What is DNS Flood Attack (DNS Flooding)

Table of Contents

What is DNS Flood Attack (DNS Flooding)?

  • Domain Name System (DNS) are the directories used to resolve between machine-readable addresses of websites (such as 191.168.0.1:80) and human-readable names (e.g. radware.com)
  • A DNS flood is a type of DDoS (distributed denial-of-service attack) when an attacker floods a particular domain’s DNS servers to disrupt resolution for that domain.

How does a DNS flood attack work?

  • Sending a massive number of DNS requests to a DNS server can consume its resources, resulting in a significantly slower response time for legitimate DNS requests.
  • By slowing down or disrupting DNS resolution, a DNS Flood attack will disable or degrade the performance of a website, API or web application's ability respond to legitimate traffic. How does a DNS flood attack work What is DNS Flood Attack (DNS Flooding)

How can a DNS Flood attack be mitigated?

  • Since DNS name resolution is used in normal internet communication, during heavy loads, DNS Flood attacks can be difficult to distinguish from normal heavy traffic especially if the floods have many unique sources.
  • Attackers exploit the DNS’ hierarchical infrastructure weaknesses and protocol vulnerabilities for mounting attacks against DNS services, targeting either recursive resolvers or authoritative servers. Many such attacks such as DNS amplification, DNS spoofing, Reflection, NXDomain and NXNSDomain are now common.
  • DNS Security Extensions (DNSSEC) were introduced in 2005 to preclude spoofing and man-in-the-middle attacks.
  • DNS over HTTPS or DoH was introduced to increase the privacy and security by preventing eavesdropping and manipulation of DNS data through man-in-the-middle attacks.
  • Although DNSSEC and DoH can help with authentication, privacy and integrity; however, they cannot protect from query floods, NXDomain and NXNSDomain attacks.
  • Securing the perimeter is key to protecting DNS infrastructure. You’ll need a security solution that can detect and mitigate an attack based on ingress requests only and prevent the bad queries from entering your DNS infrastructure to begin with. Not relying on a bi-directional response detection can also minimize impacts from bogus domain requests.
  • Since high-volume floods can consume resources of stateful devices you need a stateless DNS security solution.
  • Accurate attack filtering with minimal risk of false positives requires achieving a high detection accuracy between a good and a bad DNS request. Behavioral algorithms can detect statistical anomalies in DNS traffic and generate an accurate attack footprint based on a heuristic protocol information analysis to prevent and protect from DNS Flood attacks.

How Radware mitigates DNS Flood Attacks

Radware DDoS protection solutions mitigate DNS Flood attacks via behavioral-based protection. Protection is provided across all three phases of an attack: detection, characterization and mitigation.

During the detection phase, Radware monitors all inbound DNS traffic and learns the baseline of normal DNS traffic behavior using various logics and monitoring various baselines and parameters. During the characterization phase, Radware creates an automatic, real-time signature, which blocks the DNS attack without human intervention. Using samples of real-time traffic that deviates from the baseline traffic, Radware looks for characteristic parameters of the ongoing anomaly in the suspicious traffic. Lastly, during the mitigation phase, Radware utilizes the real-time signature to identify the DNS attack traffic and automatically stops the attack.

Related Articles

What Is a Web DDoS Tsunami Attack? A Web DDoS Tsunami attack is an evolved type of HTTP DDoS Flood cyberattack that is sophisticated, aggressive and very difficult to detect and mitigate without blocking legitimate traffic.
What Is A DDoS Attack? A distributed denial-of-service (DDoS) attack occurs when multiple machines are operating together to attack one target to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
ICMP Flood Attack Internet Control Message Protocol (ICMP) ping requests are used to check for connectivity and the health of networking devices.
TCP Flood Transmission Control Protocol (TCP) uses a three-way handshake between a sender and the receiver to establish a reliable TCP connection between them.
Amplification Attack Domain Name System (DNS) are the directories used to resolve between machine-readable addresses of websites (such as 191.168.0.1:80) and human-readable names (e.g. radware.com)
UDP Flood Attack User Datagram Protocol (UDP) is a connectionless, unreliable protocol used in computer networks.
White Papers

Protecting Critical DNS Infrastructure

Find out how Radware's AI-powered, rule-free proteciton stops even the most sophisticated DNS DDoS attacks.

Read more

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Contact Us Now

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
CyberPedia

Close

What are you looking for?