A DNS flood is a type of Distributed Denial of Service (DDoS) attack in which an attacker targets specific Domain Name System (DNS) servers, aiming to overwhelm them with seemingly legitimate traffic, impeding the servers’ ability to serve valid traffic and taking a resource or machine out of service for some time. The flood of requests to the machine or resource means it might become unavailable to those trying to reach it.
Domain Name Servers are often thought of as the Internet’s phone book: they map easy-to-remember domain names to machine-friendly Internet Protocol (IP) addresses. When you type in a web address, e.g. www.lucyslinks.com, your Internet Service Provider (ISP) looks up the DNS records linked to that domain name, translates it into an IP address (e.g. 216.168.224.70) and directs your Internet connection to the right website. A DNS flood slows the response to legitimate DNS requests because the DNS servers find it difficult to distinguish spoofed requests from real ones.
A DNS zone is a specific section of the domain name space in the DNS. Each DNS zone constitutes a unique boundary of authority in which administrative responsibility is delegated to a single server cluster. In a DNS flood attack, the servers’ ability to direct valid requests to zone resources is jeopardized because the servers’ resources are overwhelmed and they can’t look up the IP address needed to direct the user to the correct website(s).
Incapsula defines DNS flood attacks as “symmetrical DDoS attacks” because they try to exhaust server-side assets such as CPU or memory with a flood of UDP (User Datagram Protocol) requests generated from a botnet. By contrast, a DNS amplification attack is an asymmetrical DDoS attack in which the attacker uses a spoofed target IP to send out a small lookup query, effectively making the spoofed IP the recipient of much larger DNS responses. In both instances, the threat actor’s goal is to exhaust the server’s bandwidth capacity and saturate the network, taking down specific websites.
DNS floods are considered Layer 3 attacks and are difficult for on-premises solutions to mitigate. However, there are numerous ways to tackle DNS floods, such as using filters to avoid receiving packets from sources that may be attacking, timing out half-open connections, or setting UDP, SYN and ICMP flood thresholds to lower levels.
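The difficulty described above, telling flood traffic from legitimate queries, is where source filtering has to start. The following is an added example, not code from the original article or from Incapsula: it parses BIND-style query log lines (constructed here, with the hostname www.lucyslinks.com from the text and RFC 5737 documentation addresses) and flags sources whose per-second query rate exceeds a threshold, reporting alongside it the share of distinct names each source asked for, which separates a busy but legitimate resolver from a bot hammering the zone with random labels.

```python
"""Rate-based DNS flood detector over BIND-style query log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed BIND9-style query log line; the IPs are documentation-range placeholders.
FMT = ("12-Mar-2024 10:00:{sec:02d}.{ms:03d} client {ip}#{port} ({q}): "
       "query: {q} IN A + ({srv})")

def constructed_log():
    """Build a sample log: one legitimate resolver and one flooding source."""
    lines = []
    # Legitimate client: eight queries for a real name, spread over eight seconds.
    for i in range(8):
        lines.append(FMT.format(sec=i, ms=100, ip="198.51.100.7", port=40000 + i,
                                q="www.lucyslinks.com", srv="203.0.113.10"))
    # Flood source: 300 queries for distinct random-looking labels within one second.
    for i in range(300):
        lines.append(FMT.format(sec=5, ms=i * 3, ip="192.0.2.99", port=50000 + i,
                                q=f"x{i:05d}.lucyslinks.com", srv="203.0.113.10"))
    return "\n".join(lines)

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[^#\s]+)#\d+ \([^)]*\): "
                     r"query: (?P<name>\S+) IN (?P<type>\S+)")

def parse(text):
    """Yield (timestamp, client ip, lowercased query name) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"), m["ip"], m["name"].lower()

def flood_sources(text, max_qps=100, window=1.0):
    """Return {ip: (peak queries per window, distinct-name ratio)} for sources over max_qps."""
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    peak, total, names = defaultdict(int), defaultdict(int), defaultdict(set)
    for ts, ip, name in parse(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop timestamps outside the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        total[ip] += 1
        names[ip].add(name)
    return {ip: (peak[ip], round(len(names[ip]) / total[ip], 2))
            for ip in peak if peak[ip] > max_qps}

if __name__ == "__main__":
    print(flood_sources(constructed_log()))   # {'192.0.2.99': (300, 1.0)}
```

A distinct-name ratio near 1.0 at high rate is the random-subdomain pattern; a high rate with a small set of names is more likely a legitimate resolver serving many users and should be rate-limited rather than blocked outright.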