Lumen Operational Advisory: Anatomy of a DNS Water Torture Attack
Lumen has seen a significant increase over the last few months in attackers leveraging the DNS Water Torture Attack, a form of distributed denial of service (DDoS) attack. Here’s what you need to know about these attacks – what they look like, how they function, and how they can be mitigated.
What is a DNS Water Torture Attack?
A DNS Water Torture attack prepends pseudo-random alphanumeric labels to valid DNS domain names and queries the results. Because these names are a) not held in any resolver cache, and b) not legitimate DNS hostnames, every query is forwarded to the authoritative DNS server for the domain (zone).
Such a malicious query might look like “afasdfasfasd.company.com”, where company.com is a legitimate domain name hosted on the victim’s DNS server. In some cases, attackers with knowledge of a customer’s DNS naming conventions have been known to use pseudo-random characters that are similar to valid host names, leading a customer to initially think the queries are valid.
The authoritative DNS server sends NXDOMAIN (non-existent domain) responses to the sources of the malicious queries. Because DNS queries are small, the attack traffic is fairly modest in bandwidth but can be significant in packet rate, reaching in some cases upwards of 4 million packets (queries) per second, though more typically between 50,000 and 300,000 packets (queries) per second.
The purpose of this type of attack is to overwhelm the resources of the authoritative DNS server, preventing it from responding to valid DNS queries. The victim’s internet bandwidth will not be saturated, but external clients may not be able to resolve the victim’s public domains, depending on whether resolvers already have the names cached and for how long those cached records remain valid. If the authoritative DNS server also functions as the resolver for internal queries, internal clients also lose the ability to resolve public domains once the server is overwhelmed by the attack.
Who is Vulnerable?
Customers hosting their own public/external DNS infrastructure that responds to DNS queries for their valid domains are potentially vulnerable to DNS Water Torture Attacks. If the same public DNS infrastructure also doubles as a public resolver for internal queries then the risk is effectively doubled.
How can DNS Water Torture attacks be mitigated?
There are a number of ways in which DNS Water Torture attacks can be mitigated, or their impact reduced:
- Leverage a distributed DNS architecture which can absorb the large volume of attack traffic by spreading the attack across multiple resources.
- The Lumen DDoS Mitigation platform can successfully mitigate DNS Water Torture attacks. This requires customers to provide Lumen with a complete copy of all DNS zones. Lumen uses the complete list of zones to build a list of valid FQDNs (fully qualified domain names), and discards any queries that do not match the list.
a. Note: Customers must have Lumen® DDoS Mitigation Service for Lumen to mitigate attacks.
b. Depending on the number of DNS zones, Lumen can configure automated import of zones, but this requires the customer to allow DNS zone transfers from Lumen.
- A best practice is to not use the same DNS infrastructure for responding to public queries and for resolving external domains for internal clients. While this practice does not mitigate DNS Water Torture Attacks, it serves as a risk mitigation technique for internal clients, allowing them to continue to resolve external domains during the attack.
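As an added illustration of the zone-based allowlist approach described above (example code written for this advisory, not Lumen’s mitigation logic), the following builds a set of valid names from zone records and then scores query-log sources by how many of their queries fall outside the zone. The zone records, the log lines and the "client qname qtype" log format are constructed assumptions; the wildcard handling is deliberately simplified.

```python
# Added example: allowlist of valid names from zone data, plus a per-source
# check. Zone records, log lines and the log format are constructed.
from collections import Counter

ZONE_RECORDS = ["example.com.", "www.example.com.", "mail.example.com.",
                "*.apps.example.com."]  # wildcard: any one label under apps

def normalize(name):
    """Lower-case and drop the trailing dot so lookups are case-insensitive."""
    return name.lower().rstrip(".")

def build_allowlist(records):
    """Split zone names into exact names and wildcard parent suffixes."""
    exact, wildcards = set(), set()
    for rec in records:
        name = normalize(rec)
        if name.startswith("*."):
            wildcards.add(name[2:])
        else:
            exact.add(name)
    return exact, wildcards

def is_valid(qname, allowlist):
    """True if qname is an exact zone name or one label under a wildcard
    (simplified: real wildcard semantics also depend on closer matches)."""
    exact, wildcards = allowlist
    name = normalize(qname)
    if name in exact:
        return True
    return name.partition(".")[2] in wildcards  # text after the first label

def flag_sources(log_lines, allowlist, min_queries=3, max_invalid_ratio=0.7):
    """Return clients whose queries are mostly for names not in the zone.
    A source sending almost only non-existent names at volume matches the
    water-torture pattern; legitimate clients mostly ask for real names."""
    total, invalid = Counter(), Counter()
    for line in log_lines:
        client, qname, _qtype = line.split()
        total[client] += 1
        if not is_valid(qname, allowlist):
            invalid[client] += 1
    return {c for c in total if total[c] >= min_queries
            and invalid[c] / total[c] >= max_invalid_ratio}

SAMPLE_LOG = [  # constructed query log, one query per line
    "203.0.113.5 afasdfasfasd.example.com A",
    "203.0.113.5 qzkt8x1.example.com A",
    "203.0.113.5 m3n9p.example.com AAAA",
    "203.0.113.5 www.example.com A",
    "198.51.100.7 WWW.EXAMPLE.COM. A",
    "198.51.100.7 ci.apps.example.com A",
    "198.51.100.7 typo.example.com A",
]
```

Running `flag_sources(SAMPLE_LOG, build_allowlist(ZONE_RECORDS))` flags only 203.0.113.5; the second client’s single typo does not push it over the ratio, which is the point of scoring per source rather than per query.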
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.