A significant problem facing the Internet community is that online businesses and organizations are vulnerable to malicious attacks. Cyber-attacks have been executed using a wide arsenal of attack techniques and tools targeting both the information maintained by online businesses and their IT infrastructures. Cyber-attacks typically aim to steal data, disable applications or services, or damage the online assets of organizations. A domain name system (DNS)-based distributed denial-of-service (DDoS) attack, for example, can damage the network infrastructure and disable applications, services, and websites.
One method of executing DNS-based DDoS attacks is by exploiting recursive DNS resolvers to send a query flood to authoritative DNS servers. Such attacks are collectively referred to as a recursive random subdomain attack. Execution of such an attack is described herein with respect to FIG. 1. A recursive random subdomain attack can also target the recursive resolver itself by consuming CPU resources and denying service to legitimate customers.
A recursive DNS resolver 110 is deployed between a client device 120 and a plurality of authoritative DNS name servers 130-1 through 130-n. The client device 120 sends a recursive query to the DNS resolver 110 including a query name. The DNS resolver 110 returns an IP address corresponding to the query name. A query name typically includes one or more labels delimited by periods that are translated from right (“top level domain”) to left (“sub domain”). For example, in a fully qualified domain name (FQDN) of “www.example.com.”, the root level is represented by the ‘.’, top level domain is “.com”, the domain is “example.com”, and the sub domain is “www”.
An authoritative DNS name server 130 answers only queries for the zone (a domain name space) for which it is responsible, so that it can respond quickly to resolver queries. An authoritative name server 130 does not respond to recursive queries and does not cache query results.
To resolve an FQDN, the DNS recursive server (also referred to as a DNS recursive resolver) 110 first checks if an IP address for the domain name is saved in its cache. If so, the IP address is returned in a query response. If the query cannot be resolved based on the cached information, the DNS recursive resolver 110 queries a root DNS server (e.g., the name server 130-1).
If the root name server 130-1 is authoritative for the top-level domain (e.g., “.com”), the server 130-1 refers the resolver to the next authoritative DNS name server for the domain (e.g., “example.com”). The name server (e.g., the name server 130-2) delegated by the root name server 130-1 refers the query to yet another DNS server (e.g., the name server 130-n) that is authoritative for the next sub domain level (e.g., “s1.example.com”). This trail of referrals continues until the FQDN is resolved. Thus, queries are often forwarded to multiple authoritative DNS name servers 130. The recursive resolver continues until the name server in charge of the domain (e.g., “www.s1.example.com”) returns the IP address to the recursive resolver, which forwards it to the original requester.
The full domain name can also be resolved by querying only one authoritative DNS server, as the DNS recursive resolver 110 has knowledge about such a name server. A domain name fully resolved by one of the name servers 130-1 through 130-n is cached at the DNS resolver 110 and returned as a query response to the client 120.
If the root name server 130-1 is not authoritative for that particular top-level domain name, the root name server 130-1 refers the query to other authoritative DNS name servers 130 that may be able to resolve the query.
DNS queries and responses are transmitted using the user datagram protocol (UDP) and, thus, such transmissions are vulnerable to various forms of malicious activity. A recursive DNS attack targets the recursive DNS resolver 110 to achieve denial of service for legitimate users of the same resolution service. To this end, during a recursive DNS attack, the attacker generates multiple DNS queries using forged and random full or sub domain names. The recursive DNS resolver 110 triggers the resolution process discussed above to resolve these queries, as most likely the responses are not cached. Handling a large volume of recursive DNS queries overloads the DNS resolver 110. Furthermore, a crafted recursive random subdomain attack can also flood a specific target domain.
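The referral chain of FIG. 1 and the reason random subdomains defeat the resolver cache can be seen in a small model. The following is an added example, not code from the page or from any real resolver: it models a recursive resolver with a cache in front of a constructed delegation tree (server names "root", "tld-com", "ns-example", "ns-s1" and the 192.0.2.0/24 addresses are all made up), follows NS referrals until an A record or NXDOMAIN is reached, and counts how many queries each authoritative server receives for a repeated legitimate name versus a set of never-repeating subdomain names under "s1.example.com.".

```python
"""Toy model of iterative DNS resolution with referrals and a resolver cache.

Added example; not code from the page or from any real resolver.
All zones, server names and addresses are constructed for the demo.
"""
from collections import Counter

# Constructed delegation data: each authoritative server knows one zone.
# A zone maps a name either to an address ("A" record) or to a referral
# ("NS" record) naming the server that is authoritative one level down.
AUTHORITATIVE = {
    "root": {"com.": ("NS", "tld-com")},
    "tld-com": {"example.com.": ("NS", "ns-example")},
    "ns-example": {
        "s1.example.com.": ("NS", "ns-s1"),
        "www.example.com.": ("A", "192.0.2.10"),
    },
    "ns-s1": {"www.s1.example.com.": ("A", "192.0.2.20")},
}

MAX_REFERRALS = 16  # guard against a delegation loop in bad data


def labels_right_to_left(fqdn):
    """Split 'www.s1.example.com.' into its suffixes, root side first:
    ['com.', 'example.com.', 's1.example.com.', 'www.s1.example.com.']"""
    parts = fqdn.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


class RecursiveResolver:
    def __init__(self):
        self.cache = {}                     # qname -> address (or None)
        self.upstream_queries = Counter()   # queries sent per authoritative server

    def _ask(self, server, qname):
        """One query to an authoritative server; it answers only for names
        it holds in its zone, most specific suffix first."""
        self.upstream_queries[server] += 1
        zone = AUTHORITATIVE[server]
        for suffix in reversed(labels_right_to_left(qname)):
            if suffix in zone:
                return zone[suffix]
        return ("NXDOMAIN", None)

    def resolve(self, qname):
        if qname in self.cache:             # cache hit: no upstream traffic
            return self.cache[qname]
        server = "root"
        for _ in range(MAX_REFERRALS):
            rtype, value = self._ask(server, qname)
            if rtype == "A":
                self.cache[qname] = value
                return value
            if rtype == "NS":
                server = value              # follow the referral
                continue
            self.cache[qname] = None        # negative answer, cached too
            return None
        raise RuntimeError("referral loop for %s" % qname)


def upstream_load(queries):
    """Resolve a list of names through one resolver and return the number
    of queries each authoritative server had to answer."""
    resolver = RecursiveResolver()
    for q in queries:
        resolver.resolve(q)
    return dict(resolver.upstream_queries)


if __name__ == "__main__":
    repeated = ["www.s1.example.com."] * 5
    # constructed never-repeating labels under the same zone
    fresh = ["r%d.s1.example.com." % i for i in range(5)]
    print("repeated name:", upstream_load(repeated))   # one chain, then cache hits
    print("fresh labels: ", upstream_load(fresh))      # a full chain per query
```

With the repeated name every server is asked once and the remaining four lookups are served from the cache; with five fresh labels every server, including the one for the targeted zone "s1.example.com.", is asked five times, which is the cache-bypass and per-domain load the passage describes.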
Existing cyber-security solutions are not effective or efficient in detecting recursive DNS attacks. Typically, such solutions are designed to block recursive DNS queries using a black list. A black list includes domain names known to be invalid or forged. However, a black list is not comprehensive, and a malicious query to resolve a domain name not designated in the list may be processed by the DNS resolver 110. Thus, black lists can be easily circumvented by attackers to execute a recursive DNS attack.
Another existing technique for detecting DNS-based DDoS attacks is identifying deviations from a normal rate of incoming requests to the DNS resolver 110. Such a technique may be efficient for detecting flood type behavior (a high number of resolver queries in a short time interval), but is not efficient for detecting recursive DNS attacks, which are not characterized by flood behavior.
In most cases, a recursive random subdomain attack requires manual intervention during the attack in order to accurately distinguish between attack “bad” queries and legitimate “good” queries. There are stateless flood-proof methods that can automatically and accurately filter only “good” queries in a random subdomain DNS attack.
Therefore, it would be advantageous to provide an efficient solution that would cure the deficiencies of existing security solutions.