that sell criminal DDoS capacity. In polite conversation they are often marketed as “IP stressers”, a name borrowed from legitimate load-testing services that organizations use to test their own networks and servers for resiliency. Stress-testing your own network is normal; pointing the same capacity at an external party without authorization is illegal and malicious criminal activity. The great majority of the servers behind these services are hijacked, and the malicious activity is usually completely unknown to their owners.
As one would expect, booters are sold on the dark web using untraceable currencies such as Bitcoin. As quickly as the FBI and other law enforcement agencies can find them and shut them down, new ones still seem to spring up. The number of these servers for sale at times looks quite large, with many tens of thousands of hijacked servers accessible at meager cost for a motivated attacker.
The DDoS attacks launched from these booter sites take us back to basics. As always, the mix of readily usable techniques includes DNS amplification and DNS reflection, used alone or in combination. An amplification attack exploits the asymmetry between a DNS query and its answer: a query of a few dozen bytes (for example, one asking for a record type with a large answer and advertising a large EDNS0 UDP buffer) can trigger a response many times its size. Threat actors flood the server with these short requests that require long responses, so a small compute resource can consume the bandwidth and processing capacity of the targeted DNS server. The server is so busy answering the malicious requests that it cannot answer legitimate ones, and name resolution, and with it network activity, grinds to a halt.
The reflection vector sends queries that appear to come from the target of the attack. The attacker sends queries to a recursive name server with a spoofed source IP address, placing the target’s (victim’s) address where its own should be. The recursive name server fetches the answer from the authoritative name server (or serves it from cache) and sends it to the target. The huge volume of responses, amplified as described above, then lands on the target, effectively overwhelming it. Because the victim never sent the queries, it is the recursive server’s willingness to answer arbitrary Internet sources that makes the attack possible.
A sophisticated threat actor combines the two techniques by spoofing the target’s IP address and sending carefully crafted queries that each produce a large payload. This double punch can be an overwhelming DNS DDoS scenario, and it effectively hits two parties at once: the reflecting name server that has to produce the responses, and the victim that has to absorb them.
In current times, comprehensive and intelligent protection against DNS DDoS attacks should be an essential part of any enterprise cybersecurity architecture. Infoblox uses various techniques to detect and drop DNS amplification, DNS reflection, NXDOMAIN flood and protocol anomaly attacks, keeping both external Internet-facing DNS servers and internal DNS servers running. This helps partners quickly step up the cybersecurity posture of their customers, and it helps organizations prepare in advance and keep their DNS infrastructure secure at a time when DDoS attacks are increasing at an alarming rate.
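To make the attack mechanics and the detection concrete, here is an added Python example. It is not Infoblox code and is not from the original article: it hand-builds the kind of small EDNS0 ANY query an attacker sends, computes the amplification factor from a response size, and runs a simple per-source detector over constructed query-log records that flags amplification/reflection and NXDOMAIN floods. The log record layout, the thresholds, the addresses (RFC 5737 documentation ranges) and the response sizes are assumptions for illustration.

```python
"""Added example (not Infoblox code): DNS amplification maths and a small
per-source detector for amplification/reflection and NXDOMAIN floods.
Record layout, thresholds, addresses and sizes are constructed for illustration."""
import struct
from collections import defaultdict

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255   # RFC 1035 record type codes
RCODE_NXDOMAIN = 3                           # "name does not exist"


def build_query(qname: str, qtype: int, edns_bufsize: int = 4096) -> bytes:
    """Hand-build a DNS query in wire format (RFC 1035) plus an EDNS0 OPT record
    (RFC 6891) advertising a large UDP buffer: the small packet an attacker sends
    to ask a resolver for the largest answer it will return."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # id, RD=1, QDCOUNT=1, ARCOUNT=1
    question = b"".join(bytes([len(label)]) + label.encode()
                        for label in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)            # root label, QTYPE, QCLASS=IN
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)  # name ".", TYPE=OPT, CLASS=bufsize
    return header + question + opt_rr


def amplification_factor(query: bytes, response_len: int) -> float:
    """Bytes the reflector emits toward the (spoofed) source per byte the attacker sent."""
    return response_len / len(query)


def detect(records, window_s=60, min_queries=20, min_amp=10.0, min_nx_ratio=0.8):
    """Group query-log records by (source, time window) and flag a source when its
    answers are many times larger than its questions (amplification/reflection) or
    when nearly every answer is NXDOMAIN (random-subdomain flood).
    Each record: (ts, src_ip, qname, qtype, rcode, query_bytes, response_bytes)."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[(rec[1], int(rec[0] // window_s))].append(rec)
    findings = {}
    for (src, _), recs in buckets.items():
        if len(recs) < min_queries:            # too little traffic to judge
            continue
        amp = sum(r[6] for r in recs) / sum(r[5] for r in recs)
        nx_ratio = sum(1 for r in recs if r[4] == RCODE_NXDOMAIN) / len(recs)
        if amp >= min_amp:
            findings.setdefault(src, {})["amplification"] = round(amp, 1)
        if nx_ratio >= min_nx_ratio:
            findings.setdefault(src, {})["nxdomain_ratio"] = round(nx_ratio, 2)
    return findings


def sample_records():
    """Constructed log records, not captured traffic (RFC 5737 documentation addresses)."""
    q_len = len(build_query("example.com", QTYPE_ANY))
    recs = []
    # Reflection: 30 ANY queries in one minute whose source is the spoofed victim,
    # each drawing an assumed 3200-byte answer that the resolver sends to the victim.
    for i in range(30):
        recs.append((1200 + i, "203.0.113.10", "example.com", QTYPE_ANY, 0, q_len, 3200))
    # NXDOMAIN flood: 25 lookups of random-looking labels that all fail.
    for i in range(25):
        recs.append((1200 + i, "198.51.100.7", f"x{i:04d}.example.com", QTYPE_A,
                     RCODE_NXDOMAIN, 44, 120))
    # Ordinary client: a few successful A lookups.
    for i in range(5):
        recs.append((1200 + i * 10, "192.0.2.5", "www.example.com", QTYPE_A, 0, 44, 100))
    return recs


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    print(f"ANY query is {len(q)} bytes; a 3200-byte answer is x{amplification_factor(q, 3200):.0f}")
    for src, why in detect(sample_records()).items():
        print(src, why)
```

One caveat the detector makes visible: in a reflection attack the logged source address is the spoofed victim, so a response that simply blocks that source would finish the attacker’s job for them. The practical reaction at the resolver is to rate-limit the responses sent toward that address and to stop recursing for arbitrary Internet clients, not to blacklist the victim.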
Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant with experience in the cybersecurity and enterprise SaaS software markets. Zuckerman’s domain experience in cybersecurity over the past five years includes container security, moving target defense, network threat analysis (AI), sandbox, deception technology, continuous security validation, cloud access security brokers, AI based SIEM, secure collaborative governance, and related technology sets that include data loss prevention (DLP), user and entity behavior analytics (UEBA), and encryption.