2014 saw numerous huge spikes in DDoS traffic – some as large as 5 billion queries per day across Nominum's worldwide data set, which covers around 3% of overall ISP DNS traffic. Extrapolating, this meant more than 150 billion unwanted queries across the Internet on the peak days.
The large spikes are gone, but 2015 follows the trend line established in 2014 with a little less than 1 billion attack-related queries per day – or an estimated 25 billion across the Internet. This may not seem like a lot of DNS traffic, but attacks typically last only a few hours per day, usually 6 to 8 hours, so the impact is magnified.
Looking at the data in a slightly different way, for a typical resolver attack traffic makes up 11% of total traffic in 2015. Again, attack queries are usually only sent over a few hours. And since every attack query misses the cache and requires recursion, the impact is even greater – roughly speaking, it takes 4-5 times more work for the server to recurse than to simply match against a cached entry.
The data in the chart above shows only random subdomain attacks; DNS amplification attacks are also happening on most days and make up about 15% of attack-related queries, as shown in the pie chart below.
Open DNS proxies in home gateways still predominate as the key vector for DNS DDoS. Although considerable progress has been made in neutralizing their impact, there are still around 17 million gateways that appear in the Open Resolver Project scan that occurs every week, down from 24 million a little more than a year ago. It is less clear whether the reduction in gateways is a result of software upgrades or replacement, or whether incoming DNS queries are being filtered at the borders of the networks (see blog post: Deterring DNS Amplification: Considerations for Filtering at Network Borders).
Another observation from evaluating attack-related data every day is a clear trend toward more stealthy attacks. Attackers appear to want to fly under the radar, sending enough traffic to bring down authorities and no more. This shows a certain amount of sophistication and restraint. Attacks using open home gateways also tend to be highly distributed – thousands of open resolvers, each sending only a few queries per second.
There are also distinctly different attacks using compromised Internet devices. These attacks use only a very small number of devices – literally tens of devices – but each device can sustain thousands of queries per second. Due to the additional workload imposed by the queries, a few devices can have a devastating impact and easily bring down resolvers. Most providers have little control over the propagation of this malware. Instead they're dependent on vendors properly securing their devices and end users changing default passwords where necessary. Bottom line: there's exposure; being prepared to deter attack traffic is prudent.
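The two sender populations described above (thousands of open gateways at a few queries per second each, versus tens of compromised devices at thousands of queries per second each) leave different fingerprints in a resolver's query log, and both ride on random-subdomain queries that cannot be served from cache. The following is an added example of how a resolver operator might surface both from log data; it is not Nominum's code or tooling. The log format (`<epoch> <client_ip> <qname> <rcode>`), the sample traffic, the two-label zone heuristic and every threshold are constructed for illustration and are not taken from the post.

```python
"""Added example (not Nominum's code): flag random-subdomain floods in a
resolver query log and profile the senders behind each flagged zone.

Assumptions: the log format "<epoch> <client_ip> <qname> <rcode>" and every
threshold below are constructed for illustration, not taken from the post.
"""
import random
from collections import Counter, defaultdict

# Answers a resolver sees when the authority for a flooded zone cannot serve
# the made-up names (NXDOMAIN) or has already been knocked over (SERVFAIL).
NEGATIVE_RCODES = {"NXDOMAIN", "SERVFAIL"}


def parse_line(line):
    """Parse one constructed log line into (epoch, source_ip, qname, rcode)."""
    ts, src, qname, rcode = line.split()
    return int(ts), src, qname.rstrip(".").lower(), rcode


def zone_of(qname, labels=2):
    """Simplification: treat the last two labels as the attacked zone.
    A production tool would consult the Public Suffix List instead."""
    return ".".join(qname.split(".")[-labels:])


def random_subdomain_report(records, min_queries=500, min_unique_ratio=0.9,
                            min_negative_ratio=0.8):
    """Return {zone: stats} for zones whose traffic looks like a random-subdomain
    flood: almost every query names a never-seen label and almost every answer
    is negative. Such queries cannot hit the cache, so each one recurses."""
    by_zone = defaultdict(lambda: {"total": 0, "names": set(),
                                   "negative": 0, "sources": Counter()})
    for _, src, qname, rcode in records:
        z = by_zone[zone_of(qname)]
        z["total"] += 1
        z["names"].add(qname)
        z["sources"][src] += 1
        if rcode in NEGATIVE_RCODES:
            z["negative"] += 1
    flagged = {}
    for zone, z in by_zone.items():
        if z["total"] < min_queries:
            continue  # too little traffic to judge
        unique_ratio = len(z["names"]) / z["total"]
        negative_ratio = z["negative"] / z["total"]
        if unique_ratio >= min_unique_ratio and negative_ratio >= min_negative_ratio:
            flagged[zone] = {"total": z["total"], "unique_ratio": round(unique_ratio, 3),
                             "negative_ratio": round(negative_ratio, 3),
                             "sources": z["sources"]}
    return flagged


def source_profile(sources, window_seconds, max_concentrated_sources=50, high_qps=20.0):
    """Classify the sender population behind a flagged zone.
    'distributed'  = many senders, each at a low rate (open home-gateway pattern).
    'concentrated' = a handful of senders each sustaining a high rate
                     (compromised-device pattern). Both cut-offs are assumptions."""
    rates = sorted(n / window_seconds for n in sources.values())
    median_qps = rates[len(rates) // 2]
    if len(rates) <= max_concentrated_sources and median_qps >= high_qps:
        return "concentrated", len(rates), median_qps
    return "distributed", len(rates), median_qps


def build_sample_log(seed=7, window=60, base_ts=1433000000):
    """Constructed sample traffic for one 60-second window (not captured data)."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

    def label():
        return "".join(rng.choices(alphabet, k=10))

    lines = []
    # Profile 1: 1,000 open gateways, each sending 2 random-label queries.
    for i in range(1000):
        src = f"10.{i // 256}.{i % 256}.1"
        for _ in range(2):
            lines.append(f"{base_ts + rng.randrange(window)} {src} {label()}.victim-a.test NXDOMAIN")
    # Profile 2: 5 compromised devices, each sending 6,000 queries (100 qps).
    for j in range(5):
        src = f"203.0.113.{10 + j}"
        for _ in range(6000):
            lines.append(f"{base_ts + rng.randrange(window)} {src} {label()}.victim-b.test SERVFAIL")
    # Background: 200 ordinary clients resolving a few real names (must not be flagged).
    for k in range(200):
        src = f"192.0.2.{k}"
        for host in ("www", "mail", "cdn"):
            lines.append(f"{base_ts + rng.randrange(window)} {src} {host}.example.test NOERROR")
    return lines


def analyze(lines, window=60):
    """Run both checks: {zone: (total_queries, profile, sender_count, median_qps)}."""
    records = [parse_line(line) for line in lines]
    report = random_subdomain_report(records)
    return {zone: (s["total"], *source_profile(s["sources"], window))
            for zone, s in report.items()}


if __name__ == "__main__":
    for zone, (total, profile, senders, qps) in analyze(build_sample_log()).items():
        print(f"{zone}: {total} queries, {profile}, {senders} senders, median {qps:.2f} qps each")
```

The zone check keys on two signals at once (a unique-name ratio near 1 and a negative-answer ratio near 1), because either alone has benign explanations: CDNs and some anti-abuse systems legitimately generate many unique labels, and a misconfigured zone produces many NXDOMAINs for a handful of names. The sender profile matters for response: a distributed population is what border filtering of inbound queries to home gateways addresses, while a concentrated population is small enough to rate-limit or block per source at the resolver.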