Andy Ellis's recent post "DNS Reflection Defense" describes how DNS works and lists general guidelines for defending against DNS attacks. This post continues the discussion of DNS protection by describing how Akamai's "eDNS" offering protects customers from both volumetric and reflective attacks on DNS infrastructure.
What is a Volumetric Attack?
In a volumetric attack, an attacker uses a botnet to generate a large volume of DNS requests. The attacker's goal is to take down the target web site by taking down its DNS infrastructure. A variant of this attack uses spoofed source IP addresses to defeat IP address-based access control. Brobot has used such tactics against financial institutions, particularly during Phase II of its attacks.
How Akamai eDNS Defends Against Volumetric Attacks
Akamai eDNS defends against volumetric attacks through excess capacity, rate controls, and a positive security model. Akamai's DNS system is one of the largest in the world; normal traffic served by it is less than 1 percent of total capacity. Akamai eDNS also provides rate limiting per IP and per request type. Requests from specific IP addresses can be limited to pre-defined thresholds, and rate thresholds can be set lower for request types commonly used in DDoS attacks, such as ANY and DNSSEC. Finally, eDNS can fall back to a positive security model in the rare event that the higher rate-limiting thresholds are crossed. In this case, eDNS prioritizes traffic from a list of fewer than 1 million named, known, "good" servers. These servers cover 95 percent of all known DNS traffic. The positive security model can effectively mitigate a vector in which the attacker spoofs IP addresses, since spoofed sources will not appear on the known-good list.
What is a Reflection Attack?
In a reflection attack, an attacker sends a request to an open resolver in a UDP packet whose source IP is the IP address of the target. The request is usually one that produces a large response, such as a DNS ANY request or a DNSSEC request, which lets the attacker amplify the bandwidth delivered to the target web server by up to 100x. This amplification factor is what makes the attack dangerous, as traffic can reach 200-300 Gbps. The Spamhaus attack is one recent example of a reflection attack.
How Akamai eDNS Defends Against Reflection Attacks
Akamai eDNS defends against reflection attacks first by applying specialized rate limiting to ANY and DNSSEC requests, just as it does for volumetric attacks; this ensures that eDNS itself is not used as a reflector. Just as important, because the customer has outsourced DNS to Akamai, they can reject all incoming traffic to their data center on port 53, since DNS resolution is handled by eDNS. The customer may even choose to block port 53 at the ISP level, ensuring that their connectivity to the internet is not saturated by reflected responses.
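To make the layered controls from the two defense sections concrete, here is an added illustration (not Akamai's code, and the thresholds and IP addresses are constructed) of a sliding-window limiter that enforces per-IP and per-request-type thresholds, with lower limits for ANY and DNSSEC-related types, and that falls back to a known-good allow list once offered load crosses an aggregate threshold:

```python
from collections import defaultdict, deque

# Constructed thresholds in queries per second; not Akamai's actual settings.
# Amplification-friendly types (ANY, DNSSEC records) get the lowest limits.
TYPE_LIMITS = {"ANY": 5, "DNSKEY": 5, "RRSIG": 5, "A": 50, "AAAA": 50, "MX": 20}
DEFAULT_LIMIT = 20       # per-IP limit for any type not listed above
PER_IP_LIMIT = 100       # total queries per second from one source IP
GLOBAL_LIMIT = 1000      # offered load above which the positive model applies
WINDOW = 1.0             # sliding window length in seconds


class DnsRateLimiter:
    def __init__(self, known_good=()):
        self.known_good = set(known_good)   # named "good" resolvers
        self.per_ip = defaultdict(deque)
        self.per_ip_type = defaultdict(deque)
        self.offered = deque()              # every query received, allowed or not

    @staticmethod
    def _count(q, now):
        # Drop timestamps that fell out of the window, then count what remains.
        while q and q[0] <= now - WINDOW:
            q.popleft()
        return len(q)

    def decide(self, src_ip, qtype, now):
        """Return 'allow' or 'drop' for one query; 'now' is a float timestamp."""
        total = self._count(self.offered, now)
        self.offered.append(now)
        # Positive security model: under extreme load, serve only known resolvers.
        # Spoofed sources are unlikely to match the list, so they are shed here.
        if total >= GLOBAL_LIMIT and src_ip not in self.known_good:
            return "drop"
        if self._count(self.per_ip[src_ip], now) >= PER_IP_LIMIT:
            return "drop"
        limit = TYPE_LIMITS.get(qtype, DEFAULT_LIMIT)
        if self._count(self.per_ip_type[(src_ip, qtype)], now) >= limit:
            return "drop"
        self.per_ip[src_ip].append(now)
        self.per_ip_type[(src_ip, qtype)].append(now)
        return "allow"


def simulate(events, known_good=()):
    """Replay constructed (timestamp, src_ip, qtype) events; return allow/drop counts."""
    lim = DnsRateLimiter(known_good)
    counts = {"allow": 0, "drop": 0}
    for t, ip, qtype in events:
        counts[lim.decide(ip, qtype, t)] += 1
    return counts
```

A burst of ten ANY queries from one address in under a second yields five allowed and five dropped, while a spoofed flood from a thousand distinct addresses trips the aggregate threshold so that only listed resolvers are served until the window clears.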
Many steps can and should be taken to promote internet hygiene and reduce the effectiveness of DNS attacks. Until those steps are taken, customers can rely on Akamai eDNS to protect their infrastructure and ensure their websites are accessible to legitimate users.