
Digging Deep Into DNS Data Discloses Damaging Domains

A terabyte-scale stream of anonymized DNS data, collected every day from resolvers around the world, reveals a lot of interesting things. Nominum researchers have developed algorithms to sort through trillions of transactions and find the usually tiny fraction that aren't legitimate. Some are queries used to control malware, some are used to send spam, and most recently a growing share are for DDoS.

A recent trend we're seeing is attackers sending carefully crafted queries that target a small set of domains each day. By constantly changing the leftmost subdomain label they turn every query into a cache miss: the resolver cannot answer from cache, so it has to recurse to the domain's authoritative servers, which then have to answer (or fail to answer) each one. Traffic for the target domains goes from modest to spikes of hundreds of millions of queries per day over a couple of days. Just like DNS amplification, these attacks are designed to use open DNS proxies in home gateways, an issue we have covered extensively. There are still more than 20 million of them across the Internet, and amazingly our data shows new ones appearing in some networks.

Initially the domains used for these attacks belonged to lightly trafficked gaming sites in China. Most are modest ventures, so their authoritative servers are easily overwhelmed, which effectively takes the sites offline. More popular sites (Alexa 1000, including some in the Top Ten) are also being attacked, and a couple of popular pro-democracy news sites have been taken down.

Remediation tactics have to change when popular web sites are involved. Even though the overwhelming majority of queries are malicious, it is not acceptable to block good traffic. Coarse-grained filters that block all traffic for a domain just won't work; the collateral damage is too high. What is needed is a robust policy framework, dynamic threat lists to block the malicious queries, and whitelists to protect the good traffic.
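The two ideas above, the random-subdomain flood and a remediation that blocks the bad labels without blocking the domain, as an added example. This is not Nominum's code nor anything from the original post; the log format ("epoch client qname qtype rcode"), the sample lines, the zone names and the tuning constants are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query-log sample (not real data): ordinary traffic for two
# zones plus a burst of random leftmost labels aimed at example-game.cn, the shape
# of attack described in the post. Format is an assumed "epoch client qname qtype rcode".
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example-game.cn A NOERROR
1700000000 10.0.0.7 api.example-game.cn A NOERROR
1700000001 10.0.0.9 x7k2m9q4.example-game.cn A SERVFAIL
1700000001 10.0.0.9 p0a3zt81.example-game.cn A SERVFAIL
1700000001 10.0.0.12 qw9e4r7t.example-game.cn A SERVFAIL
1700000002 10.0.0.12 lk3j5h8g.example-game.cn A SERVFAIL
1700000002 10.0.0.14 zx2c4v6b.example-game.cn A SERVFAIL
1700000002 10.0.0.14 mn1b8v5c.example-game.cn A SERVFAIL
1700000003 10.0.0.5 www.example-game.cn A NOERROR
1700000003 10.0.0.20 www.news-site.example A NOERROR
1700000003 10.0.0.21 mail.news-site.example MX NOERROR
1700000004 10.0.0.22 www.news-site.example A NOERROR
"""

MIN_DISTINCT_LABELS = 5   # assumed tuning value: distinct leftmost labels per zone in the window
SUSPICIOUS_RATIO = 0.6    # assumed tuning value: share of distinct labels that look random
ENTROPY_THRESHOLD = 2.5   # bits per character; an 8-char label of 8 distinct chars scores 3.0
STATIC_ALLOWLIST = {"www", "mail", "api", "ns1", "ns2", "mx"}  # assumed known-good labels

def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, rcode = parts
    return {"ts": int(ts), "client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype, "rcode": rcode}

def split_name(qname):
    """Return (leftmost_label, zone). Zone is taken as the last two labels for
    simplicity; a real deployment would use the Public Suffix List (e.g. for foo.co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])

def shannon_entropy(s):
    """Bits per character of a label; 0.0 for a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(label):
    """Generated labels mix letters and digits and have high per-character entropy."""
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    return has_digit and has_alpha and shannon_entropy(label) >= ENTROPY_THRESHOLD

def analyze(log_text):
    """Per-zone statistics plus a dynamic policy: which zones are under a
    random-subdomain flood and which labels in them are known good (static list
    plus any label that actually resolved with NOERROR in the window)."""
    labels_by_zone, noerror_labels = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label, zone = split_name(rec["qname"])
        if label is None:
            continue
        labels_by_zone[zone].add(label)
        if rec["rcode"] == "NOERROR":
            noerror_labels[zone].add(label)
    policy = {}
    for zone, labels in labels_by_zone.items():
        suspicious = {l for l in labels if looks_random(l)}
        flagged = (len(labels) >= MIN_DISTINCT_LABELS
                   and len(suspicious) / len(labels) >= SUSPICIOUS_RATIO)
        policy[zone] = {"flagged": flagged, "distinct": len(labels),
                        "suspicious": len(suspicious),
                        "allow": STATIC_ALLOWLIST | noerror_labels[zone]}
    return policy

def decide(qname, policy):
    """Per-query decision. Only a random-looking, non-allowlisted label in a flagged
    zone is blocked; an unflagged zone, an allowlisted label, or an unseen but
    ordinary-looking label (e.g. blog.example-game.cn) is still allowed."""
    label, zone = split_name(qname)
    entry = policy.get(zone)
    if entry is None or not entry["flagged"] or label is None:
        return "allow"
    if label in entry["allow"]:
        return "allow"
    return "block" if looks_random(label) else "allow"

def evaluate(log_text, policy):
    """Replay the log through decide() and count, for each flagged zone, how many
    queries the label-level policy blocks versus allows. A coarse per-domain block
    would have dropped every one of the 'queries' counted here."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, zone = split_name(rec["qname"])
        if not policy.get(zone, {}).get("flagged"):
            continue
        stats = out.setdefault(zone, {"queries": 0, "blocked": 0, "allowed": 0})
        stats["queries"] += 1
        stats["blocked" if decide(rec["qname"], policy) == "block" else "allowed"] += 1
    return out

if __name__ == "__main__":
    pol = analyze(SAMPLE_LOG)
    for zone, entry in pol.items():
        print(zone, "flagged" if entry["flagged"] else "clean",
              f'{entry["suspicious"]}/{entry["distinct"]} random labels')
    print(evaluate(SAMPLE_LOG, pol))
```

The entropy check alone is a weak signal (a legitimate "cdn-edge-07" style label can score high), which is why the zone is only flagged when the count and share of random-looking labels both cross a threshold, and why the allowlist is consulted before the per-label test; in production the window, thresholds and allowlist would be tuned per zone rather than hard-coded.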

After months of watching this activity, one thing that remains unclear is motive. Who gains by generating massive amounts of DNS traffic to take down what have mostly been small web sites? What generates concern is what comes next. Is someone methodically assessing the DNS infrastructure in preparation for a much larger-scale attack? Given the number of open DNS proxies, scaling these attacks is simple, and changing the target domains to more popular web destinations is trivial. So what's next? It is probably prudent to prioritize protection.


About Nominum – Nominum is the innovation leader in DNS software and Internet Activity Applications. The company's Vantio™ CacheServe software powers the Internet for the world's largest CSPs in 40 countries. Vantio™ ThreatAvert software arms CSPs with the power to stop the spread of inside threats such as botnets and DNS-based DDoS amplification attacks that could impact network availability and reputation. Nominum's N2 applications enable CSPs' marketing and customer care teams to leverage subscribers' Internet Activity to better engage, build brand loyalty, improve marketing ROI, and open up new business models. Nominum is a global organization headquartered in Redwood City, CA.
