Posted February 4, 2015
The “Nonsense Name” Attack is Not New
-by Chris Donovan
CloudShield has a no-nonsense solution.
Network World recently published an article called, “A new kind of DDoS threat: The ‘Nonsense Name’ attack” by Cricket Liu at Infoblox. Contrary to the title of this article, “The “Nonsense Name” attack, also known as the “Random Qname” attack, isn’t so new. At CloudShield, we first saw it at our customer sites in early 2014. By March 2014, we deployed a solution. By August 2014, we wrote about the attack publicly. We’re glad that people in the DNS community, like Network World, are starting to take notice.
First steps to stop this attack
To stop the Nonsense Name attack, Cricket’s article first suggests that you filter out clients that should not have access to the recursive server. This is an obvious and reasonable first step and should be done even without the threat of this attack as a best practice.
The next suggested step, however, is to block the domains targeted in the attack by modifying the configuration of the DNS server. This is going in the right direction, but unfortunately, ends up being a manual process that results in a game of whack-a-mole. There needs to be a more efficient way otherwise, you’re going to need a mighty large hammer.
A no-nonsense solution
This is where CloudShield DNS Defender™ can help you win the whack-a-DNS mole game. If you’re not familiar with CloudShield DNS Defender, it’s a protocol-specific firewall that has been fighting DNS attacks since 2008 and we continue to refine it as attack schemes change. Though it’s known for its great security and performance benefits, it also has inherent flexibility not available in other firewall solutions. When we first encountered the Nonsense Name, it wasn’t intuitively obvious how this attack had caused sluggish DNS performance in our customer’s network.
After doing deeper research and examining our customer’s DNS traffic, however, we could see that it was a ‘bot attack’. We were able to quickly create a new counter measure and deploy it with CloudShield DNS Defender in a few days – this kind of flexibility allows customers to deploy new defenses against emerging threats and try them out on-the-fly. The solution we came up with is now called the, “CloudShield DNS Flow Optimizer™”. It’s the 7th security filter that we’ve since integrated into DNS Defender.
DNS Flow Optimizer to the rescue
The DNS Flow Optimizer filter mitigates the Nonsense Name attack and attacks like it by tracking connections between your recursive DNS servers and the targeted authoritative DNS servers on the Internet. It detects when the authoritative servers stop responding. At that point, DNS Defender automatically provides the NXDomain responses necessary to protect your recursive DNS server. DNS Defender will then check at periodic intervals and again automatically remove the block when the attack subsides.
No more manual process and no more whack-a-DNS mole.
Squashing “Nonsense Name” and bot attacks like it
We were able to deploy this solution at additional customer sites where they were experiencing strange bot attacks that were taking out their recursive and authoritative servers. The Flow Optimizer turned out to be just the thing they needed. If you are having trouble with this type of attack, please give us a holler.
We’d be happy to help you stop the nonsense.