The DNS Attacks We’re Still Seeing



When this happens, customers see large numbers of DNS queries from a wide variety of never-seen-before addresses. Often these requests are for nonsensical domains or even ‘localhost’ addresses because they are bot-generated, as with the DNS water torture attack. Sometimes attackers will use large Internet DNS resolvers like Yahoo or Google to reflect their attacks off of, so the source addresses may originate there.

If the DNS requests that are clogging up your Internet connections aren’t landing on live addresses, you may see returning ICMP Destination Unreachable messages bouncing back out from your network, which also add to the traffic jam. In these kinds of attacks, the DNS reflection attack acts like a network-volumetric DDoS, designed to fill up your pipes with traffic rather than targeting a specific service or host.
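The two symptoms described above (a surge of never-seen-before sources and queries for nonsensical or ‘localhost’ names) can be measured per time window from a DNS server's query log. The following is an added example, not code from the original article; the log shape, the baseline set, the zone names and the thresholds are all assumptions.

```python
from collections import Counter

# Constructed sample data; names, addresses and thresholds are assumptions.
KNOWN_NAMES = {"example.com", "www.example.com", "mail.example.com"}
BASELINE = {"198.51.100.10", "198.51.100.11", "192.0.2.5"}  # sources seen before
NORMAL_WINDOW = [("198.51.100.10", "www.example.com"),
                 ("198.51.100.11", "mail.example.com"),
                 ("198.51.100.10", "example.com."),
                 ("192.0.2.77", "www.example.com")] * 2
RANDOM_LABELS = ["qx7f2k", "zz91ab", "k3k3p0", "a8d0vv", "m2n4b6",
                 "t7y1u9", "w0w0q1", "h5j5l5", "c9x2z8"]
ATTACK_WINDOW = [(f"203.0.113.{i}", f"{lab}.example.com")
                 for i, lab in enumerate(RANDOM_LABELS, start=1)]
ATTACK_WINDOW += [("203.0.113.77", "localhost"),
                  ("198.51.100.10", "www.example.com")]

def summarize_window(queries, baseline_sources, known_names=KNOWN_NAMES):
    """queries: list of (src_ip, qname) received in one time window."""
    sources = {src for src, _ in queries}
    new_sources = sources - baseline_sources
    junk = Counter()
    for _, qname in queries:
        name = qname.rstrip(".").lower()
        if name == "localhost" or name.endswith(".localhost"):
            junk["localhost"] += 1
        elif name not in known_names:
            junk["unknown_name"] += 1   # name that does not exist in the zone
    total = len(queries)
    return {
        "total": total,
        "new_source_ratio": len(new_sources) / len(sources) if sources else 0.0,
        "junk_ratio": sum(junk.values()) / total if total else 0.0,
        "junk_breakdown": dict(junk),
    }

def looks_like_flood(summary, min_queries=8, new_src=0.8, junk=0.8):
    """True when most sources are new AND most queried names are junk."""
    return (summary["total"] >= min_queries
            and summary["new_source_ratio"] >= new_src
            and summary["junk_ratio"] >= junk)

if __name__ == "__main__":
    for label, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        s = summarize_window(window, BASELINE)
        print(label, s, "flood" if looks_like_flood(s) else "ok")
```

The two ratios are reported separately because traffic reflected through large public resolvers arrives from familiar source addresses, in which case the junk-name ratio is the more useful signal.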

What you can do about it

As mentioned before, preparing your response to a denial-of-service attack is prudent for any organization that depends on the Internet (which is most). It’s also important not to be part of the problem. You should make sure that you don’t have any Internet-accessible resources that could be used in a reflective DDoS attack. This includes DNS resolvers, but can also include any service that accepts unrestricted spoofable traffic from untrusted sources, like memcached servers, or services like Simple Service Discovery Protocol (SSDP), Network Time Protocol (NTP), or Character Generator Protocol (CharGEN).2
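One way to check that a DNS server you operate does not offer recursion to outsiders is to send it a single recursive query from an external network and inspect the response header. This is an added example, not code from the original article; the function names and the sample responses are assumptions, and the query name should be a domain the server is not authoritative for.

```python
import socket
import struct

def build_query(qname, txid=0x1234):
    """DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(resp, txid=0x1234):
    """Decide from the 12-byte header whether recursion was performed."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)  # RA bit
    if rcode == 5:
        return "refused"                        # desired result for outsiders
    if recursion_available and rcode == 0 and ancount > 0:
        return "open-recursion"                 # answered a stranger's lookup
    return "no-recursion-observed"

def probe(server_ip, qname, timeout=3.0):
    """Send one query to a server you own, from outside your network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server_ip, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify_response(resp)

# Constructed response headers (ID, flags, QD, AN, NS, AR) for offline checks.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
SAMPLE_NO_RA = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)

if __name__ == "__main__":
    for name, raw in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                      ("no RA", SAMPLE_NO_RA)):
        print(name, "->", classify_response(raw))
```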

Expired Domain Takeovers and Redirection

Several customers reported attacks where some of their sites suddenly began redirecting to strange, disreputable websites. A normal landing page or e-commerce site had become an advertising page for gambling sites, a fake shopping site, or even a malware drive-by page. An attacker had registered the customer’s old, expired domain name and put up bogus sites to hijack the normal customer traffic. Since many of these sites already had large numbers of visitors, this was a semi-legitimate way for scammers to scoop up free website traffic.

Unfortunately, what the attackers did with the traffic was far from legitimate. Users of the original domain were served up annoying advertisements, scam messages, click-fraud sites, or malware. In worse cases, scammers have been known to put up imposter versions of the original site to steal the login credentials or payment cards of the customers.3

What you can do about it

One of the reasons this happens is that organizations lose track of the domains they own and when they expire. Ownership of the domain inventory process should be centralized to a single team or role, and the responsibility assigned to track and manage renewals. Strong authentication and the principle of least privilege should also be exercised over domain ownership. When domains are ready to be retired, there should be a planned de-platforming process which can involve forwarding to the new domain for some time period until all users are migrated.

Outbound DNS from Compromised Internal Machines

Some customers contacted the F5 SIRT because they were seeing unusual outbound DNS traffic from their internal network. Investigation revealed it to be originating from compromised workstations and servers.

Let’s face it, malware and hacks are going to happen. Detecting and responding to unusual outbound activity is exactly what we want to happen. And as quickly as possible. These customers did the right thing and were able to contain and mitigate a bad situation before it escalated into something far worse.

What you can do about it

Like those customers above, it’s essential to keep a close eye on unusual outbound traffic, whether it’s DNS or otherwise. Attackers will try to hide their tracks by exfiltrating data and commands in a variety of ways, including over DNS, because it’s so ubiquitous and innocuous. Another common method is to hide attacker command and control traffic inside TLS/SSL conversations. Without an SSL decryption solution, the victim may never see what’s going on: they see a machine web surfing via HTTPS, but not what’s inside the session.
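For the DNS side of that monitoring, one common heuristic is to look, per internal client and per destination domain, for many distinct, long, high-entropy subdomains, which is what data encoded into query names tends to look like. This is an added example, not code from the original article; the log shape, thresholds and all host and domain names are assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def base_domain(name):
    # Simplification (assumption): last two labels. Production code should
    # use the Public Suffix List to find the registered domain.
    return ".".join(name.split(".")[-2:])

def flag_tunnel_like(log, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """log: iterable of (client_ip, qname) taken from an internal resolver."""
    subs_by_pair = defaultdict(set)
    for client, qname in log:
        name = qname.rstrip(".").lower()
        dom = base_domain(name)
        sub = name[:-len(dom)].rstrip(".")   # everything left of the base domain
        if sub:
            subs_by_pair[(client, dom)].add(sub)
    flagged = []
    for (client, dom), subs in sorted(subs_by_pair.items()):
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        if (len(subs) >= min_unique and avg_len >= min_avg_len
                and entropy >= min_entropy):
            flagged.append({"client": client, "domain": dom,
                            "unique": len(subs), "avg_len": round(avg_len, 1),
                            "entropy": round(entropy, 2)})
    return flagged

# Constructed log: hex chunks stand in for encoded data; all names are made up.
CHUNKS = [hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] for i in range(6)]
SAMPLE_LOG = (
    [("10.0.0.23", f"{c}.tunnel-example.test") for c in CHUNKS]
    + [("10.0.0.5", h) for h in ("www.example.com", "mail.example.com",
                                 "example.com.")]
    + [("10.0.0.5", f"img{i}.cdn.example.net") for i in range(8)]
)

if __name__ == "__main__":
    for hit in flag_tunnel_like(SAMPLE_LOG):
        print(hit)
```

The CDN-style names in the sample are numerous but short, so they stay below the length threshold; thresholds like these need tuning against a site's own baseline.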

Stay Vigilant

DNS security is still an existential threat to Internet services. Therefore, it is something that needs attention and protection. These are the current common DNS attacks that we’re seeing, so you should make sure your IT and security teams are well-informed about them. Remember how DNS works and that there are three major components that need to be appraised by security: DNS servers, domain name ownership, and DNS client traffic. Attackers know these are critical weak spots that don’t get enough scrutiny. Be ready for them.

 


