Mitigate DNS based DDoS attacks

A DNS flood is a type of distributed denial-of-service (DDoS) attack in which an attacker floods a particular domain’s Domain Name System (DNS) servers in an attempt to disrupt DNS resolution for that domain. By disrupting DNS resolution, a DNS flood attack will compromise a website, API, or web application's ability to respond to legitimate traffic. DNS flood attacks can be difficult to distinguish from normal heavy traffic because the large volume of traffic often comes from a multitude of unique locations, querying for real records on the domain, mimicking legitimate traffic.

DNS-based attacks are on the rise. DNS flood attacks are only one type of attack against a domain’s Domain Name System. Reflection attacks, cache poisoning, TCP SYN floods, DNS tunneling, and DNS hijacking are also commonly used by attackers targeting the Domain Name System to disrupt service for a particular domain.

How does a DNS flood attack work?

DNS flood attacks constitute a relatively new type of DNS-based attack that has proliferated with the rise of high bandwidth Internet of Things (IoT) botnets like Mirai. DNS flood attacks use the high bandwidth connections of IP cameras, DVR boxes and other IoT devices to directly overwhelm the DNS servers of major providers. The volume of requests from IoT devices saturates the DNS provider’s connection and prevents legitimate users from accessing the provider's DNS servers. The function of the Domain Name System is to translate between easy to remember names (e.g. example.com) and hard to remember addresses of website servers (e.g. 192.168.0.1), so successfully attacking DNS infrastructure makes the internet unusable for most people.

DNS flood attacks differ from DNS amplification attacks. Unlike DNS floods, DNS amplification attacks reflect and amplify traffic off unsecured DNS servers in order to hide the origin of the attack and increase its effectiveness. DNS amplification attacks use devices with smaller bandwidth connections to make numerous requests to unsecured DNS servers. The devices make many small requests for very large DNS records, but when making the requests, the attacker forges the return address to be that of the intended victim. The amplification allows the attacker to take out larger targets with only limited attack resources.
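The contrast between a flood and a reflection/amplification pattern can be checked on a DNS server's own query log. The following is an added example, not Cloudflare's code: the log format, thresholds, and function names are assumptions made for illustration, and the sample windows are constructed.

```python
from collections import Counter

# Constructed log format (an assumption, not any real server's format):
# "<epoch_seconds> <source_ip> <qname> <qtype> <query_bytes> <response_bytes>"
def parse(line):
    ts, src, qname, qtype, qbytes, rbytes = line.split()
    return float(ts), src, qname, qtype, int(qbytes), int(rbytes)

def classify_window(lines, baseline_qps, qps_factor=10.0,
                    amp_threshold=10.0, top_src_share=0.5):
    """Label one window of query logs 'normal', 'flood' or 'reflection'."""
    rows = [parse(l) for l in lines if l.strip()]
    if not rows:
        return {"verdict": "normal", "qps": 0.0}
    span = (max(r[0] for r in rows) - min(r[0] for r in rows)) or 1.0
    sources = Counter(r[1] for r in rows)
    stats = {
        "qps": len(rows) / span,
        "unique_sources": len(sources),
        # Share of queries claiming the single busiest source address.
        "top_source_share": sources.most_common(1)[0][1] / len(rows),
        # Bytes sent back per byte received across the window.
        "amplification": sum(r[5] for r in rows) / sum(r[4] for r in rows),
    }
    if (stats["amplification"] >= amp_threshold
            and stats["top_source_share"] >= top_src_share):
        # Large answers to small queries, all "from" one address: that
        # address is likely forged and belongs to the reflection victim.
        stats["verdict"] = "reflection"
    elif stats["qps"] >= qps_factor * baseline_qps:
        # Many sources, ordinary-sized answers, rate far above baseline.
        stats["verdict"] = "flood"
    else:
        stats["verdict"] = "normal"
    return stats

def make_window(n, src_for, qtype, qbytes, rbytes):
    """Build n constructed log lines spread over about one second."""
    return [f"{1000 + i / n:.4f} {src_for(i)} www.example.com {qtype} "
            f"{qbytes} {rbytes}" for i in range(n)]

# Constructed samples using documentation address ranges.
NORMAL = make_window(20, lambda i: f"198.51.100.{i % 15 + 1}", "A", 40, 56)
FLOOD = make_window(5000, lambda i: f"2001:db8::{i:x}", "A", 40, 56)
REFLECTION = make_window(200, lambda i: "203.0.113.9", "ANY", 40, 3000)

if __name__ == "__main__":
    for name, win in (("normal", NORMAL), ("flood", FLOOD),
                      ("reflection", REFLECTION)):
        print(name, classify_window(win, baseline_qps=20))
```

The rate test alone cannot separate a flood from a legitimate traffic surge, which is the difficulty the page describes; the reflection test is the more reliable of the two because ordinary clients rarely combine one source address with very large answers.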

DNS floods represent a change from traditional amplification-based attack methods. With easily accessible high bandwidth botnets, attackers can now target large organizations. Until compromised IoT devices can be updated or replaced, the only way to withstand these types of attacks is to use a very large and highly distributed DNS system that can monitor, absorb, and block the attack traffic in real time.

Cloudflare has an incredibly large network and infrastructure to stop really large attacks on the DNS system. Pairing security with bandwidth savings and fast global DNS response time makes Cloudflare the perfect partner for our business.
SAM KOTTLER
Platform Engineer at DigitalOcean

Layer 3 Name Server DDoS protection

Daily DDoS attack graph

In the first quarter of 2016, Cloudflare saw a 15x increase in individual DoS events.

DNS flood attacks can quickly saturate the capacity of a domain’s Domain Name System (DNS) servers resulting in service disruption for an organization. Cloudflare runs one of the largest authoritative DNS networks in the world. With Cloudflare, when a DNS flood attack targets your website, API, or web application, it will hit our global Anycast network of data centers and get mitigated without impacting the availability of your domain’s services.

Powering over 35% of managed DNS domains, Cloudflare runs one of the largest authoritative DNS networks in the world. Leveraging the significant capacity of our global network, Cloudflare has mitigated some of the largest distributed denial of service attacks in history. We also have the fastest global performance of any managed DNS provider, with an average query speed of a few milliseconds.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free: $0/month per website
For personal websites, blogs, and anyone who wants to explore Cloudflare.

The Free Plan includes all of these features:
  • Limited DDoS protection
  • Global CDN
  • Shared SSL certificate
  • 3 page rules

Pro: $20/month per website
For professional websites, blogs, and portfolios requiring basic security and performance.

The Pro Plan includes all of these features:
  • Basic web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • 20 page rules

Business: $200/month per website
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

The Business Plan includes all of these features:
  • Advanced DDoS protection
  • Advanced web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to Modern TLS Only mode and WAF
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized support
  • 50 page rules

Enterprise: contact us
For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

The Enterprise Plan includes all of these features:
  • 24/7/365 enterprise-grade phone and email support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Advanced DDoS protection with prioritized IP ranges
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to raw logs
  • Dedicated solution and customer success engineers
  • Access to China CDN points of presence (Additional Cost)
  • 100 page rules