Attacks on the Domain Name System (DNS) on the Rise

Brian Wood Blog

According to data from Prolexic, a large and trusted distributed denial of service (DDoS) protection and mitigation service provider, attacks against the domain name system (DNS) are increasing. In 2013 alone, there was a 200 percent rise in attacks from the previous year and another 58 percent rise in DDoS attacks.

What exactly are these “attacks” and what’s causing them? Perhaps more importantly, how can you ensure the safety of your data?

DNS amplification attacks are powerful DDoS reflection attacks that have a relatively long history (in the short history of the internet). Current attacks can be quite strong, can slow down internet access, and can cause significant damage to the intended target.

Financially, the impact of a DNS attack is huge. For example, an outage lasting just 24 hours from a DDoS attack on government agencies, technological companies, and financial services is estimated to cost a combined $27 million.

DDoS reflection attacks, which target network bandwidth, use routers or servers to respond to requests, thus reflecting the attack traffic and hiding the attack sources (

DNS Attacks 1This figure shows the relationship between DDoS attacks on network bandwidth resources, connection resources, and computing resources (

Denial of service (DoS) attacks can be roughly classified into three types, based on their targets and layers:

  • Network layer: attacks on network bandwidth resources
  • Transmission layer: attacks on connection resources
  • Application layer: attacks on computing resources

NSFOCUS, another DDoS mitigation service provider, states that DNS attacks mainly occur at the network layer. In this scenario, the network interface bandwidth of a server or data packet processing capacity of internet infrastructure (e.g., a router, switch, etc.) has an “upper” limit. When the number of arriving or transiting network packets exceeds the upper limit, it can cause network congestion or a slow response.

DDoS attacks at the network layer send a large number of network packets by using widely distributed zombie hosts (“slave” computers), exhausting all bandwidth resources of the target so that normal requests will not receive timely and effective responses.

DNS Attacks 2

Architecture of a DDoS attack (

Virtually no one is exempt from security threats and while any business can become a target, enterprise-level businesses receive an average of 2 million DNS queries every single day. Because of this, the threat of attack is quite significant.

Countries with high internet usage are obviously more susceptible to attack, but they are also most likely to be the origin for the most DDoS attacks. The top five countries of origin (responsible) for the most DDoS attacks in 2013 include China, United States, Brazil, Russia, and France.

No one industry or business type appears to be specifically targeted for attack as noted by the following numbers: 21% business services, 17% media and entertainment, 13% financial services, 7% high-tech, and 5% public sector (State of the Internet/Akamai, 2013). Larger businesses have a higher likelihood of being attacked, probably because of the number of people that can be affected as well as the amounts of money that can be involved.

There are many different ways in which the DNS can be attacked and, of course, all have the potential to be very damaging. Here are the top 10 DNS attack types and what they do according to network control specialist Infoblox:

  • TCP/UDP/ICMP floods:
    • Flood victim’s network with large amounts of traffic
  • DNS amplification:
    • Use amplification in DNS reply to flood victim
  • DNS cache poisoning:
    • Corruption of a DNS cache
  • Protocol anomalies:
    • Malformed DNS packets causing server to crash
  • DNS tunneling:
    • Tunneling of another protocol through DNS cache database with a rogue address
  • DNS hijacking:
    • Subverting resolution of DNS queries to point to rogue DNS server
  • DNS based exploits:
    • Exploit vulnerabilities in DNS software
  • Reconnaissance:
    • Probe to get information on network environment
  • DNS reflection/DrDoS:
    • Use third-party DNS servers to propagate DDoS attack
  • Fragmentation:
    • Traffic with lots of small, out-of-order fragments

What does it mean? Simply put, safety and security are of the utmost importance no matter what size of business you are in, what type of organization you are a part of, or how important of a person you are.

Take the necessary precautions and increase your awareness while stepping up your security measures to ensure that your data is managed safely.