The Akamai Blog

New Best Practice: Ingress Filtering to Deter DNS DDoS

DNS DDoS continues on the trend line established in 2014 - with tens of billions of malicious queries Internet-wide every day. Many of the domains attacked are lightly trafficked, but popular (Alexa 5000) domains are also commonly targeted. For example, alternative news sites, a university, and e-commerce sites have been attacked in the past couple of months. Attacks on popular domains require extra care when mitigating to avoid blocking legitimate queries.

It is clear DNS-based DDoS is not going away. There are still around 17 million home gateways with open DNS proxies, and various kinds of Internet-connected devices, like cameras, set-top boxes and home gateways, have been compromised with DDoS malware. In response, providers of DNS software continue to add features to help deter the unwanted traffic. Every major release now has a feature that rate limits recursive queries to domains being attacked (sometimes referred to as "outbound rate limiting"). The idea is to reduce the volume of queries to targeted authoritative servers to avoid overwhelming them and bringing them down.

Nominum recently evaluated this feature, and Ralf Weber, Principal Architect at Nominum, presented the results at a conference held in Amsterdam by The DNS Operations, Analysis, and Research Center (DNS-OARC). The simple test bed shown below was set up to run tests of authoritative rate limiting for each of the major releases. Ingress filtering was also tested to provide a basis for comparison. Ralf's presentation can be found here:

The results were interesting. Outbound rate limiting succeeded in reducing traffic to targeted authoritative servers. Removing stress from authorities is a good thing. But legitimate queries for attacked domains were also rate limited. This means the attacker actually achieves their goal of denying access to a web resource. For providers this can also mean extra support calls when subscribers can't reach their intended destinations.

Ingress filtering, targeting malicious traffic with fine grained policies and dynamic threat lists, performed much better. All of the attack traffic was blocked and no legitimate queries were lost - the best possible outcome.
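The difference between the two approaches can be reproduced with a small simulation. This is an added example, not Nominum's test bed or code from the presentation. The traffic mix, the `junk…` query names, the 100 queries-per-second limit and the threat-list format (zone mapped to a set of known-good names) are all constructed assumptions, and the ingress result assumes the list is accurate.

```python
from collections import defaultdict

def sample_traffic():
    """Constructed data: one second of queries the resolver must forward."""
    good = ["www.victim.example", "mail.victim.example"]
    traffic = []
    for i in range(1000):  # attacked zone: every tenth query is legitimate
        legit = i % 10 == 0
        qname = good[(i // 10) % 2] if legit else f"junk{i}.victim.example"
        traffic.append({"t": 0, "zone": "victim.example",
                        "qname": qname, "attack": not legit})
    for _ in range(50):  # unrelated zone, legitimate queries only
        traffic.append({"t": 0, "zone": "other.example",
                        "qname": "www.other.example", "attack": False})
    return traffic

def outbound_rate_limit(traffic, per_zone_qps):
    """Forward at most per_zone_qps queries per zone per second.
    The limiter counts by zone only, so it cannot tell good from bad."""
    forwarded = defaultdict(int)
    passed = []
    for q in traffic:
        key = (q["t"], q["zone"])
        if forwarded[key] < per_zone_qps:
            forwarded[key] += 1
            passed.append(q)
    return passed

def ingress_filter(traffic, threat_list):
    """Drop queries for a listed zone unless the name is known good.
    threat_list maps zone -> set of known-good names (hypothetical format)."""
    return [q for q in traffic
            if q["zone"] not in threat_list
            or q["qname"] in threat_list[q["zone"]]]

def score(traffic, passed):
    """Count legitimate queries lost and attack queries forwarded."""
    legit_total = sum(not q["attack"] for q in traffic)
    legit_passed = sum(not q["attack"] for q in passed)
    return {"legit_lost": legit_total - legit_passed,
            "attack_forwarded": sum(q["attack"] for q in passed)}

if __name__ == "__main__":
    traffic = sample_traffic()
    threat_list = {"victim.example": {"www.victim.example", "mail.victim.example"}}
    print("outbound rate limit:", score(traffic, outbound_rate_limit(traffic, 100)))
    print("ingress filter:     ", score(traffic, ingress_filter(traffic, threat_list)))
```

With this mix the per-zone limiter forwards legitimate and attack queries in the same proportion they arrive, so most legitimate queries for the attacked zone are dropped along with the attack traffic.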

Providers everywhere are dealing with DNS DDoS. Their resolvers experience collateral damage, handling large volumes of unwanted queries reflected from open home gateways or generated by malware. Ingress filtering is accurate, adaptive, and automated and has now been shown to be the best way to deter bad traffic (DDoS queries) and protect good traffic (subscriber queries). Get it on the list as a new Best Practice!

All testing details can be found in the presentation linked above. It was well received at the conference as DNS DDoS continues to be a highly visible problem across the DNS infrastructure.