This section describes the mechanism of a DNS reply flood attack and how the FW defends against it.
An attacker sends a large number of forged DNS reply packets to a DNS server or host to degrade the target's processing performance.
The FW collects statistics on the transmission rate of DNS reply packets by destination address and enables source authentication when the rate of DNS reply packets reaches the threshold.
Upon receiving a DNS reply packet, the FW constructs a DNS request probe packet with a new Query ID and source port and sends it to the peer. When the peer's reply to the probe arrives, the FW checks whether the Query ID and destination port in that reply are the same as the Query ID and source port in the DNS request probe packet. If they match, the source IP address is whitelisted. Figure 1 shows the procedure of source authentication for preventing DNS reply flood attacks.
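The rate check and probe-based source authentication described above, as an added example that is not the firewall vendor's code: it assumes replies are handed to the guard as (source IP, destination IP, destination port, DNS payload), models a single counting interval, and builds its sample reply inline.

```python
import os
import struct

DNS_HDR = struct.Struct("!HHHHHH")   # Query ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def question_section(payload):
    """Return the QNAME+QTYPE+QCLASS bytes that follow the 12-byte DNS header."""
    i = DNS_HDR.size
    while payload[i] != 0:            # walk the labels up to the root (zero-length) label
        i += 1 + payload[i]
    return payload[DNS_HDR.size:i + 5]

def build_probe(reply):
    """Re-ask the reply's question as a standard query with a fresh Query ID and source port."""
    qid = int.from_bytes(os.urandom(2), "big")
    sport = 1024 + int.from_bytes(os.urandom(2), "big") % 64511
    header = DNS_HDR.pack(qid, 0x0100, 1, 0, 0, 0)   # QR=0 (query), RD=1
    return qid, sport, header + question_section(reply)

class DnsReplyFloodGuard:
    def __init__(self, threshold):
        self.threshold = threshold     # replies per destination that trigger source authentication
        self.reply_count = {}          # destination IP -> DNS replies seen in this interval
        self.pending = {}              # source IP -> (Query ID, source port) of the probe sent
        self.whitelist = set()

    def handle_reply(self, src_ip, dst_ip, dst_port, payload):
        """Return ("forward"|"drop"|"whitelist", None) or ("probe", (source_port, probe_bytes))."""
        if src_ip in self.whitelist:
            return "forward", None
        qid = DNS_HDR.unpack_from(payload)[0]
        if self.pending.get(src_ip) == (qid, dst_port):
            del self.pending[src_ip]   # the real server answered our probe: Query ID and port match
            self.whitelist.add(src_ip)
            return "whitelist", None
        self.reply_count[dst_ip] = self.reply_count.get(dst_ip, 0) + 1
        if self.reply_count[dst_ip] < self.threshold:
            return "forward", None     # below threshold: replies pass without authentication
        if src_ip in self.pending:
            return "drop", None        # unverified source while its probe is still outstanding
        qid, sport, probe = build_probe(payload)
        self.pending[src_ip] = (qid, sport)
        return "probe", (sport, probe)

def make_reply(qid, name=b"\x07example\x03com\x00"):
    """Constructed sample reply: one question plus one A record (compression pointer to the QNAME)."""
    question = name + struct.pack("!HH", 1, 1)                      # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return DNS_HDR.pack(qid, 0x8180, 1, 1, 0, 0) + question + answer  # QR=1, RD=1, RA=1
```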