Computers and computer networks are routinely subjected to increasingly complex and problematic cyber-attacks from malicious actors. Denial-of-service (DoS) attacks, for example, attempt to disrupt the operation of a computer or other network resource by overwhelming it with superfluous requests, thereby attempting to prevent legitimate requests from being handled. One type of DoS attack is a distributed denial-of-service (DDoS) attack, which relies on numerous networked computers (often compromised machines that participate in an attack without the knowledge of their owners) to issue superfluous requests from numerous sender addresses. Because the superfluous requests do not originate from the same sender address, a DDoS attack is generally more difficult to counter than a DoS attack originating from one machine, since the latter can generally be countered by blocking all network traffic from that single machine while continuing to handle traffic from other, presumably legitimate, machines.
Some DDoS attacks are directed against the Domain Name Service (DNS), which is a distributed directory service that maps computers and other network resources to specific addresses and enables such resources to be accessed via domain names rather than the specific addresses associated with those resources. Domain names generally take the form of strings of alphanumeric characters separated by periods, e.g., “us.ibm.com,” with the string “com” referring to a top level domain, the string “ibm” referring to a domain, and the string “us” referring to a sub-domain of the “ibm” domain. DNS systems generally handle DNS requests by returning either DNS entries corresponding to requested domain names or invalid responses that occur whenever a lookup of a requested domain name fails to locate a matching DNS entry.
DNS systems may be both hierarchical and decentralized in nature, such that an individual DNS server will either respond to a DNS request by returning a DNS entry that matches the request, if such a match can be found, or pass the request on to a higher order DNS server to attempt to find a matching DNS entry. Higher order DNS servers may be designated root and/or authoritative DNS servers, with root DNS servers handling top level domains such as “com,” “edu,” “gov,” etc., and with authoritative DNS servers generally handling all of the sub-domains for one or more particular domains. Authoritative DNS servers are tasked with maintaining an accurate set of mappings for all of the sub-domains of their respective domains, so that whenever an authoritative DNS server is unable to find a matching DNS entry for a particular DNS request, it can be assumed that no such entry exists. Lower level DNS servers, in contrast, may be referred to as recursive DNS servers, as these DNS servers generally maintain a cache of DNS entries obtained from authoritative DNS servers, and whenever they are unable to service a DNS request from that cache, they pass the DNS request along to a higher order server for processing.
The hierarchical nature of a DNS system, however, has been exploited by some DDoS attacks to overwhelm authoritative DNS servers. In such attacks, several attacking machines typically issue DNS requests for numerous random, non-existent sub-domains of a particular domain. The requests are then passed up through the DNS hierarchy from DNS server to DNS server until an authoritative DNS server is reached, at which point the request is rejected and an invalid response is returned back through the hierarchy to the requesting machine. Since the recursive DNS servers in the hierarchy cache only valid DNS entries, these malicious DNS requests for random sub-domains generate network traffic for every request and response passed through the hierarchy, and ultimately overwhelm or even crash the authoritative DNS server that must handle all of the malicious DNS requests.
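The traffic pattern just described (many distinct, never-repeated sub-domains of one domain, all answered with an invalid response, arriving from several clients) is what a recursive DNS operator can look for in its own query logs. The following is an added example written for this page, not code from the original document or from any DNS product; the log format, the sample lines, the client addresses and the thresholds are all constructed assumptions. It summarizes per-domain response statistics from such a log and flags domains whose invalid-response share and distinct-name ratio are both high, while a legitimate zone with a few repeated typo lookups is left alone.

```python
"""Flag domains under a random-sub-domain flood in recursive-resolver query logs.

Added example (not from the original page). Log format is hypothetical:
    "<unix_time> <client_ip> <query_name> <response_code>"
"""
import re
from collections import defaultdict

# Constructed sample: example.com receives six one-off random names that all
# return NXDOMAIN from four clients; ibm.com sees only a repeated typo.
SAMPLE_LOG = """\
1700000000.01 10.0.0.5 www.example.com NOERROR
1700000000.02 10.0.0.6 mail.example.com NOERROR
1700000000.03 198.51.100.7 qz8f1k.example.com NXDOMAIN
1700000000.04 198.51.100.8 h2m9xv.example.com NXDOMAIN
1700000000.05 203.0.113.9 p0s7la.example.com NXDOMAIN
1700000000.06 198.51.100.7 wwb41c.example.com NXDOMAIN
1700000000.07 203.0.113.10 d6e2tq.example.com NXDOMAIN
1700000000.08 198.51.100.8 r9y5kn.example.com NXDOMAIN
1700000000.09 10.0.0.5 www.example.com NOERROR
1700000000.10 10.0.0.7 docs.ibm.com NOERROR
1700000000.11 10.0.0.7 docs.ibm.com NOERROR
1700000000.12 10.0.0.9 www.ibm.com NOERROR
1700000000.13 10.0.0.8 typo.ibm.com NXDOMAIN
1700000000.14 10.0.0.8 typo.ibm.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, client, query_name, rcode) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return float(ts), client, qname.lower().rstrip("."), rcode.upper()


def zone_of(qname, labels=2):
    """Map a query name to the domain it belongs to (assumes two-label domains)."""
    parts = qname.split(".")
    return ".".join(parts[-labels:])


def summarize(lines):
    """Per-domain counts: total queries, NXDOMAIN answers, distinct failed names/clients."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0,
                                 "nx_names": set(), "nx_clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, rcode = rec
        z = stats[zone_of(qname)]
        z["total"] += 1
        if rcode == "NXDOMAIN":
            z["nxdomain"] += 1
            z["nx_names"].add(qname)
            z["nx_clients"].add(client)
    return stats


def flag_zones(stats, min_queries=5, min_nx_ratio=0.6, min_unique_ratio=0.8):
    """Flag domains where most queries fail AND the failed names almost never repeat.

    Thresholds are assumptions for the sample; tune them to the resolver's baseline.
    A repeated typo (same name failing twice) has a low distinct-name ratio and is
    not flagged, which separates user error from a random-sub-domain flood.
    """
    flagged = {}
    for zone, s in stats.items():
        if s["total"] < min_queries:
            continue
        nx_ratio = s["nxdomain"] / s["total"]
        unique_ratio = len(s["nx_names"]) / s["nxdomain"] if s["nxdomain"] else 0.0
        if nx_ratio >= min_nx_ratio and unique_ratio >= min_unique_ratio:
            flagged[zone] = {"nx_ratio": round(nx_ratio, 3),
                             "unique_ratio": round(unique_ratio, 3),
                             "clients": len(s["nx_clients"])}
    return flagged


def analyze(log_text):
    """Convenience wrapper: raw log text in, flagged-domain report out."""
    return flag_zones(summarize(log_text.splitlines()))


if __name__ == "__main__":
    for zone, info in analyze(SAMPLE_LOG).items():
        print(f"{zone}: {info}")
```

A flagged domain is the one whose authoritative server is being driven toward the overload the paragraph describes; the report gives the operator the evidence (failure share, name churn, number of contributing clients) needed to decide on rate limiting toward that domain or on tightening negative caching, without touching traffic for other domains.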
Therefore, a continuing need exists for a manner of addressing DoS attacks on a DNS system.