A DNS Flood is a type of DDoS attack in which DNS traffic is used as a variant of a UDP Flood. Spoofed DNS query packets are sent at a high packet rate from a large number of source IP addresses. The victim's DNS servers cannot distinguish these from legitimate queries and attempt to answer each one, which can exhaust the DNS infrastructure until it stops responding, taking the victim's domain down with it. In a less severe case, a DNS Flood slows the response time for legitimate DNS queries.
DNS servers are the phonebook of the Internet, translating the names that clients look up into the addresses of the servers they want to reach. A DNS zone is a contiguous portion of the domain name space; authority for each zone is delegated to a specific set of authoritative name servers.
During a DNS flood, the attacker attempts to overwhelm a particular DNS server (or group of servers), reducing its ability to answer legitimate queries for the zones it serves.
A DNS Flood differs from a DNS Amplification attack in several ways. DNS amplification is an asymmetric DDoS attack: the attacker sends small lookup queries, with the source IP spoofed to the victim's address, to third-party resolvers, which then deliver their much larger responses to the victim. The attacker's goal is to saturate the victim's network by exhausting bandwidth. A DNS Flood is a symmetric attack: scripts running on compromised machines (a botnet) send a flood of UDP queries directly at the target DNS servers, aiming to exhaust server-side resources such as CPU rather than bandwidth.
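The asymmetry described above, shown in bytes, as an added example (not code from the original page): a minimal DNS wire-format encoder in Python builds an ANY query and a constructed response for a hypothetical zone so the two sizes can be compared. The zone name, record values and transaction ID are made up for illustration. In an amplification attack the size ratio is what hurts the victim; in a flood the point is that the server must receive, parse and look up every one of the 29-byte queries regardless of how large its answer would be.

```python
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

# Record type codes from RFC 1035 / RFC 3596
TYPE_A, TYPE_TXT, TYPE_AAAA, TYPE_ANY = 1, 16, 28, 255
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query.  Over UDP nothing here is authenticated: the
    transaction ID is chosen by the sender, and the IP source address lives
    in a lower-layer header that the sender controls just as freely."""
    flags = 0x0100  # standard query, recursion desired
    header = DNS_HEADER.pack(txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def txt_rdata(text: str) -> bytes:
    """TXT RDATA is one or more <length><chars> strings of at most 255 bytes."""
    data = text.encode("ascii")
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))


def build_response(query: bytes, answers) -> bytes:
    """Echo the question section and append answer RRs.  Each RR name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid, _, qdcount, _, _, _ = DNS_HEADER.unpack_from(query)
    question = query[DNS_HEADER.size:]
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    out = DNS_HEADER.pack(txid, flags, qdcount, len(answers), 0, 0) + question
    for rtype, rdata in answers:
        out += struct.pack("!HHHIH", 0xC00C, rtype, CLASS_IN, 300, len(rdata)) + rdata
    return out


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header; QR distinguishes a query from a response."""
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(packet)
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def amplification_factor(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


# Constructed example: an ANY query and a plausible answer set for a zone that
# publishes A, AAAA, SPF and DKIM records (all values invented for this example).
QUERY = build_query("example.com", TYPE_ANY)
ANSWERS = [
    (TYPE_A, bytes([192, 0, 2, 1])),
    (TYPE_AAAA, bytes.fromhex("20010db8000000000000000000000001")),
    (TYPE_TXT, txt_rdata("v=spf1 include:_spf.example.net -all")),
    (TYPE_TXT, txt_rdata("v=DKIM1; k=rsa; p=" + "A" * 200)),
]
RESPONSE = build_response(QUERY, ANSWERS)

if __name__ == "__main__":
    print(f"query {len(QUERY)} bytes, response {len(RESPONSE)} bytes, "
          f"amplification x{amplification_factor(QUERY, RESPONSE):.1f}")
```

With these constructed records the query is 29 bytes and the response 353 bytes, roughly a 12x ratio; real ANY or DNSSEC-signed responses can be considerably larger.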
A DNS Flood most closely resembles a UDP Flood, since DNS relies primarily on UDP for name resolution. UDP is connectionless: no handshake takes place before a query is accepted, so the source address is never verified and spoofing is easy. To mount a DNS flood, the attacker runs a script from many compromised hosts at once. Because neither a DNS flood nor a UDP flood depends on receiving responses to be effective, the attacker can send queries that are malformed or otherwise not properly formatted; the server still spends resources receiving and parsing them. The attacker can forge the entire packet, including the source IP, making the attack appear to come from a large number of sources. Randomizing packet contents and source addresses also helps attackers evade common DDoS mitigation techniques such as IP filtering.
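The two traffic properties this page attributes to a DNS flood, a high query rate spread across many spoofed sources, are what a defender can actually measure. The following Python is an added example, not code from the original page: it parses a constructed query log in a simplified BIND-style format (the format and the thresholds are assumptions for illustration), computes per-second rate, distinct-source count and the share of the busiest source, and flags the window in which per-IP filtering would be ineffective because no single source carries meaningful load.

```python
import re
from collections import Counter, defaultdict

# Simplified BIND-style query-log line (an assumed format for this example):
#   HH:MM:SS.mmm client <ip>#<port>: query: <name> IN <type>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\.\d{3} client (?P<src>[\d.]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+)$")

# Constructed sample log: one quiet second of normal traffic, then one second
# of flood traffic from 200 distinct spoofed addresses (RFC 5737 test ranges).
LOG_LINES = [
    "12:00:00.105 client 203.0.113.10#40001: query: www.example.com IN A",
    "12:00:00.230 client 203.0.113.10#40002: query: mail.example.com IN MX",
    "12:00:00.410 client 203.0.113.44#51000: query: example.com IN AAAA",
    "12:00:00.872 client 203.0.113.44#51001: query: www.example.com IN A",
] + [
    f"12:00:01.{i:03d} client 198.51.100.{i}#{40000 + i}: query: example.com IN ANY"
    for i in range(200)
]


def parse_line(line: str):
    """Return (second, source_ip) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("time"), m.group("src")


def summarize(lines):
    """Per one-second window: total queries, distinct sources, and the
    fraction of queries sent by the single busiest source."""
    per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not counted
        second, src = parsed
        per_second[second][src] += 1
    summary = {}
    for second, sources in per_second.items():
        total = sum(sources.values())
        summary[second] = {
            "qps": total,
            "sources": len(sources),
            "top_share": max(sources.values()) / total,
        }
    return summary


def classify(window, qps_threshold=100, min_sources=50, max_top_share=0.05):
    """Illustrative thresholds; tune them against the server's own baseline."""
    if window["qps"] < qps_threshold:
        return "normal"
    if window["sources"] >= min_sources and window["top_share"] <= max_top_share:
        # Load is spread thinly across many (likely spoofed) sources, so
        # blocking or rate-limiting individual IPs will not reduce it.
        return "distributed-flood"
    # A few sources dominate: per-IP filtering or rate limiting can help here.
    return "concentrated-flood"


def report(lines):
    """Classify every one-second window in chronological order."""
    summary = summarize(lines)
    return [(second, classify(summary[second])) for second in sorted(summary)]


if __name__ == "__main__":
    for second, verdict in report(LOG_LINES):
        w = summarize(LOG_LINES)[second]
        print(f"{second}  qps={w['qps']:4d}  sources={w['sources']:4d}  "
              f"top_share={w['top_share']:.3f}  -> {verdict}")
```

In the constructed log the flood second shows 200 queries from 200 sources with a top-source share of 0.5%, which is exactly the pattern that defeats IP filtering: there is no offending address to block. Production use would need per-server baselining, longer windows, and correlation with the server's own drop and latency counters rather than the fixed thresholds used here.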