And the trends are not favorable:
Average peak bandwidth up 241% to 7.76 Gbps from Q2 2013 to Q2 2014 (Prolexic/Akamai)
“Over 100 events over 100Gbps this year” -- Arbor
Attacks against DNS were up from 8% to 13.3%--nearly one in seven attacks (Arbor)
Case study: DNS query flood peaked at 110 Mpps and 119 Gbps of legitimate queries (Akamai)
One token bucket per response × querier (or querier network)
Token bucket has five tokens, and five are added each second
Take one away for each response sent to querier
Once bucket is empty, send no responses
Bucket can go negative, but no more than 15 seconds’ worth
It’ll take 15 seconds to “recharge”
50% of the time, by default, the name server sends a small, truncated response to the querier
If the query was actually sent by an attacker, this response goes to the target, which ignores it
If the querier was legitimate, it’ll retry over TCP
Presto! You’re not useful in amplification attacks
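As an added illustration (not code from the talk, from BIND or from Infoblox), here is a small Python model of the per-response, per-querier token bucket just described, with the stated parameters: five tokens, five added per second, at most 15 seconds' worth of debt, and every other suppressed answer sent as a small truncated (TC=1) reply so a legitimate client retries over TCP. Query keys and client networks in the demo are constructed values.

```python
"""Toy model of DNS Response Rate Limiting (RRL). Constructed example, not a
vendor's implementation; parameters follow the slide text above."""
from dataclasses import dataclass

RATE = 5                    # tokens added per second
BURST = 5                   # tokens the bucket starts with / maximum
DEBT_SECONDS = 15           # bucket may go negative by this much work
MAX_DEBT = -RATE * DEBT_SECONDS   # -75 tokens, i.e. 15 seconds to recharge
SLIP = 2                    # 1 in SLIP suppressed responses is sent truncated


@dataclass
class Bucket:
    tokens: float = BURST
    last: float = 0.0       # timestamp of the previous refill
    suppressed: int = 0     # counter used to alternate drop / truncate


class ResponseRateLimiter:
    def __init__(self):
        # One bucket per (response, querier network) pair.
        self.buckets = {}

    def decide(self, response_key, client_net, now):
        """Return 'send', 'truncate' or 'drop' for one outgoing response."""
        b = self.buckets.setdefault((response_key, client_net), Bucket(last=now))
        # Refill: RATE tokens per elapsed second, never above BURST.
        b.tokens = min(BURST, b.tokens + (now - b.last) * RATE)
        b.last = now
        if b.tokens > 0:
            b.tokens -= 1
            return "send"
        # Bucket empty: record debt, bounded at 15 seconds' worth, and
        # either drop the answer or send a truncated one (the 50% default).
        b.tokens = max(MAX_DEBT, b.tokens - 1)
        b.suppressed += 1
        return "truncate" if b.suppressed % SLIP == 0 else "drop"


if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    # Constructed flood: 100 identical answers to one spoofed /24 at t=0.
    flood = [rrl.decide("example.com/ANY", "192.0.2.0/24", 0.0) for _ in range(100)]
    print({d: flood.count(d) for d in ("send", "truncate", "drop")})
    # Another network asking for the same name is unaffected.
    print(rrl.decide("example.com/ANY", "198.51.100.0/24", 0.0))
    # The flooded bucket has only recharged to zero after 15 seconds.
    print(rrl.decide("example.com/ANY", "192.0.2.0/24", 15.0))
    print(rrl.decide("example.com/ANY", "192.0.2.0/24", 16.0))
```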
Evgeniy Polyakov proved this
He set up a patched BIND name server and attacked it over a gigabit LAN
It took 10 hours to poison its cache, but it still worked
And while 10 hours seems like a long time...
Updated frequently, and since it’s a zone, it propagates quickly using NOTIFY and IXFR
Enterprises can deploy Advanced DNS Protection either as an external authoritative server or as a recursive/caching server inside their network.
This picture shows a typical deployment scenario in the external case. The first scenario helps to protect the network from external, internet-borne attacks that target the authoritative DNS server.
The goal is to never stop serving DNS requests. With intelligence embedded into the Advanced DNS Protection product, we are able to handle attacks aimed directly at the DNS appliance with the explicit intent of disrupting the service. The product will resist the attack and continue handling legitimate DNS queries.
This is a key differentiator from any other DNS server for any vendor.
We protect against DNS-based attacks and floods, which eliminates the need to overprovision bandwidth to protect the DNS server: it's not about consuming the WAN bandwidth, it's about intelligently handling targeted DNS attacks.
Like the DNS firewall, we use continuous, automatic updates to provide protection against evolving attacks, AND leverage our GRID for distributed data and centralized visibility and management
IGMP flood: blocked by not allowing ICMP timestamp packets
Land attack, Eyenetdee: Land is covered by blocking sameip; Eyenetdee is not used to attack DNS, and we block the ports it does attack