DNS name resolution services are required both to maintain an Internet presence and to access online resources. The Domain Name System, or DNS, which serves as the Internet's address book, maps human-friendly names to IP addresses so that devices, applications, and services know how to find one another. It is one of the core Internet services enabling the communications we take for granted countless times each day.

However, both authoritative and recursive DNS servers are frequently the target of disruptive DDoS attacks, and undefended DNS servers can also be abused as reflectors in reflection-amplification DDoS attacks against any organization on the Internet, including the networks of their own owners and operators.

Protecting the availability of DNS is key for any organization providing services or content across the Internet. If the DNS infrastructure is unavailable or slow, services depending on it will be impacted. This is why DNS DDoS protection and mitigation are imperative to keeping these services available.


Defending DNS with Adaptive DDoS Protection

NETSCOUT has visibility into 50+ percent of all Internet traffic, seeing tens of millions of attacks per year. This threat data is collected in our ATLAS Threat Intelligence system which currently tracks over 1.3 million bots and 500,000 known abusable reflection and amplification systems actively participating in DDoS attacks around the globe.

Knowing the active DDoS participants enables faster detection of attacks, including those that stay below conventional detection thresholds. It also allows more targeted mitigation instead of the broad, uninformed mitigation that is otherwise applied only once an attack has been detected.

As a DDoS attack transforms, either by rotating the attacking infrastructure or by shifting attack vectors, that transformation is tracked and mitigation follows it, learning as the attack progresses.

This combination of knowing the threat landscape, using that knowledge to inform detection and mitigation, and learning as attacks transform is Adaptive DDoS Protection, and it is essential to precise and effective DNS DDoS mitigation.

DNS-Specific DDoS Mitigations

DNS zone validation

Only allow requests for valid DNS records to pass while other requests are caught by mitigation.

DNS authentication

Attempt to upgrade DNS to use TCP connections. Valid requesting clients will respond and complete the TCP handshake, while spoofed attackers and reflectors, which never see the reply sent to the forged source address, will not.

DNS malformed traffic detection

Block any DNS traffic that does not conform to the DNS RFCs.

DNS regex matching

Identify common patterns in DNS payloads to block or pass requests.

DNS and NXDOMAIN rate limiting

Limit individual client request rates when under a Water Torture (random-subdomain) attack or other DNS attack.
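The following is an added example, not NETSCOUT's code, showing in simplified form how two of the mitigations listed above fit together: zone validation (only names that exist in the served zone pass; out-of-zone names are refused) and per-client NXDOMAIN rate limiting against a random-subdomain flood. In-zone names that do not exist are handed to the rate limiter rather than dropped outright, so a legitimate client making the occasional typo is not penalised. The zone name, record set, client addresses, thresholds and log lines are all constructed for this example.

```python
"""Constructed DNS query-log analyser: zone validation plus per-client
NXDOMAIN rate limiting. All names, addresses, thresholds and log lines
are constructed for this example (not production values)."""
import hashlib
from collections import defaultdict, deque

# Constructed authoritative data: the only names this server serves.
SERVED_ZONE = "example.com."
KNOWN_NAMES = {"example.com.", "www.example.com.", "mail.example.com.", "api.example.com."}

# Assumed rate-limit policy: more than MAX_NXDOMAIN misses from one client
# inside WINDOW_SECONDS puts that client into mitigation.
MAX_NXDOMAIN = 5
WINDOW_SECONDS = 10


def normalise(qname: str) -> str:
    """Lower-case and make fully qualified so comparisons are exact."""
    qname = qname.lower()
    return qname if qname.endswith(".") else qname + "."


def in_zone(qname: str) -> bool:
    """True when qname is the zone apex or any name beneath it."""
    q = normalise(qname)
    return q == SERVED_ZONE or q.endswith("." + SERVED_ZONE)


def zone_validate(qname: str) -> str:
    """Zone validation verdict: 'pass' for an existing in-zone name,
    'refused' for an out-of-zone name, 'nxdomain' for a missing in-zone name."""
    q = normalise(qname)
    if not in_zone(q):
        return "refused"
    return "pass" if q in KNOWN_NAMES else "nxdomain"


class NxdomainRateLimiter:
    """Sliding-window count of NXDOMAIN answers per client address."""

    def __init__(self, limit=MAX_NXDOMAIN, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.misses = defaultdict(deque)  # client -> timestamps of recent misses

    def record_miss(self, client: str, ts: float) -> bool:
        """Register one NXDOMAIN for client at time ts and drop timestamps that
        fell out of the window; return True if the client is now over the limit."""
        q = self.misses[client]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def analyse(log_lines, limiter=None):
    """Run each '<ts> <client> <qname>' log line through zone validation and
    the NXDOMAIN limiter. Returns {client: {verdict: count}}."""
    limiter = limiter or NxdomainRateLimiter()
    verdicts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        ts, client, qname = line.split()
        verdict = zone_validate(qname)
        if verdict == "nxdomain" and limiter.record_miss(client, float(ts)):
            verdict = "rate_limited"
        verdicts[client][verdict] += 1
    return {c: dict(d) for c, d in verdicts.items()}


def random_label(i: int) -> str:
    """Deterministic stand-in for the pseudo-random labels of a water-torture flood."""
    return hashlib.sha256(str(i).encode()).hexdigest()[:10]


# Constructed sample log: one ordinary client and one client flooding random
# labels under the served zone, all within a single 10-second window.
SAMPLE_LOG = [
    "100.0 192.0.2.10 www.example.com",
    "100.5 192.0.2.10 API.example.com",
    "101.0 192.0.2.10 other.example.org",   # out of zone -> refused
] + [f"{100.0 + i * 0.1:.1f} 203.0.113.7 {random_label(i)}.example.com" for i in range(20)]

if __name__ == "__main__":
    for client, counts in analyse(SAMPLE_LOG).items():
        print(client, counts)
```

The flooding client's first five misses are answered normally and the remaining fifteen are marked rate_limited, while the ordinary client is never touched; in a real deployment the window and threshold would be tuned per zone, and the out-of-zone refusal would be applied before any further work is spent on the query.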