In the constantly shifting domain of cyber security, Distributed Denial of Service (DDoS) attacks are a powerful tool used by adversaries to disrupt online services and infrastructure by flooding them with huge amounts of traffic. Over the last few years, cyber security experts have observed a new type of volumetric DDoS attack known as Pulse Wave DDoS attacks.
Unlike traditional DDoS attacks, which maintain a continuous flood of attack traffic to overwhelm system resources, Pulse Wave attacks deliver a huge amount of attack traffic in high-intensity bursts followed by short pauses, like a pulse. This makes them very hard for traditional mitigation strategies to detect and defend against.
Figure 1: DDoS-GUARD Pulse Wave DDoS Attack Graph
DNSBomb Pulsing Attack
Recently, researchers at Tsinghua University identified a new potential type of pulse wave DDoS attack, named the DNSBomb pulsing attack, which targets the Domain Name System (DNS) infrastructure.
DNSBomb leverages some inherent mechanisms of the DNS protocol, such as timeout, query aggregation and response fast-returning, to construct a powerful pulse wave DDoS attack. Here are the 3 major steps of the attack:
- Accumulating DNS Queries
First, the attacker accumulates DNS queries by leveraging the timeout mechanism of DNS. They send DNS queries containing their own domain names to the DNS resolvers in such a way that the answer from the Authoritative Name Server is delayed. During this delay, the attacker maximizes the number of outstanding DNS queries.
- Amplifying DNS Queries into Responses
Next, small-sized DNS queries are amplified into larger-sized DNS responses by using mechanisms such as query aggregation (issuing one resolver query for multiple simultaneous client requests on the same domain name) and the Extension Mechanisms for DNS (EDNS(0)).
As per the DNSBomb attack specification, 3 types of amplified DNS response can be sent to the victim:
- Response with SERVFAIL response code
- Response with EDNS0 extension
- Response without EDNS0 extension
Figure 2: DNSBomb Amplified DNS Responses
- Concentrating DNS Responses
Finally, the accumulated and amplified DNS responses are concentrated into a short pulse window and then sent to the target by leveraging the DNS response fast-returning mechanism, which creates a powerful pulsing DoS effect on the target server, as shown below:
Figure 3: BreakingPoint System’s DDoS Lab Simulated Pulse Wave Attack Statistic
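From the defender's side, the pulse shape described above is what lets the traffic slip under a sustained-rate threshold. The following is an added example, not code from Keysight or the DNSBomb researchers: it compares a moving-average check with a burst-periodicity check over per-bin byte counts of inbound DNS responses. The bin width, thresholds and the sample series are constructed assumptions.

```python
from statistics import mean, median

BIN_MS = 100          # assumed bin width for inbound DNS-response byte counters
AVG_LIMIT = 50_000    # assumed sustained-rate limit (bytes per bin, moving average)
BURST_FACTOR = 8      # assumed: a bin is a burst when it exceeds 8x the median bin

def constructed_series(n_bins=300, period=100, width=2, base=2_000, peak=1_000_000):
    """Constructed sample: quiet baseline with a short burst every `period` bins."""
    return [peak if i % period < width else base for i in range(n_bins)]

def sustained_alarm(bins, window=100, limit=AVG_LIMIT):
    """Classic check: does any moving average over `window` bins exceed `limit`?"""
    return any(mean(bins[i:i + window]) > limit
               for i in range(len(bins) - window + 1))

def find_pulses(bins, factor=BURST_FACTOR):
    """Return (start_bin, length_bins, total_bytes) for each run of burst bins."""
    threshold = factor * max(median(bins), 1)
    pulses, start = [], None
    for i, count in enumerate(bins + [0]):      # trailing 0 closes an open run
        if count > threshold:
            if start is None:
                start = i
        elif start is not None:
            pulses.append((start, i - start, sum(bins[start:i])))
            start = None
    return pulses

def pulse_wave_alarm(bins, min_pulses=3, jitter=0.2):
    """Alarm when at least `min_pulses` bursts recur at a near-constant interval."""
    starts = [p[0] for p in find_pulses(bins)]
    if len(starts) < max(min_pulses, 2):
        return False
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return max(gaps) - min(gaps) <= jitter * mean(gaps)

if __name__ == "__main__":
    series = constructed_series()
    print("sustained-rate alarm:", sustained_alarm(series))
    print("pulses:", find_pulses(series))
    print("pulse-wave alarm:", pulse_wave_alarm(series))
```

On the constructed series the 10-second moving average stays below the limit even though each burst bin carries 500 times the baseline, while the periodicity check flags the three evenly spaced pulses.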
DNSBomb Pulse Wave Attack in Keysight ATI
At Keysight Technologies, our Application and Threat Intelligence (ATI) team has examined the traffic patterns of various possible DNSBomb pulsing DoS attacks and published the network traffic patterns of 3 such attacks, “DDoS DNSBomb ServFail Pulse Wave Response Attack”, “DDoS DNSBomb Pulse Wave Attack with EDNS0” and “DDoS DNSBomb Pulse Wave Attack without EDNS0”, as part of the BreakingPoint System’s DDoS Lab in the ATI-2024-15 Strike Pack released on August 01, 2024.
Figure 4: Pulse Wave DDoS Attacks (DNSBomb) Coverage in BreakingPoint
Leverage Subscription Service to Stay Ahead of Attacks
Keysight’s Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test the ability of their currently deployed security controls to detect or block such attacks.