Introducing: Rule-Free DNS Infrastructure Protection


Threat Landscape

DNS infrastructure is critical, everybody knows that. Without an active DNS service, all your applications are down, no matter how hard you were trying to protect each of them. Unfortunately, the attackers know this as well, and are investing serious efforts to penetrate your DNS defense system and knock down your DNS infrastructure.

We have seen a staggering increase in DNS attacks/month, 4x more attack activity to be exact, from mid-2022 to end of 2023 in Radware’s Cloud DDoS protection services:

Figure1

Source: Radware Threat Analysis Report Q4 2023

We are seeing attacks affecting all verticals, but the most prominent attacks were attempted against the Finance, Telecom, Government, and Service Provider verticals.

The attack profiles vary from frequent attacks at 10s of thousands of queries per second (QPS), to more elaborate campaigns of 100s of thousands of QPS, to “all out” campaigns with millions of QPS.

Moreover, what we see is a mix of sophisticated attempts to bypass protections. We see a challenging vector mix, attempts to cloak attack sources beyond the obvious hiding behind spoofing, and we see attempts to trick protections using an ever-evolving set of attack tools.

Looking at this threat landscape, we decided to endeavor to a new level of protection, something that will be hard to bypass and answers the above challenges.

For too long, the cyberworld has lived under the thumb of the “Rules” Guild. But rules made us less safe and more vulnerable because attackers love rules more than anything. Rules are easy to break.

The world will be a safer place when we make up the rules as we go along – instantly readying our defenses depending on which attacker has targeted us. We call it Rule-free defense and our rule-breaking patents make that possible.

The Prominent Vectors

Water Torture (a.k.a. Pseudo-Random Subdomain or PRSD Attack)
Say an attacker is after your example.com domain that includes some legit subdomains like blog.example.com, support.example.com and products.example.com. Now instead of attacking those legit domains, the attacker will craft a random subdomain queries flood. For example: abcdefg1.example.com, wndgic12hg.example.com, and so on. Moreover, the attacker will send those queries through legitimate DNS resolvers and DNS cache servers that have never heard of these random subdomains, so those entries are not in the resolvers’ caches. Which will in turn send out those random subdomain queries to your authoritative servers. On your DNS server side, you get a flood of requests from a legitimate resolver that will choke your server trying helplessly to reply with NXDOMAIN to the flood of queries.

Figure2

“Dictionary” Query Flood
Here, the attackers deliberately go after your existing subdomains like blog.example.com and others. In this case, sending the request through the resolvers is not a good attack strategy as the revolvers will reply from the cache, so a direct attack is more likely. Attackers will probably spoof their source address by one of many techniques. Some may even try using non-spoofed sources just to bypass any anti-spoofing mechanisms. All this will leave your server busy answering a flood of requests that are not coming from legitimate users and may eventually render your DNS service unusable.

Figure3

Mitigating DNS Attacks – A Layered Approach

The vectors mentioned above can be sent to your DNS infrastructure either standalone, combined, alternating, in bursts and morphing.

Figure4

To protect against these vectors and their combinations, we have developed a concept of layered defense.

The first layer of defense is the layer that filters out the random subdomain “water torture” component. This can be done by having a list of the legit subdomains. This list is known as a “ZoneFile” from one of your DNS servers; it can be used to filter out any random requests. We compare, with optimized efficient hashing, any incoming request to this “Allowlist” of legit Fully Qualified Domain Names (FQDNs). If the request is not on the Allowlist, we drop the request. Even if you do not want to share the ZoneFile with the defense system, we already introduced, in 2017, an efficient learning mechanism that learns your “ZoneFile” from the traffic at peace time, so we have it here as well.

Assuming the first layer of defense cleared the water torture component, you are now left with a potential “dictionary” Query Flood component. The second layer of defense uses the Challenge/Response mechanism to verify if the source of the query is spoofed or not.

Spoofed sources will fail the challenge and will be discarded while real sources will be cached in the second layer of defense Allowlist and will no longer be challenged.

We are now left with attackers that have passed our challenge, meaning they behave like legit sources, but they still flood the system. On the face of it, it should be easy to just isolate those sources and block them. Unfortunately, if you just screen “top talker” source IP addresses, you are going to hit legitimate resolvers sending relatively large amounts of queries over to your servers. We regularly see 10% of traffic from resolvers, so just blocking top talker sources will impact legitimate queries, creating false positives and service impact. Given that, the third layer of defense requires a smarter way to block flooding requests without impacting legitimate resolvers. We have implemented a fast rule-free algorithm to do just that.

Additional Challenges to Tackle

The layers of defense approach make a lot of sense and is simple enough to be the core of the new DNS protection. But there are subtleties. As I mentioned, the attackers are not standing still and some of the protection techniques have been out there for a while, so attackers know how to circumvent them. Here are some of the points to note:

Auto Scoping
Oftentimes, a customer will have many domains one DNS system (such as “customer-one.com”, “customer-two.com”, and so on). When under attack, it’s critical to pinpoint which are the domains under attack, applying protection to the affected domain. This is called “Scoping”. The scoping decision should be made automatically, or otherwise a human operator will need to spend precious time trying to understand which domain is under attack, and while doing that, the attack impacts the domain.

We have implemented the Rule-free auto scoping algorithm into the escalation path of our protections, which provides very fast TTM (Time to Mitigate).

Allowlist Scale
Filtering a random subdomain “water torture” attack, requires knowing which are the legitimate FQDNs. The internal representation of this list of known FQDNs is the “Allowlist”. It is critical to be able to digest the full scale of all legitimate FQDNs or otherwise the system will block legitimate requests that were not included in the Allowlist, creating false positives. We have opted for an implementation with a very large, up to several million, FQDN (Fully Qualified Domain Names) scale. This is for both uploaded ZoneFiles and for the Auto Learned names.

Allowlist Anti-Poisoning
Learning the Allowlist from traffic has many advantages; it lets you dynamically learn the allowlist without the need of uploading ZoneFiles. Even if you do upload ZoneFiles, you can still activate the auto-learning to be on top of frequently changing zones. But auto-learning has a drawback, attackers can manipulate the traffic in such a way that the learning system will be tricked into learning fake names and pre-seed those for later attacks a.k.a. “poisoning”. It is important to protect the learning process with an anti-poisoning mechanism to make sure your learned allowlist is valid.

We have implemented a Rule-free anti-poisoning algorithm into our auto-learning capabilities.

Query Flood Real Time Signatures
Once a random subdomain has been filtered, the defense system needs to profile the query flood to attempt an as narrow-as-possible mitigation action. It is critical that this is done automatically. Using manual rules or Regular Expressions (RegEx) will leave the system exposed until a human operator identifies the pattern to block. This is very slow and prone to human mistakes. Attackers love rules, as they are easier to break! We are using Radware’s advanced, battle-proven AI behavioral mechanism to create signatures in real time and Rule-free.

Anti Spoofing
The “second layer of defense” clears all spoofed sources by a Challenge/Response (C/R) mechanism. We have seen competitors attempting to challenge servers by requesting the source to use the TCP form of the DNS protocol rather than using the more common UDP protocol. This works well in a lab environment, but in real-life, in many cases the DNS TCP port is blocked. We are avoiding that method.

Other Challenge/Response methods like Name Server (NS) challenges are also tricky because in many cases the returning address from the Challenge will not be the same as the initial request source, making it impossible to clear the source IP address.

We found a way to overcome those issues, and have a solid C/R mechanism, which is also Rule-free.

Non-Spoofed query flood blocking
Eventually, at the end of the layered defense, you need to filter out high frequency, repeating, legitimate looking sources that are not DNS resolvers. Those attacking sources have passed the challenge response filter. Manual identification is difficult and time consuming because you need to filter botnets that send traffic that looks completely real from legitimate requests. A common solution is to impose a manual rate limit on certain sources or FQDNs, but this is not good enough as it will inflict false positives. Usually, rate limits are prone to the expertise (or guesswork if you will) of those people who set them. Even if the rate limits were set correctly, rate limiting only prevents the server from falling over, but it does not filter out illegitimate requests and does drop legitimate requests in the process. We have implemented a high-capacity algorithm to identify and block non-spoofed attackers and still be able to automatically distinguish attackers from legitimate, high-rate sources like resolvers, and… of course… the algorithm is Rule-free.

Operations and Visibility
Given a Rule-free, fully automatic, layered defense system, it is only natural that we wanted to emphasis the automatic nature of the defense system. Apart from the wealth of peacetime and attack time information you would expect from a top-notch protection system, we designed a dashboard where you can see the mitigation steps and layered defense in action as it happens. All that is left for you to do is to sit back and enjoy the “show.” Hands off.

Figure5

Summary

Radware’s new AI-powered, Rule-free DNS DDoS Protection solution provides organizations with a multi-layered, adaptive protection from the most sophisticated DNS DDoS attack campaigns.

The solution provides:

Automated AI-powered Protection
Radware provides a multi-layered, adaptive solution powered by AI to learn normal patterns associated with protected DNS systems, identify anomalies, and generate accurate mitigation methods to counter DNS DDoS attack campaign.

Accurate Protection Against Any DNS DDoS Attack
Radware’s solution can accurately identify and mitigate all DNS DDoS threats or the combination of multiple vectors at once.

Rule-free Approach to Drive Lower TCO (Total Cost of Ownership)
The solution offers seamless configuration, management, and the handling of ongoing attacks in a fully automated, rule-free manner leading to a significantly lower cost to the organization.

Shortest MTTR (Mean Time-to-Resolve)
Radware’s DNS DDoS protection solution leverages patented algorithms to automatically detect, adapt, and block DNS attacks thereby dramatically shortening the overall TTM (Time to Mitigate).

If you are under constant DNS attacks and need more details on this Rule-free innovation loaded DNS defense system, visit us, at radware.com and ask for a meeting.

Further Reading
Please also review the following blogs for additional perspective on this topic:

DNS Security, A Never-Ending Story

A Look Inside the Attacker’s Toolkit: DNS DDoS Attacks

DNS Under Siege: Real-World DNS Flood Attacks

Tamir Ron

Tamir Ron is the Vice President of Products at Radware leading Cyber Defense DDoS and AppSec, as well as the ADC product management, for the past 7 years. He has 12 years of product management and product strategy experience, and over 20 years of technical experience as a CTO and Chief Architect, all involving internet technologies. Tamir is dedicated to advancing cybersecurity and empowering organizations to protect their digital assets.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

CyberPedia

An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

CyberPedia
What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center