DNS Traffic Analysis Detects Hidden DDoS Attacks

New research has found a measurable increase in DNS cache-miss traffic levels and a number of previously unknown DDoS events.

According to Farsight Security, analysis of DNS cache-miss traffic levels over the two-month period of March-April 2020 revealed “a macroscopic phenomenon.” The analysis covered over 300 domains belonging to leading travel and transportation, retail, streaming video, higher education, and news and partisan opinion sites.

Using its DNSDB intelligence solution, Farsight said it examined daily DNS transactions for over 300 sites, looking at the DNS cache-miss traffic for all hostnames under each site's delegation point. This revealed some websites experiencing spikes in volume, which Farsight said represent distributed denial of service (DDoS) attack traffic being reflected at unrelated third-party sites.

It said at least two distinct reflective DDoS attack patterns took place among the studied sites: one pattern type which appeared to be purely associated with abusive DNS SOA (Start of Authority) queries, and a second pattern type which melds abusive DNS SOA queries with abusive DNS TXT queries for wildcarded SPF redirect records.

Some sites also experienced spikes in volume so large that they caused most of the “normal variation” in traffic volume to “wash out” under the dominance of the spike or spikes.

Dr. Paul Vixie, chairman, CEO and co-founder of Farsight Security, said that whilst headlines focused on a virus pandemic, most of the DNS traffic related to those headlines would be due to fraudulent or criminal activity by those hoping to cash in on the public's attention. “Therefore, it is worth our time to study DNS traffic patterns during every global event, to characterize current abuses of the system and to predict future abuses,” he said.

Farsight also discovered a step-up pattern in traffic, typically reflecting a four-to-seven-times increase in DNS cache-miss traffic levels, across most or all verticals during the same period.
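As an added illustration (not Farsight's code or DNSDB output), the following Python runs the kind of per-query-type spike, "wash-out" and step-up checks described above over constructed daily cache-miss counts for one hypothetical delegation point; the spike factor, sample values and day labels are assumptions.

```python
from statistics import median

# Constructed daily cache-miss counts for one hypothetical delegation point
# (not Farsight data): {day: {qtype: count}} over 20 days. Days 1-10 sit at a
# baseline, days 11-20 run at 5x baseline (the "step up"); day 5 carries an
# SOA-only spike and day 15 a combined SOA + TXT spike.
BASELINE = {"A": 1000, "SOA": 40, "TXT": 30, "MX": 20}
SAMPLE = {}
for d in range(1, 21):
    scale = 1 if d <= 10 else 5
    SAMPLE[f"day{d:02d}"] = {q: n * scale for q, n in BASELINE.items()}
SAMPLE["day05"]["SOA"] = 50_000   # pattern 1: abusive SOA queries only
SAMPLE["day15"]["SOA"] = 60_000   # pattern 2: SOA plus TXT (SPF redirect) queries
SAMPLE["day15"]["TXT"] = 45_000

def abusive_qtypes(series, factor=10):
    """Return {day: set(qtypes)} where a qtype exceeds factor x its own
    cross-day median. Per-qtype baselines stop a genuine step-up in A-record
    traffic from hiding a spike in a normally quiet type such as SOA."""
    qtypes = {q for counts in series.values() for q in counts}
    baseline = {q: median(c.get(q, 0) for c in series.values()) for q in qtypes}
    hits = {}
    for day, counts in series.items():
        flagged = {q for q, n in counts.items() if n > factor * baseline[q]}
        if flagged:
            hits[day] = flagged
    return hits

def classify(qtypes):
    """Map flagged qtypes onto the two reflective patterns the study reports."""
    if qtypes == {"SOA"}:
        return "soa-only"
    if qtypes == {"SOA", "TXT"}:
        return "soa+txt"
    return "other"

def step_up_ratio(series, spike_days):
    """Median daily total of the second half over the first half, with spike
    days excluded so reflection traffic does not inflate the step-up."""
    totals = [sum(series[d].values()) for d in sorted(series) if d not in spike_days]
    half = len(totals) // 2
    return median(totals[half:]) / median(totals[:half])

def spike_volume_share(series, spike_days):
    """Fraction of all cache-miss volume landing on spike days; a value near 1
    means the spikes wash out the normal day-to-day variation."""
    total = sum(sum(c.values()) for c in series.values())
    return sum(sum(series[d].values()) for d in spike_days) / total

if __name__ == "__main__":
    hits = abusive_qtypes(SAMPLE)
    for day, qs in sorted(hits.items()):
        print(day, classify(qs), sorted(qs))
    print("step-up x%.1f, spike share %.2f" % (step_up_ratio(SAMPLE, hits),
                                               spike_volume_share(SAMPLE, hits)))
```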

To reduce the risk of DDoS events, Farsight recommended that name server vendors ship their products with Response Rate Limiting (RRL) enabled by default. Farsight also recommended that all authoritative name server operators confirm that their current configurations have RRL enabled.
