In a Denial-of-Service (DoS) attack, an attacker bombards a victim network or server with a large volume of message traffic. The traffic overload consumes the victim's available bandwidth, CPU capacity, or other critical system resources, and eventually brings the victim to a situation in which it is unable to serve its legitimate clients. Distributed DoS (DDoS) attacks can be even more damaging as they involve creating artificial network traffic from multiple sources simultaneously. In a “conventional” massive-bandwidth attack, the source of the attack may be traced with the help of statistical analysis of the source Internet Protocol (IP) addresses of incoming packets. The victim can subsequently filter out any traffic originating from the suspect IP addresses, and can use the evidence to take legal action against the attacker. Many attacks, however, now use “spoofed” IP packets—packets containing a bogus IP source address—making it more difficult for the victim network to defend itself against attack.
Domain Name System (DNS) servers are a favored target of DDoS attackers. DNS is an essential component of the Internet protocol suite, without which most Internet services are disabled. DNS provides a distributed database of domain names and their associated information, such as IP addresses and alias names. DNS servers use the database to translate domain names into their corresponding IP addresses and to retrieve other information associated with specific names. DNS is described in detail by Mockapetris in “Domain Names—Concepts and Facilities,” published as Request for Comments (RFC) 1034 (1987) of the Internet Engineering Task Force (IETF) Network Working Group; and in “Domain Names—Implementation and Specification,” published as IETF RFC 1035 (1987). Both of these documents are incorporated herein by reference. They are available at www.ietf.org.
The DNS protocol is based on queries and responses (also referred to as requests and replies). The queries are directed from a client (which may itself be a DNS server) to a name server (NS), requesting information regarding a specific domain name. Each such query asks for either the IP address of the domain name or information that could be used in order to find the requested information. The DNS server returns a response to the client, containing one or more Resource Records (RR), each of which corresponds to a specific domain name. Each such RR is represented in the reply by a triple (domain name, type, value), with the following meanings:                1. Domain name: The key of the RR, normally the domain name about which a query was made.        2. Type: Either A, or NS, or CNAME, as described below.        3. Value: The content of the RR, which may be an IP address (for type A) or another domain name (for type NS or CNAME).The RR in the reply also carries a Time-To-Live (TTL) parameter, indicating the length of time for which the client may keep this RR in its cache. If TTL=0, the client should not store the record, and should consult a DNS server again the next time it requires information associated with the domain name in question.        
The DNS request may also include an identifier (ID) field, with a unique ID generated by the requesting client. The server inserts this ID in the DNS response, thus enabling the client to associate the response with its own, earlier request.
Each RR in the DNS database is essentially a pair of a domain name (the key of the RR) and a piece of information related to this domain name. There are three types of RR of relevance to the present invention: A, NS, and CNAME:                Resource record of type A: The content of a RR of this type is simply the IP address of the key.        Resource record of type DNS Server (type NS): The content of a RR of this type is another domain name. The domain name in the RR is the name of a domain name server, which is the “authority server” for the key domain name. The semantics of this record type is “you should ask the name server whose name is listed here for the IP address of the key,” i.e., it redirects the requester to the authority name server.        Resource record of type Canonical Name (type CNAME): The content of a RR of this type is again a domain name, but in this case it is another domain name for which the key domain name is an alias. This record redirects client to query a name server using the canonical name as the new key.        
In a DDoS attack on a DNS server, a hacker typically submits a large number of simultaneous DNS requests, which overload the capability of the server to respond. The DNS protocol does not use any handshake mechanism, and the notion of a session between the client and the server does not exist. The vast majority of DNS request and reply traffic on the Internet is over the User Datagram Protocol (UDP), which is a connectionless protocol. Therefore, it is easy for hackers to spoof DNS/UDP messages (including the source IP address) and thus to overload the DNS server without the server being able to easily identify the source IP addresses from which the attack is coming.