3 Ways to Use DNS Rate Limit Against DDoS Attacks

Tips to take advantage of this powerful defense

DDoS attacks on the rise

Domain Name Service (DNS) distributed denial-of-service (DDoS) attacks powered by techniques like DNS amplification and DNS reflection are launched on a daily basis against large DNS providers.

Almost every transaction on the Internet starts with a DNS request, making DNS an extremely critical service and also an interesting target for individuals or organizations aiming to disrupt a particular Internet service. Many possible solutions to defeat these attacks have being discussed, but unfortunately, like in many other security issues, there is no silver bullet or definitive solution.

Popular countermeasures

Overprovisioning and rate limiting are two of the most popular countermeasures used by the network administrators to protect against these types of attacks.

Overprovisioning can be as simple as deploying more machines to increase the capacity of the DNS server farm in order to support regular traffic load and absorb peak load generated by an attack. Although this approach is interesting from the DNS application or hardware vendor point of view, in many cases this is not true for the DNS provider.

The reason is that overprovision doesn’t just mean more DNS servers. It means more rack space, power consumption, cooling, and additional complexity and resources for operating and managing the DNS infrastructure – a big capital outlay. At the end of the day, you’re just putting more soldiers out to die instead of arming them better to improve their effectiveness.

In addition to the economical factor, overprovisioning can cause negative impact on the technical side if not done properly. Side effects of adding machines are the reduction of overall cache hit rate and the consequent increase in DNS latency.

On the other hand, DNS rate limiting is commonly considered the most effective defense against DDoS attacks since it gives network operators a fine-grained control on the traffic reaching and leaving the DNS server farm.

3 ways to use DNS rate limit to protect against DDoS

1. Rate limit by source IP address

This type of rate limit allows specifying how many DNS queries per time slot can be accepted from a particular IP or subnet, blocking any attack or misuse that sends DNS requests above the configured threshold.

This throttling mechanism will require the attacker to spoof a much larger IP address range in order to reach the query rate necessary for the attack to succeed.

Before enforcing the rate limit rules on your network, it is strongly recommended to test these rules on monitor or test mode where the offending requests are not actually dropped, only logged. This procedure will help identify the traffic patterns of your network and give confidence that the rate-limiting rules will not harm legitimate traffic.

For authoritative DNS servers, this type of rate limiting can be tricky since the source IP address that can reach your DNS server is unknown. For this type of DNS server, the DNS Response Rate Limiting (DNS RRL) is recommended.

2. Rate limit by destination IP address

The destination IP address rate limit is useful when the operational load limit of a DNS server is known and you don’t want to reach this limit in order to avoid unpredictable and undesirable behaviors caused by an overloaded DNS server.

By using this type of rate limiting you can specify the maximum number of queries that can reach each DNS server on the server farm, dropping any additional traffic above this threshold (that would be discarded anyway) and thus protecting the DNS server from being overwhelmed by receiving more queries than it can handle.

3. Rate limit by DNS query type

When more fine-tuning is necessary on rate limiting, it’s possible to specify rules based on DNS query type. There are different types of DNS queries; some of them are much more common than others, for example, type A, AAAA, and pointer (PTR) queries.

This type of rate limit can be used to block critical deviations from the average DNS query type distribution that can be considered an important indication of an attack.

It’s possible, for example, to specify rules to enforce that a particular IP address or subnet can only send five requests of type A, two requests of type AAAA, two requests of type PTR, and one request of the remaining types. On this last example, the query type rate limit is used in conjunction with source IP address rate limit in order to have a fine-grained control over the DNS traffic.

As mentioned with the source IP address rate limit, running the rules on monitor or test mode before enforcement mode is strongly recommended.

Flexibility is key

No matter which type of rate limit you want to use, it’s important to have a DNS defense infrastructure with the ability to offer and combine all these types of rate limiting. This will provide you the flexibility to use any combination to better protect your DNS service from the ever-changing DNS attack landscape

Sandro Lima
About Sandro Lima
Sandro Lima is a telecommunications engineer with more than 12 years of experience designing and deploying network and security solutions for major telecom carriers and ISPs across the globe. Cybersecurity, IP Network Technologies, Deep Packet Inspection, and DNS are some of his specialties. Sandro is currently part of the Sales Engineering team at Cloudshield Technologies, responsible for the North American region.