Nominum Data Science detected a huge wave of malicious DNS queries rolling across the Internet on Dec 14 and 15, 2015, adding to the stress service providers already face around the holidays. Since it is one of the peak buying seasons on the Internet, most networks are locked down and operations teams are on alert. Many, unfortunately, were probably not expecting a surge in DNS DDoS, since volumes had been fairly steady over the past few months. ThreatAvert customers were protected, but many other networks likely experienced adverse impact: substantial slowdowns or even outages for servers that saw high volumes of queries.
These are the most powerful attacks yet observed using open home gateways spread across the Internet (numerous blog posts discuss this topic). Each attack lasted nearly the entire day, as shown below (times are UTC), with nearly 300 Million malicious queries per hour at the peak. Two domains were attacked on the 14th and one on the 15th. More than 300,000 home gateways were used over the two days.
At ~4.3 Billion DDoS-related queries, the attack on the 14th was about 2½ times larger than any previous attack that used open home gateways. The attack on the 15th will likely be even larger. These attacks are nearly as large as the largest attack last year (~5 Billion malicious queries), which used bot malware loaded on Internet "Things" such as home gateways, set top boxes and surveillance cameras (see Nominum press release earlier this year).
Nominum Data Science estimates it sees about 3% of ISP DNS resolution traffic, so scaling the observed malicious query volume to the entire Internet (a factor of roughly 33.3), the actual level of malicious DNS traffic likely exceeded 150 Billion queries each day (33.3 × 4.6 Billion). For one provider, 45% of its total query volume was malicious during the attack; for another it was about 25%, and a third saw about 20% malicious traffic. Because these queries never hit the cache, resolvers cannot answer them locally and must go out to the authoritative servers for every one of them, which is what makes the load so stressful for ISP resolvers.
Servers hosting domains being attacked are typically stressed themselves, either answering slowly or not at all. This makes it even harder for resolvers to do their job, since they either need to wait longer for answers or try successive authorities until they find one that can respond. The graph below, taken from one provider's network, shows SERVFAIL responses resulting from the attack. SERVFAILs are generated when resolvers cannot get answers from authorities, so they are a good indication that the authorities being attacked in this case were substantially disrupted.
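The two signals described above (queries that never hit the cache, and SERVFAILs piling up for the attacked zone) can be pulled out of an ordinary resolver query log. The script below is an added illustration, not Nominum code and not how ThreatAvert works; it assumes a constructed, simplified log format (`timestamp client qname qtype rcode`), approximates the attacked zone as the last two labels of each name, and treats a high unique-name ratio combined with a high SERVFAIL ratio as the indicator. The sample lines, zone names and thresholds are all made up for the example.

```python
"""Flag DNS zones under uncacheable-query load from a resolver log.

Added example (not Nominum's code). The log format, the two-label zone
approximation and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<unix_ts> <client_ip> <qname> <qtype> <rcode>".
# example.net gets normal, repeated lookups; victim.example gets one
# never-before-seen label per query, mostly answered with SERVFAIL.
SAMPLE_LOG = """\
1450080000 203.0.113.10 www.example.net A NOERROR
1450080001 203.0.113.11 www.example.net A NOERROR
1450080001 203.0.113.12 mail.example.net MX NOERROR
1450080002 198.51.100.1 x7f2k9.victim.example A SERVFAIL
1450080002 198.51.100.2 q1m0pz.victim.example A SERVFAIL
1450080003 198.51.100.3 a8bb31.victim.example A SERVFAIL
1450080003 198.51.100.4 zz91qq.victim.example A NOERROR
1450080004 198.51.100.5 k2k2k2.victim.example A SERVFAIL
1450080004 198.51.100.6 p0o9i8.victim.example A SERVFAIL
1450080005 203.0.113.13 www.example.net A NOERROR
"""


@dataclass
class ZoneStats:
    queries: int = 0
    servfail: int = 0
    names: set = field(default_factory=set)    # distinct qnames seen
    clients: set = field(default_factory=set)  # distinct source addresses

    @property
    def unique_ratio(self) -> float:
        """Share of queries asking for a name not seen before in this zone.
        Close to 1.0 means almost nothing can be served from cache."""
        return len(self.names) / self.queries if self.queries else 0.0

    @property
    def servfail_ratio(self) -> float:
        return self.servfail / self.queries if self.queries else 0.0


def zone_of(qname: str, labels: int = 2) -> str:
    """Approximate the zone as the last `labels` labels of the qname.
    Assumption: no public-suffix handling (co.uk etc.); fine for an example."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def analyze(log_text: str) -> dict:
    """Aggregate per-zone counters from the constructed log format."""
    stats = defaultdict(ZoneStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype, rcode = line.split()
        z = stats[zone_of(qname)]
        z.queries += 1
        z.names.add(qname.lower())
        z.clients.add(client)
        if rcode == "SERVFAIL":
            z.servfail += 1
    return dict(stats)


def flag_zones(stats, min_queries=5, min_unique_ratio=0.8, min_servfail_ratio=0.5):
    """Zones with enough volume whose queries are almost all uncacheable AND
    whose authorities are mostly failing to answer. Thresholds are assumed."""
    flagged = []
    for zone, z in stats.items():
        if z.queries < min_queries:
            continue
        if z.unique_ratio >= min_unique_ratio and z.servfail_ratio >= min_servfail_ratio:
            flagged.append(zone)
    return sorted(flagged)


def malicious_fraction(stats, flagged) -> float:
    """Share of all logged queries that belong to flagged zones, the same
    kind of figure as the 45% / 25% / 20% per-provider numbers above."""
    total = sum(z.queries for z in stats.values())
    bad = sum(stats[zone].queries for zone in flagged)
    return bad / total if total else 0.0


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    flagged = flag_zones(stats)
    for zone in flagged:
        z = stats[zone]
        print(f"{zone}: {z.queries} queries, unique-name ratio {z.unique_ratio:.2f}, "
              f"SERVFAIL ratio {z.servfail_ratio:.2f}, {len(z.clients)} sources")
    print(f"share of log volume in flagged zones: {malicious_fraction(stats, flagged):.0%}")
```

On the sample input only `victim.example` is flagged: six queries, six distinct names, five SERVFAILs, six distinct sources, and it accounts for 60% of the logged volume. The unique-name ratio on its own is a weak signal (CDNs and some tracking domains legitimately generate many distinct labels), which is why the check also requires the SERVFAIL ratio to rise; in a real deployment the counters would be kept over a sliding window rather than a whole file, and any block or rate-limit action should be scoped to the attacked zone so legitimate queries elsewhere are still answered.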
DNS DDoS attacks have evolved rapidly for two years, and the latest surge in activity confirms the problem is not going away. The attacks happening today are disrupting resolvers and authorities worldwide. Nominum has a substantial lead protecting vital DNS resolvers in ISP networks, as well as the ultimate targets of DNS-based DDoS: authoritative servers and the web resources they support.
Nominum Data Science processes nearly 4 TBytes of DNS data every day to identify and validate DDoS and other threats in minutes. Results of this research are published and continuously updated in Global Intelligence Xchange, a Nominum service, so provider networks always have the latest protections. Vantio Precision Policies offer fine-grained filtering and numerous policy actions (block, redirect, truncate, log and many more) to ensure legitimate queries are always answered and malicious traffic is blocked. These foundational capabilities have proven effective, consistently standing up against fast-changing attacks, and continue to be enhanced as attacks evolve.