[Dr.WoW] [No.16] DNS Flood Attack and Defense Highlighted

Latest reply: May 28, 2015 08:34:10
Before we move to application-layer attacks, let's take a look at some real attack cases.

On the evening of May 19, 2009, the recursive domain name servers in six provinces of China were overwhelmed by excessive DNS requests, and domain name services in other provinces were also interrupted, causing a network outage that lasted a long time.

Let's play back the attack. On the evening of May 19, attackers targeted DNSPod, a DNS server that provided DNS service for the private servers of some game websites. The attack traffic exceeded 10 Gbit/s and crashed DNSPod. However, DNSPod also provided DNS service for the servers of the Storm player.

The Storm player has a process that starts automatically when the client starts and connects to the Storm servers to download advertisements or software updates. After DNSPod crashed, the domain names of the Storm servers could not be resolved, but the process kept trying to connect to the servers. As a result, the Storm clients unintentionally became zombies that continuously sent DNS requests to local DNS servers. The DNS traffic exceeded 30 Gbit/s and caused the DNS flood.

The police then investigated the attack and arrested the attackers on May 29. The investigation showed that the attackers were operators of some private game servers. They had rented servers to attack other private game servers or websites for illegal gains.

This case demonstrates the severe impact of application-layer attacks. These attacks disrupt our lives and must be prevented. Now let's talk about DNS flood attack and defense.

1 Attack Mechanism

Let's start with the mechanism of the DNS protocol. When we surf the Internet, we enter domain names of websites we want to visit. The domain names are resolved into IP addresses by DNS servers. As shown in Figure 1-1, when we visit www.huawei.com, the client will send a DNS request to the local DNS server. If the local DNS server stores the mapping between the domain name and IP address, it sends the IP address to the client.

If the local DNS server cannot find the IP address, it sends a request to the upper-level DNS server. After the upper-level DNS server finds the IP address, it returns the IP address to the local DNS server, which in turn sends it to the client. To reduce DNS traffic on the Internet, the local DNS server caches the domain name-IP address mappings so that it does not need to query upper-level DNS servers to honor subsequent requests from hosts.

Figure 1-1 DNS process


In a DNS flood, the attacker sends a DNS server a large number of requests for the IP addresses of domain names that do not exist, in order to crash the server and make it unable to handle legitimate DNS requests. In the above case, the DNS server (DNSPod) crashed and could not resolve the domain names of the Storm servers, but tens of thousands of Storm clients continuously sent DNS requests to local DNS servers, causing the DNS flood.

2 Defense Measure

DNS supports both TCP and UDP. Usually, UDP is used because it is connectionless and therefore fast. UDP also has a smaller overhead than TCP, reducing resource consumption on DNS servers.

However, in some cases, a DNS server must instruct clients to resend their requests over TCP. In this situation, when the DNS server receives a request from a client, it replies with a message whose TC (truncated) flag is set to 1, indicating that the client must resend the request over TCP.

Firewalls can use this mechanism to verify whether the source of DNS requests is a real client, and so defend against DNS flood attacks.

As shown in Figure 1-2, the firewall collects statistics on DNS requests. If the number of DNS requests destined for a destination reaches the preset threshold within a specified period of time, DNS source authentication is triggered.

After DNS source authentication is triggered, the firewall responds to the DNS requests on behalf of the DNS server, with the TC flag of the DNS replies set to 1. This flag instructs the client to resend the DNS request over TCP. If the firewall does not receive a TCP DNS request from the client, it considers the source false. If it does receive a TCP DNS request, it considers the client real, whitelists the client's source address, and treats all packets from that address as legitimate until the whitelist entry expires.

Figure 1-2 DNS source authentication


Let's see the detailed process through the following packet capture screenshots.

1. The client uses UDP to send a DNS request, as shown in the following figure.


2. The firewall responds to the DNS request on behalf of the DNS server, with the TC flag of the DNS reply set to 1, as shown in the following figure. This flag instructs the client to resend the DNS request over TCP.


3. After receiving the DNS reply, the client resends the DNS request over TCP as instructed by the firewall, as shown in the following figure.


However, DNS source authentication is not a one-size-fits-all solution in the real world, because not all clients can send DNS requests over TCP. If a client cannot send TCP DNS requests, its requests cannot be honored while authentication is active, interrupting normal services.
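To make the Figure 1-2 exchange concrete, here is an added Python model of the firewall's source authentication logic (my own illustration, not Huawei's implementation): a per-destination rate threshold triggers authentication, the firewall answers UDP queries on the server's behalf with QR=1 and TC=1, and a source that retries the same query id over TCP is whitelisted. The class and function names, the threshold values, the addresses and the sample query are all assumptions constructed for the example.

```python
import struct
from collections import defaultdict

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields)
QR_FLAG = 0x8000  # message is a response
TC_FLAG = 0x0200  # TrunCation: tells the client to retry the query over TCP

def build_query(qid, name):
    # Constructed sample input: a standard A/IN query with RD=1 for `name`
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_flags(msg):
    # Flags word of a UDP-framed DNS message (no TCP length prefix)
    return struct.unpack("!H", msg[2:4])[0]

class DnsSourceAuth:
    """Hypothetical model of the firewall behaviour in Figure 1-2 (not Huawei code)."""

    def __init__(self, alert_rate, window_s=1.0, whitelist_ttl_s=60.0):
        self.alert_rate = alert_rate        # requests per window toward one destination
        self.window_s = window_s
        self.whitelist_ttl_s = whitelist_ttl_s
        self.seen = defaultdict(list)       # destination -> recent request timestamps
        self.pending = set()                # (source, query id) waiting for a TCP retry
        self.whitelist = {}                 # source -> whitelist expiry time

    def _threshold_reached(self, dest, now):
        recent = [t for t in self.seen[dest] if now - t <= self.window_s] + [now]
        self.seen[dest] = recent
        return len(recent) >= self.alert_rate

    def handle_udp(self, src, dest, query, now):
        """Returns ('forward', None) or ('tc_reply', reply_bytes) for a UDP request."""
        if self.whitelist.get(src, 0) > now or not self._threshold_reached(dest, now):
            return "forward", None
        qid, flags = struct.unpack("!HH", query[:4])
        # Answer on the server's behalf: same id and question, QR=1 and TC=1, no answers
        reply = struct.pack("!HH", qid, flags | QR_FLAG | TC_FLAG) + query[4:]
        self.pending.add((src, qid))
        return "tc_reply", reply

    def handle_tcp(self, src, stream, now):
        """A TCP retry of a pending query id proves a real client; TCP DNS carries a 2-byte length prefix."""
        qid = struct.unpack("!H", stream[2:4])[0]
        if (src, qid) not in self.pending:
            return "forward"
        self.pending.discard((src, qid))
        self.whitelist[src] = now + self.whitelist_ttl_s
        return "whitelisted"
```

A spoofed source never completes the TCP retry, so it stays unwhitelisted and keeps receiving TC replies instead of reaching the server; a real client that cannot speak TCP DNS is blocked in exactly the same way, which is the limitation described above.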

3 Commands

Table 1-1 lists the DNS flood attack defense configuration commands, using the USG9500 V300R001 as an example.

Table 1-1 DNS flood attack defense commands

Function: Enable DNS flood attack defense.
Command: firewall defend dns-flood enable

Function: Configure the DNS flood attack defense parameters.
Command: firewall defend dns-flood interface { interface-type interface-number | all } [ alert-rate alert-rate-number ] [ max-rate max-rate-number ]

Created May 28, 2015 08:34:10

Thank you.