A DNS flood is a type of distributed denial-of-service (DDoS) attack in which an attacker floods a particular domain's Domain Name System (DNS) servers in an attempt to disrupt DNS resolution for that domain. By disrupting DNS resolution, a DNS flood compromises the ability of a website, API, or web application to respond to legitimate traffic. DNS flood attacks can be difficult to distinguish from normal heavy traffic because the large volume of queries often comes from a multitude of unique sources and asks for real records on the domain, mimicking legitimate traffic.
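One way a defender can separate a distributed flood from a single-source burst in authoritative query logs, as an added example that is not part of the original page and not Cloudflare code: it assumes a simple space-separated log format and a previously measured baseline query rate for the zone, both constructed here. Because a distributed flood looks like many ordinary clients asking for real records, the check keys on the aggregate rate per second and only then asks whether one client dominates.

```python
from collections import Counter, defaultdict

# Constructed sample DNS query log lines (not real traffic); assumed format:
# "<epoch_second> <client_ip> <qname> <qtype>"
NORMAL_LINES = [
    "1700000000 203.0.113.5 www.example.com A",
    "1700000000 203.0.113.9 api.example.com A",
    "1700000001 198.51.100.7 www.example.com AAAA",
]
# Distributed flood: 600 queries in one second for a real record, spread over
# 200 distinct sources, so no single client looks abusive on its own.
FLOOD_LINES = [
    f"1700000002 203.0.113.{i % 200 + 1} www.example.com A" for i in range(600)
]
# Single-source burst: one client repeating the same query 100 times in a second.
SINGLE_SOURCE_LINES = ["1700000003 198.51.100.99 www.example.com A"] * 100

def parse_log(lines):
    """Return (second, client_ip, qname) tuples, skipping malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: ignore rather than crash the monitor
        records.append((int(parts[0]), parts[1], parts[2]))
    return records

def detect_flood(records, baseline_qps, multiplier=10, single_source_share=0.5):
    """Per-second verdict: 'normal', 'single-source flood' or 'distributed flood'.
    baseline_qps is the zone's usual rate (assumed measured elsewhere); a second
    is flagged above baseline_qps * multiplier, and is 'distributed' when no one
    client accounts for single_source_share of its queries."""
    per_second = defaultdict(list)
    for ts, ip, _qname in records:
        per_second[ts].append(ip)
    verdicts = {}
    for ts, ips in sorted(per_second.items()):
        total = len(ips)
        if total <= baseline_qps * multiplier:
            verdicts[ts] = "normal"
            continue
        top_share = Counter(ips).most_common(1)[0][1] / total
        if top_share >= single_source_share:
            verdicts[ts] = "single-source flood"
        else:
            verdicts[ts] = "distributed flood"
    return verdicts

if __name__ == "__main__":
    all_lines = NORMAL_LINES + FLOOD_LINES + SINGLE_SOURCE_LINES
    print(detect_flood(parse_log(all_lines), baseline_qps=5))
```

In practice the per-source share only guides the response (rate-limit one client versus absorb at the edge); the aggregate rate is what signals the flood.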
DNS-based attacks are on the rise, and DNS floods are only one of them. Reflection attacks, cache poisoning, TCP SYN floods, DNS tunneling, and DNS hijacking are also commonly used by attackers against a particular domain's Domain Name System to disrupt service for that domain.
DNS flood attacks constitute a relatively new type of DNS-based attack that has proliferated with the rise of high-bandwidth Internet of Things (IoT) botnets like Mirai. DNS flood attacks use the high-bandwidth connections of IP cameras, DVR boxes, and other IoT devices to directly overwhelm the DNS servers of major providers. The volume of requests from IoT devices saturates the DNS provider's connection and prevents legitimate users from reaching the provider's DNS servers. The function of the Domain Name System is to translate between easy-to-remember names (e.g. example.com) and hard-to-remember addresses of website servers (e.g. 192.168.0.1), so successfully attacking DNS infrastructure makes the Internet unusable for most people.
DNS flood attacks differ from DNS amplification attacks. Unlike DNS floods, DNS amplification attacks reflect and amplify traffic off unsecured DNS servers in order to hide the origin of the attack and increase its effectiveness. DNS amplification attacks use devices with smaller-bandwidth connections to make numerous requests to unsecured DNS servers. The devices make many small requests for very large DNS records, but when making the requests, the attacker forges the source address to be that of the intended victim, so the large responses are delivered to the victim. The amplification allows the attacker to take out larger targets with only limited attack resources.
DNS floods represent a change from traditional amplification-based attack methods. With easily accessible high-bandwidth botnets, attackers can now target large organizations directly. Until compromised IoT devices can be updated or replaced, the only way to withstand these attacks is to use a very large and highly distributed DNS system that can monitor, absorb, and block the attack traffic in real time.
In the first quarter of 2016, Cloudflare saw a 15x increase in individual DoS events.
DNS flood attacks can quickly saturate the capacity of a domain's Domain Name System (DNS) servers, resulting in service disruption for an organization. Cloudflare runs one of the largest authoritative DNS networks in the world. With Cloudflare, when a DNS flood attack targets your website, API, or web application, it hits our global Anycast network of data centers and is mitigated without impacting the availability of your domain's services.
Leveraging the significant capacity of our global network, Cloudflare has mitigated some of the largest distributed denial-of-service attacks in history. We also have the fastest global performance of any managed DNS provider, with an average query response time of a few milliseconds.