Tuesday, March 4, 2025

Exploring DDoS Attack Patterns and Traffic Analysis


In the ever-evolving landscape of cybersecurity threats, Distributed Denial of Service (DDoS) attacks are powerful weapons used by attackers to disrupt online services and infrastructure. Among the many DDoS attack methods, one stands out for its cunning strategy and relentless impact: the DNS Water Torture attack.


Figure 1: Cisco’s analysis of DDoS total attack history and predictions

Understanding DNS Water Torture

The term “DNS Water Torture” draws an analogy from the famous Chinese water torture, a method of psychological torment. In the original water torture, droplets of water fall consistently on a person’s forehead, causing immense distress over time.

Similarly, DNS Water Torture attacks involve a relentless barrage of malicious DNS queries directed at the target’s DNS infrastructure. These queries may be repetitive, continuous, and slowly escalating in intensity. The goal is to overwhelm the DNS server’s resources and disrupt its ability to function properly, causing a denial of service.

Attack Execution Steps

The execution steps of a DNS Water Torture attack are as follows:

  1. Generation of Queries: The attacker creates a script that uses an algorithm such as a Domain Generation Algorithm (DGA) to generate thousands of DNS queries per second.

  2. Sending Queries: These generated subdomain queries are sent to various DNS servers, including those belonging to the victim’s organisation. Because these subdomains or IPs do not exist, each query triggers a recursive lookup process.

  3. Server Response: The victim’s DNS server receives these queries and, finding no entries in its cache (because these subdomains are random and numerous), attempts to resolve each one. This often involves contacting higher-level DNS servers to confirm that the subdomains do not exist.

  4. Resource Drain: Processing these numerous, non-cacheable queries consumes significant computational and network resources on the victim’s DNS servers. This can slow down the server’s response time or even lead to server downtime, affecting all legitimate queries for “victim.com”.

Types of DNS Water Torture Attacks

The three most popular and common types of DNS Water Torture DDoS attacks are:

  1. Pseudorandom Subdomain (PRSD) Attack

In a Pseudorandom Subdomain (PRSD) attack, the attacker floods the DNS server of a specific web domain with a massive number of random-subdomain DNS queries. These queries are typically generated algorithmically, for example with a Domain Generation Algorithm (DGA), and may appear legitimate at first glance.


Figure 2: DNS PRSD and NX DDoS Attack Overview

For this type of attack, the DNS queries sent by the attacker look like the following:


Figure 3: DNS PRSD Queries

  2. NXDOMAIN (NX) Attack

In an NXDOMAIN Attack, the attacker queries for non-existent domains, flooding the DNS resolvers with queries for domain names that do not exist. Here the targets are the local DNS servers and network providers. When the authoritative name server receives a query for a domain that does not exist, it responds with an NXDOMAIN (Non-Existent Domain) response. By continuously querying for non-existent domains, the attacker aims to exhaust the cache of intermediate DNS resolvers and force them to repeatedly query random authoritative DNS servers for non-existent domains.

For this type of attack, the DNS queries sent by the attacker look like the following:


Figure 4: DNS NXDOMAIN Queries

  3. Pointer (PTR) Attack

In a PTR (Pointer) Attack, the attacker inundates the DNS server with reverse DNS lookup requests, also known as PTR queries. Reverse DNS lookups map IP addresses to domain names, and these queries are typically used for network troubleshooting or security purposes. In a PTR Attack, however, the attacker floods the intermediate DNS servers with a high volume of PTR queries, overwhelming their capacity to process these requests efficiently.

For this type of attack, the reverse DNS lookup (PTR) queries sent by the attacker look like the following:


Figure 5: Reverse DNS Lookup PTR Queries
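A defender-side check for the query patterns described in the execution steps and in the three attack types above, written as an added example (it is not code from the original article or from Keysight): it runs over a constructed resolver log and flags zones with a high NXDOMAIN ratio and many distinct, high-entropy subdomains (PRSD/NX flooding), plus clients issuing bursts of PTR queries. The log format, the thresholds and all sample addresses and names are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): time client qtype qname rcode
SAMPLE_LOG = """\
10:00:01 198.51.100.7 A www.victim.example NOERROR
10:00:02 203.0.113.9 A k3x9q2zv.victim.example NXDOMAIN
10:00:02 203.0.113.9 A p7m1r8ta.victim.example NXDOMAIN
10:00:02 203.0.113.9 A zq4w0hd2.victim.example NXDOMAIN
10:00:03 203.0.113.9 A b8n5ly3c.victim.example NXDOMAIN
10:00:03 203.0.113.9 A v2t6ke9j.victim.example NXDOMAIN
10:00:04 203.0.113.44 PTR 1.0.0.10.in-addr.arpa NXDOMAIN
10:00:04 203.0.113.44 PTR 2.0.0.10.in-addr.arpa NXDOMAIN
10:00:04 203.0.113.44 PTR 3.0.0.10.in-addr.arpa NXDOMAIN
10:00:05 198.51.100.8 A wwww.other.example NXDOMAIN
10:00:05 198.51.100.7 PTR 7.100.51.198.in-addr.arpa NOERROR
"""

def label_entropy(label):
    """Shannon entropy (bits/char) of one DNS label; DGA-style labels score high."""
    return -sum(label.count(c) / len(label) * math.log2(label.count(c) / len(label)) for c in set(label))

def analyse(log_text):
    """Per-zone PRSD/NXDOMAIN indicators plus PTR query counts per client."""
    zones = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "subdomains": set(), "nx_entropy": []})
    ptr_per_client = defaultdict(int)
    for line in log_text.splitlines():
        _, client, qtype, qname, rcode = line.split()
        if qtype == "PTR":
            ptr_per_client[client] += 1
            continue
        labels = qname.rstrip(".").split(".")
        z = zones[".".join(labels[-2:])]  # registered zone assumed to be the last two labels
        z["queries"] += 1
        z["subdomains"].add(".".join(labels[:-2]))
        if rcode == "NXDOMAIN":
            z["nxdomain"] += 1
            z["nx_entropy"].append(label_entropy(labels[0]))  # leftmost label is the random part
    return zones, ptr_per_client

def flag_water_torture(log_text, nx_ratio=0.5, min_unique=5, min_entropy=2.5, ptr_min=3):
    """Zones whose traffic looks like random-subdomain flooding, and clients sending PTR bursts."""
    zones, ptr_per_client = analyse(log_text)
    flagged = {}
    for zone, z in zones.items():
        ratio = z["nxdomain"] / z["queries"]
        entropy = sum(z["nx_entropy"]) / len(z["nx_entropy"]) if z["nx_entropy"] else 0.0
        if ratio >= nx_ratio and len(z["subdomains"]) >= min_unique and entropy >= min_entropy:
            flagged[zone] = {"nxdomain_ratio": round(ratio, 2), "unique_subdomains": len(z["subdomains"]), "mean_nx_label_entropy": round(entropy, 2)}
    ptr_floods = {c: n for c, n in ptr_per_client.items() if n >= ptr_min}
    return flagged, ptr_floods
```

The single typo-style NXDOMAIN for `other.example` is not flagged because it fails the unique-subdomain threshold, which is what separates ordinary resolver noise from a sustained random-subdomain flood.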

DDoS DNS Water Torture Attacks in Keysight ATI

At Keysight Technologies, researchers in our Application and Threat Intelligence (ATI) team have examined the traffic patterns of various DNS Water Torture attacks and have published the network traffic patterns of three popular variants as part of the BreakingPoint System’s DDoS Lab in the ATI-2024-09 Strike Pack, released on May 10, 2024.


Figure 6: DNS Water Torture DDoS Attack Coverage in BreakingPoint

Leverage Subscription Service to Stay Ahead of Attacks

Keysight’s Application and Threat Intelligence subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.
