
Mechanisms of DNS Request Flood Attack and Defense

This section describes the mechanisms of DNS request flood attack and defense.

DNS Packet Exchange Procedure

Generally, when a user enters the domain name (such as www.huawei.com) of a website in the address box of a browser, the domain name is sent to a DNS cache server to request the IP address of the domain name. If the DNS cache server stores the mapping between the domain name and IP address, it sends the IP address to the client.

If the DNS cache server does not store the mapping between the domain name and IP address, it sends a domain name query request to the authoritative DNS server. When the authoritative DNS server replies with the IP address, the DNS cache server stores the IP address in the local cache to reduce DNS traffic on the Internet. After that, if this domain name is requested, the DNS cache server directly replies with the record in the cache until the record is aged out. Figure 1 shows the DNS packet exchange procedure.

Figure 1 DNS packet exchange procedure

Common DNS flood attack: An attacker sends massive numbers of DNS requests carrying domain names that do not exist. As a result, the DNS cache server cannot find the mappings in its cache and must send DNS requests to the authoritative server. When the number of requests overloads the DNS cache server, the server becomes unresponsive to legitimate requests.

Defense Mechanism (Against Cache Server Attacks)

The DNS server supports queries over both TCP and UDP, but most queries use UDP. UDP is connectionless, so it is faster and has lower overhead than TCP. However, a DNS server can be configured to require TCP: when it receives a UDP query from a client, it replies with a message whose TC (truncated) flag is set to 1, indicating that the client must resend the query over TCP. The FW uses this mechanism to defend against DNS flood attacks on the cache server. Figure 2 shows the procedure of source authentication by the DNS cache server.

Figure 2 Source authentication by the DNS cache server

During source authentication, the FW instructs the client to resend its DNS request over TCP in order to check that the source IP address is genuine: a spoofed source never receives the TC=1 reply and cannot complete the TCP handshake. This implementation consumes TCP connection resources on the DNS cache server.

Source authentication in this mode effectively defends against DNS request attacks on the DNS cache server. However, this mode does not apply to all scenarios on live networks, because not all clients can send TCP DNS requests. If a client cannot send TCP DNS requests, its requests cannot be served.
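The TC-flag mechanism described above, as an added Python simulation that is not part of the original page and not Huawei code: it builds a real DNS query on the wire (RFC 1035 header plus question), shows the reply the FW sends with QR=1 and TC=1, and models a firewall that whitelists a source only after that source comes back over TCP. The class and method names (TcSourceAuthenticator, on_udp_query, on_tcp_query, unverified) and the sample addresses are assumptions made for the example.

```python
import struct

# RFC 1035 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (12 bytes, big-endian).
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000   # 1 = this message is a response
FLAG_TC = 0x0200   # 1 = truncated: the client must retry the query over TCP
FLAG_RD = 0x0100   # recursion desired


def encode_name(name):
    # "www.huawei.com" -> b"\x03www\x06huawei\x03com\x00" (length-prefixed labels)
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    """A normal UDP A-record query: QR=0, RD=1, one question, no answers."""
    return HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(pkt):
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(pkt, 0)
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC), "qdcount": qd}


def truncated_reply(query):
    """The source-authentication reply: same transaction ID, question echoed,
    no answer records, QR=1 and TC=1 so a real client retries over TCP."""
    txid, flags, qd, _, _, _ = HEADER.unpack_from(query, 0)
    reply_flags = (flags & FLAG_RD) | FLAG_QR | FLAG_TC
    return HEADER.pack(txid, reply_flags, qd, 0, 0, 0) + query[HEADER.size:]


class TcSourceAuthenticator:
    """Simulated FW in front of a DNS cache server (hypothetical class, not a Huawei API)."""

    def __init__(self):
        self.whitelist = set()   # sources that completed a TCP retry
        self.challenged = set()  # sources sent TC=1 that have not retried yet

    def on_udp_query(self, src, query):
        if src in self.whitelist:
            return ("forward", query)                   # known-good source: pass to cache server
        self.challenged.add(src)
        return ("challenge", truncated_reply(query))    # answered by the FW; nothing reaches the server

    def on_tcp_query(self, src, query):
        # A TCP query only arrives after a completed three-way handshake, so the
        # source address cannot be spoofed: whitelist it and forward the query.
        self.challenged.discard(src)
        self.whitelist.add(src)
        return ("forward", query)

    def unverified(self):
        """Sources that were challenged but never returned over TCP (spoofed, or TCP-incapable clients)."""
        return sorted(self.challenged)
```

The unverified() list illustrates the caveat in the text: a legitimate client that cannot speak DNS over TCP looks exactly like a spoofed source to this mechanism, so its requests are never forwarded.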

Defense Mechanism (for Authoritative Servers)

Source authentication by the authoritative server, also called the redirection mode, can be used to defend against DNS request flood attacks. To minimize false positives and avoid slowing responses to legitimate requests, the FW applies redirection only to source IP addresses that request the targeted domain names.

As shown in Figure 3, the FW collects statistics on DNS requests by destination address and enables redirection when the rate of DNS request packets to a destination exceeds a specified threshold.

  1. The FW returns an alias address to the source address. If the source address is forged, the reply never reaches a real client and no follow-up request is received; the source address is then considered illegitimate, and its packets are discarded.
  2. If the source address is real, the DNS client sends a DNS request for the alias address. The source address passes the authentication, and the FW whitelists it.
  3. The FW redirects the client to the correct address. When the source requests the correct address, the request matches the whitelist and is forwarded to the authoritative server.

Figure 3 Source authentication by the authoritative server
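The redirection mode from steps 1 to 3, as an added Python simulation that is not part of the original page and not Huawei code: a per-destination sliding-window rate counter turns redirection on once a threshold is crossed, each unverified source is challenged with an alias name, a source that queries the alias is whitelisted and redirected back to the real name, and only whitelisted sources are forwarded to the authoritative server. The class name RedirectAuthenticator, the HMAC-derived alias format, the secret, the threshold value and the sample addresses are assumptions made for the example; the page does not specify how the alias is constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed key for the example; a real device would hold its own secret so that
# an attacker cannot precompute the alias for a source it is spoofing.
SECRET = b"constructed-example-secret"


class RedirectAuthenticator:
    """Simulated FW in front of an authoritative DNS server (hypothetical class, not a Huawei API)."""

    def __init__(self, threshold, window=1.0):
        self.threshold = threshold        # queries per window, per destination address
        self.window = window              # seconds
        self.hits = defaultdict(deque)    # dst -> timestamps of recent queries
        self.whitelist = set()            # sources that answered the alias challenge
        self.pending = {}                 # src -> original qname it was challenged for

    def _rate(self, dst, now):
        """Record one query to dst and return the count inside the sliding window."""
        q = self.hits[dst]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def alias_for(self, src, qname):
        # Per-source, unguessable alias label prepended to the requested name.
        token = hmac.new(SECRET, f"{src}|{qname}".encode(), hashlib.sha256).hexdigest()[:12]
        return f"{token}.{qname}"

    def handle(self, src, dst, qname, now):
        """Returns (action, name): 'forward' to the server, 'challenge' with an alias,
        or 'redirect' back to the real name. The FW answers the last two itself."""
        if self._rate(dst, now) <= self.threshold or src in self.whitelist:
            return ("forward", qname)
        if src in self.pending and qname == self.alias_for(src, self.pending[src]):
            # Step 2: only a client that actually received our reply can ask for the alias.
            self.whitelist.add(src)
            original = self.pending.pop(src)
            return ("redirect", original)   # Step 3: point the client back to the correct name
        # Step 1: challenge. A spoofed source never sees this and never comes back.
        self.pending[src] = qname
        return ("challenge", self.alias_for(src, qname))

    def unanswered(self):
        """Sources challenged during redirection that never queried their alias."""
        return sorted(self.pending)
```

Because the rate is counted per destination rather than per source, a flood from many spoofed addresses still trips the threshold, while a client that was whitelisted before the flood keeps being forwarded; the unanswered() list is what remains of the spoofed sources after the exchange.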
Copyright © Huawei Technologies Co., Ltd.