Two longtime Internet "white hats," Paul Vixie and Vernon Schryver, realized DDoS attacks that use authoritative name servers for amplification exhibit certain query patterns. In particular, attackers send name servers the same query from the same spoofed IP address (or address block) over and over, seeking maximum amplification. No well-behaved recursive name server would do that. It would have cached the response and not asked again until the time to live of the records in the response elapsed.
Vixie and Schryver came up with a clever mechanism, called Response Rate Limiting (RRL), which allows an authoritative name server to track how often it has sent the same response to the same querier. If that rate exceeds some configurable threshold, the name server will stop sending that response to the querier for a set period. If the querier stops peppering the authoritative name server with the same question, the authoritative name server will stop squelching that response. The upshot is that the authoritative name server will never send any response to a querier at a rate higher than the threshold, which makes it useless in a DDoS attack.
RRL was incorporated into BIND name servers in version 9.9.4, and a few other name server implementations now support it, including NSD and Knot. As folks upgrade their name servers to newer versions or new implementations that support RRL, this should gradually make it more difficult for attackers to use DNS infrastructure as amplifiers.
I hope this discussion has helped you understand how DNS infrastructure is both targeted and exploited in DDoS attacks, and how you can best resist DDoS attacks and ensure your name servers don't, unknown to you, participate in one.
New Tech Forum provides a means to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all enquiries to firstname.lastname@example.org.
This article, "The ultimate guide to preventing DNS-based DDoS attacks," was originally published at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.