FortiGuard Labs Threat Research

Patented Firmware Repels Large-Scale DDoS attacks on DNS Services

By Hemant Jain | March 30, 2016

DNS-Related DDoS Attacks Are on the Rise

Domain Name System (DNS)-related distributed denial of service (DDoS) attacks are on the rise because hacktivists and cyberterrorists are finding it easy to use botnets to stage large volumetric DDoS attacks, including DNS query reflection and amplification, that overwhelm servers.

When these attacks succeed, Internet services are not available—as we saw on New Year’s Eve 2015, when a large-scale DDoS attack occurred. Whether the target is an enterprise, organization, or hosted services provider, a DDoS attack frustrates users and customers, and often results in lost revenue and brand equity. Plus, during the chaos of DDoS attacks, hackers can easily capture users’ credentials, credit card info, and passwords for illicit use.

Because Fortinet works with our customers and partners to constantly test environments for DDoS mitigation, we realize that standard protections against DDoS attacks—such as firewalls, intrusion prevention systems, DDoS services, and dedicated appliances—are not keeping pace with the sophistication of DDoS attacks, and at the same time can significantly hinder performance. To address this challenge, we have developed advanced DDoS mitigation technology so our appliances can repel large-scale DDoS attacks on DNS services.  

Blocking Volumetric Reflection, Amplification, and Anomaly Attacks on DNS

While our competitors have taken a software-centric approach to mitigating DNS-related DDoS attacks, our FortiDDoS appliances are specifically designed to protect our customers’ DNS servers, while providing the high-performance protection that only Fortinet can deliver. Fortinet FortiDDoS appliances use new, patented hardware logic to block volumetric reflection, amplification, and anomaly attacks on DNS infrastructure. That logic provides stateful filtering, granular behavioral thresholds, and a high-capacity, high-performance, low-latency cache to help prevent DNS servers from becoming overloaded under attack.

Service Provider Improves Availability and Protection for 75,000+ Hosted Domains

ROMARG is the leading web hosting and domain registration services provider in Romania, offering shared hosting and dedicated hosting for clients in Romania, Europe, and the United States. The hosted service provider is constantly under DDoS attacks, which can last for hours or days, and range in size from 100 Mbps to more than 10 Gbps. ROMARG relies on Fortinet appliances to protect its cloud infrastructure.

CEO Radu Tofan explains, “With the help of FortiDDoS we can protect more than 75,000 hosted domains against DDoS attacks with a minimum impact on the provided services. With the new added functionality for mitigating DNS attacks, we can improve our anti-DDoS protection and offer improved availability for the hosted services we provide to our customers.”

Fortinet Ups the Ante on DDoS Attack Mitigation for DNS Services with New Firmware

Fortinet FortiDDoS appliances are engineered to mitigate network layer DDoS attacks, transport layer DDoS attacks, and application layer DDoS attacks for the HTTP protocol. With our new firmware, these appliances also mitigate DDoS attacks on DNS services. The new firmware’s patented features include:

  • High-performance DNS cache: the appliance provides a hardware logic-based DNS cache that can respond on behalf of the server at high speed under flood.
  • DNS query/response matching: avoids DNS reflection attacks (from botnets via millions of available open DNS resolvers). Only responses with a corresponding previously seen query are allowed through the appliance.
  • Legitimate queries storage: avoids phantom domain and random subdomain DNS DDoS attacks. Only queries that were seen during normal operation are given preference during a DNS query flood.
  • Rate anomalies: granular thresholds for DNS-specific parameters allow the appliance to learn behavioral thresholds and use them to detect anomalies and mitigate attacks.
  • Access control lists (ACLs): network and security admins can block unwanted traffic with DNS protocol-specific ACLs that don’t impede appliance performance.
  • Header anomaly filtering: dropping packets with anomalous DNS protocol headers stops scripted attacks at a high rate.
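The query/response matching and legitimate-queries preference above can be sketched in software to show the state each decision needs. The following is an added example written for this post, not FortiDDoS firmware or Fortinet code: the DNS message layout follows RFC 1035, while the filter class, the `under_flood` flag and the sample packets are constructed and simplified assumptions.

```python
import struct

def parse_dns(pkt: bytes):
    """Return (txid, is_response, qname) from an RFC 1035 message with one question."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:                # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + ln].decode("ascii").lower())
        pos += ln
    return txid, bool(flags & 0x8000), ".".join(labels)

class DnsFloodFilter:
    """Constructed model of stateful query/response matching plus a learned-name baseline."""
    def __init__(self):
        self.pending = set()    # (client, server, txid, qname) tuples seen as outbound queries
        self.baseline = set()   # qnames observed during normal (non-flood) operation

    def on_query(self, client, server, pkt, under_flood=False):
        txid, qr, qname = parse_dns(pkt)
        if qr:
            return False        # a "query" with QR=1 is a header anomaly: drop
        if under_flood and qname not in self.baseline:
            return False        # random-subdomain flood: never-seen name gets no preference
        if not under_flood:
            self.baseline.add(qname)
        self.pending.add((client, server, txid, qname))
        return True

    def on_response(self, client, server, pkt):
        txid, qr, qname = parse_dns(pkt)
        key = (client, server, txid, qname)
        if not qr or key not in self.pending:
            return False        # no matching query was seen: reflected/unsolicited, drop
        self.pending.discard(key)
        return True

def build(txid, qname, response=False):  # constructed minimal message with one A question
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
```

A real appliance keys state per flow and ages it out; the set-based state here is only to make the accept/drop logic visible.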

FortiDDoS appliances use 100% hardware-based DDoS protection, with up to 6x FortiASIC-TP2 transaction processors. Models offer throughputs up to 36 Gbps with connectivity options including 10 GE SFP+ Ethernet and bypass ports. The appliances are designed to handle from 1 M to 12 M DNS queries per second under attack, depending on the model.

When combined with the FortiDDoS appliances’ powerful features, such as Service Protection Profile (SPP), Internet Reputation Service, and support for BCP-38 using hardware ACLs, these new features up the ante for DDoS attack mitigation for DNS Services. Advanced DDoS protection for DNS Services is available for FortiDDoS 200B, 400B, 800B, 1000B, 1200B and 2000B appliances.

Is Your Data Center Ready for Today’s DDoS Attacks?

The evolving nature of DDoS attack technologies requires organizations to have greater foresight and more proactive defenses for network and application-level services. ISP DDoS protections aren’t enough against attacks on DNS services, which require an additional level of DDoS security. Download the white paper to see if your data center is ready for today’s DDoS threats. You’ll learn about DDoS attack types, protection methods, and how to test your detection and mitigation defenses.