Protecting DNS Infrastructure from Resource Exhaustion Attacks

May 7, 2024

Andres Azcuna
Sales Director, Carahsoft

The Domain Name System (DNS) functions as the phonebook of the internet. It translates human-readable domain names into IP addresses, enabling end users to reach web applications and application programming interfaces (APIs) over fast and reliable internet connections. DNS was designed as a building block of the internet, not as a security control point, so DNS servers are often viewed as an easy target that is vulnerable to attack. Protecting DNS servers is critical, since a threat to an organization’s servers can also disrupt enterprise operations, profitability and trust with end users.

Threats to DNS Infrastructure

In the evolving landscape of DNS infrastructure, threats pose serious risks to the speed, availability and operation of enterprises’ DNS services. Among these threats are DNS floods, which overwhelm servers with a barrage of requests for resources, effectively rendering them unavailable to legitimate queries. The 2023 Akamai Attack Superhighway State of the Internet report underscores the growing concern surrounding DNS denial of service attacks across various industry sectors, a trend that is expected to keep escalating. With DNS infrastructure handling up to seven trillion DNS requests a day, multistage attacks have become the primary mode of attack for the modern threat actor. Attackers have found increasing success by working together and combining different tools during a single attack.

Resource Exhaustion Attacks

Resource exhaustion affects both people and technology. Exhaustion in people is often the result of staffing challenges: lean crews managing multiple aspects of the network while simultaneously defending against attacks. If one aspect of the network falls under attack, it takes away from their ability to manage and oversee other areas. On the technological side, resource exhaustion attacks seek to overload one piece of the network—a DNS server, a hardware tool, a next-generation firewall—to the point where it can no longer function because it was not designed to handle such a heavy amount of traffic. This style of attack can last anywhere from a few minutes to a continuous attack that runs for days.

Distributed Denial of Service (DDoS), a type of resource exhaustion attack, simulates thousands of computers attempting to access the same resource simultaneously until it can no longer function. The website under attack becomes unavailable because of the sudden onslaught of false traffic that it is unable to manage. DNS is a common target for these DDoS-style attacks because the critical services of websites and applications rely on the translation of domain names to IP addresses being uninterrupted. Mitigating this form of malicious traffic is challenging, because the servers under attack typically see only the IP address of the recursive resolver rather than the clients behind it. Consequently, any attempt to limit traffic based on that address usually results in false positives.
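The false-positive problem described above, shown on a constructed one-second query log as an added example (not code from the original post or from Akamai): a plain per-IP limit throttles a busy but legitimate recursive resolver while each low-rate flood source slips under it, whereas a baseline-aware per-source check plus a server-level aggregate check avoids that. All addresses, rates and the learned baselines are constructed assumptions.

```python
"""Why per-source-IP rate limiting misfires at an authoritative DNS server.

Constructed sample: 203.0.113.10 is a large recursive resolver that forwards
queries on behalf of many clients, so a high rate from it is normal. The
198.51.100.0/24 sources are constructed flood sources, each sending at a
low rate. Addresses come from the RFC 5737 documentation ranges.
"""
from collections import Counter

def build_sample_log():
    """Return constructed query-log lines for one second of traffic,
    formatted as 'timestamp source_ip qname qtype'."""
    lines = []
    for i in range(400):  # busy but legitimate resolver: 400 qps
        lines.append(f"2024-05-07T10:00:00.{i:03d} 203.0.113.10 host{i % 50}.example.com A")
    for n in range(200):  # 200 flood sources x 10 qps = 2000 qps in total
        for j in range(10):
            lines.append(f"2024-05-07T10:00:00.{j * 100:03d} 198.51.100.{n + 1} h{n}-{j}.example.com A")
    return lines

def per_source_qps(lines):
    """Count queries per source IP (field 2) over the one-second window."""
    return Counter(line.split()[1] for line in lines)

def naive_flags(qps, limit=100):
    """Plain per-IP limit: every source above `limit` queries/second is throttled."""
    return {src for src, n in qps.items() if n > limit}

def baseline_flags(qps, baseline, limit=100, factor=3.0):
    """Throttle a source only if it exceeds the floor AND a multiple of its
    learned normal rate, so a known busy resolver is not a false positive.
    Sources with no learned baseline fall back to the plain floor."""
    return {src for src, n in qps.items()
            if n > limit and n > factor * baseline.get(src, 0.0)}

def aggregate_alert(qps, baseline_total, factor=3.0):
    """Server-level check that still notices a flood spread thinly across
    many sources: compare total load with the learned total rate."""
    total = sum(qps.values())
    return total > factor * baseline_total, total

if __name__ == "__main__":
    qps = per_source_qps(build_sample_log())
    baseline = {"203.0.113.10": 380.0}  # constructed rate learned over prior days
    print("naive per-IP flags:  ", naive_flags(qps))            # {'203.0.113.10'}: false positive
    print("baseline-aware flags:", baseline_flags(qps, baseline))  # set(): resolver left alone
    print("aggregate alert:     ", aggregate_alert(qps, 450.0))  # (True, 2400): flood still seen
```

The aggregate check only tells the operator that the server is under load; separating the flood from legitimate queries still needs per-query signals, which is the role the reverse proxy in the next section plays.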

Securing DNS Infrastructure

By implementing a reverse proxy solution that protects on-prem and hybrid DNS infrastructure, organizations can defend existing DNS hardware tools from globally distributed attacks such as resource exhaustion and DDoS. Organizations can keep online services and applications available by re-routing traffic through an advanced DNS proxy server that filters out malicious traffic in real time during attacks. An intelligent reverse proxy solution that is deployed through an authoritative DNS change made in a domain controller, and that does not require replacing any existing tools, helps organizations distinguish legitimate traffic from attack traffic. A solution with proactive security policies eliminates the time spent configuring individual settings and changing them over time. Organizations that use hardware DNS gain continued availability and enhanced security for the existing investments and solutions that are critical to their network, without having to make any major network adjustments. Through real-time monitoring of DNS infrastructure health and performance, organizations can increase the reliability of routing, the security and the availability of their existing DNS hardware solutions.

With the increase in remote work in the wake of the COVID-19 pandemic, it has become harder to detect and prevent resource exhaustion attacks. Because DNS resolution is critical to website and application performance, organizations must invest in adequate DNS infrastructure rather than relying on two or three servers to connect with end users. Adopting a proactive approach that can identify and mitigate vulnerabilities at each stage of the data journey is pivotal to keeping DNS infrastructure secure amid the evolving threat landscape.

Contact our team today to learn more about how to protect your enterprise from resource exhaustion attacks with Akamai Shield NS53, a bidirectional reverse proxy service.