You're a network administrator going about your regular business. Suddenly, you see a huge spike in inbound traffic to your website, your application or your web service. You immediately shift resources around to handle the changing pattern, using automated traffic steering to shed load away from overburdened servers. After the immediate danger has passed, your boss asks: what just happened?
Is it really a DDoS attack?
It's tempting to raise a false alarm in these situations. Distributed denial of service (DDoS) attacks are an increasingly common problem, with both the number and scale of attacks rising significantly every year. Plenty of network administrators will say "must have been a DDoS attack of some kind" when there's a notable increase in traffic, even when they have no direct evidence to support the claim.
Proving or disproving that a DDoS attack occurred can be a thorny problem for network administrators and even security teams.
If you're using a basic pre-packaged registrar Domain Name System (DNS) offering, you probably don't have access to DNS traffic data at all. If you're using a premium DNS service, the data might be there. Most authoritative DNS providers have some kind of observability option. At the same time, getting it in the right format (raw logs, SIEM integration, pre-built analysis) and at the right level of granularity may be a challenge.
What's actually causing DNS traffic spikes
We analyze a lot of DNS traffic records with IBM® NS1 Connect® DNS Insights, an optional add-on to IBM NS1 Connect Managed DNS.
DNS Insights captures a wide range of data points directly from NS1 Connect's global infrastructure, which we then make available to customers through pre-built dashboards and targeted data feeds.
As we review these data sets with customers, we have found that relatively few of the spikes in overall traffic or in error-related responses like NXDOMAIN, SERVFAIL or REFUSED are related to DDoS attack activity. Most spikes in traffic are instead caused by misconfiguration. Typically, you'll see error codes resulting from around 2-5% of total DNS queries. However, in some extreme cases, we've seen situations where over 60% of a company's traffic volume results in an NXDOMAIN response.
Here are a few examples of what we've seen and heard from DNS Insights users:
"We're being DDoS-ed by our own equipment"
A company with over 90,000 remote workers was experiencing an extraordinarily high percentage of NXDOMAIN responses. This was a long-standing pattern, but one shrouded in mystery because the network team lacked sufficient data to identify the root cause.
Once they delved into the data collected by DNS Insights, it became clear that the NXDOMAIN responses were coming from the company's own Active Directory zones. The geographic pattern of DNS queries provided further evidence: the company's "follow the sun" operating model was replicated in the pattern of NXDOMAIN responses.
At a basic level, these misconfigurations were impacting network performance and capacity. Digging further into the data, they found a more serious security issue as well: Active Directory records were being exposed to the internet through attempted Dynamic DNS updates. DNS Insights provided the missing link the network team needed to correct these entries and plug a serious hole in their network defenses.
"I've been wanting to look into these theories for years"
A company that had acquired a number of domains and web properties over time through M&A activity routinely saw notable increases in NXDOMAIN traffic. They assumed that these were dictionary attacks against moribund domains, but the limited data they had access to could neither confirm nor deny that this was the case.
With DNS Insights, the company finally pulled back the curtain on the DNS traffic patterns that produced such anomalous results. They discovered that some of the redirects they'd put in place for purchased web properties weren't configured correctly, resulting in misdirected traffic and even the exposure of some internal zone records.
By looking at the source of NXDOMAIN traffic in DNS Insights, the company was also able to identify a Columbia University computer science course as the source of elevated traffic to some legacy domains. What might have appeared to be a DDoS attack was a group of students and professors probing a domain as part of a standard exercise.
"Which IP has been causing these high QPS records?"
A company experienced periodic spikes in query traffic but couldn't identify the root cause. They assumed it was a DDoS attack of some kind but had no data to support their theory.
Looking at the data in DNS Insights, it turned out that internal domains, not external actors, were behind these bursts of increased query volume. A misconfiguration was routing internal users to domains intended for external customers.
Using the data captured by DNS Insights, the team was able to rule out DDoS attacks as the cause and address the actual problem by correcting the internal routing issue.
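As an added illustration (not code from this article or from DNS Insights), the script below applies the triage approach the case studies describe to a constructed DNS query log: it measures the share of error responses against the 2-5% baseline given above and breaks NXDOMAIN traffic down by internal versus external source and by zone, which is what separates a misconfiguration (internal clients hammering an Active Directory zone) from a genuine flood. The log format, the internal address ranges and the sample records are all assumptions.

```python
"""Triage a DNS query log: error-response share and where NXDOMAINs come from.
Constructed log format (not NS1 DNS Insights output):
"<unix_ts> <client_ip> <qname> <qtype> <rcode>", one query per line."""
from collections import Counter
from ipaddress import ip_address, ip_network

ERROR_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}
BASELINE_ERROR_SHARE = 0.05  # top of the 2-5% range the article calls typical
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed

# Constructed burst: most NXDOMAINs are internal clients asking for Active
# Directory SRV records, the pattern the first case study describes.
SAMPLE_LOG = """\
1700000000 10.1.4.20 _ldap._tcp.dc._msdcs.corp.example.com SRV NXDOMAIN
1700000001 10.1.4.21 _kerberos._tcp.corp.example.com SRV NXDOMAIN
1700000002 203.0.113.7 www.example.com A NOERROR
1700000003 10.2.8.5 _gc._tcp.corp.example.com SRV NXDOMAIN
1700000004 198.51.100.9 mail.example.com MX NOERROR
1700000005 198.51.100.44 legacy-brand.example A NXDOMAIN
1700000006 10.1.4.22 _ldap._tcp.corp.example.com SRV NXDOMAIN
1700000007 203.0.113.8 www.example.com AAAA NOERROR
"""

def parse_log(text):
    """Yield (client_ip, qname, rcode); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield parts[1], parts[2].lower().rstrip("."), parts[4].upper()

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)
def zone_of(qname, labels=3):
    """Collapse a name to its last `labels` labels, e.g. corp.example.com."""
    return ".".join(qname.split(".")[-labels:])

def triage(text):
    """Error share against the baseline plus NXDOMAIN breakdown by origin and zone."""
    records = list(parse_log(text))
    total = len(records)
    errors = sum(1 for _, _, rc in records if rc in ERROR_RCODES)
    nx = [(c, q) for c, q, rc in records if rc == "NXDOMAIN"]
    share = errors / total if total else 0.0
    origin = Counter("internal" if is_internal(c) else "external" for c, _ in nx)
    return {
        "total": total,
        "error_share": share,
        "above_baseline": share > BASELINE_ERROR_SHARE,
        "nxdomain_by_origin": dict(origin),
        "nxdomain_by_zone": dict(Counter(zone_of(q) for _, q in nx)),
    }
```

On the sample burst the error share is well above the baseline, but the breakdown shows four of the five NXDOMAINs coming from internal clients querying one internal zone, which points at misconfiguration rather than an attack.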
DNS data identifies root causes
In all of these cases, the heightened query traffic that network teams initially attributed to a DDoS attack turned out to be a misconfiguration or an internal routing error. Only after looking deeper into DNS data were the network teams able to pinpoint the root cause of perplexing traffic patterns and anomalous activity.
At NS1, we've always known that DNS is a critical lever that helps network teams improve performance, add resilience and lower operating costs. The granular, detailed data that comes from DNS Insights is a valuable guide that connects the dots between traffic patterns and root causes. Plenty of companies provide raw DNS logs, but NS1 is taking it a step further. DNS Insights processes and analyzes the data for you, reducing the time and effort needed to troubleshoot your network.
Learn more about the data contained in DNS Insights