
Do More to Prevent DNS DDoS Attacks

Dave Piscitello, on behalf of the ICANN Security Team

In recent weeks, numerous high profile organizations and financial institutions have been targets of massive service disruption attacks. Several of these attacks are characteristically similar to attacks against top level domain name servers in 2006. ICANN’s Security and Stability Advisory Committee published an Advisory, SAC008 [PDF, 963 KB]: Distributed Denial of Service (DDoS) Attacks, shortly after the 2006 incidents. Recommendations from that Advisory remain relevant today.

We encourage private organizations, service operators and governments to carefully consider the recommendations from SAC 008, which describe the best known means to mitigate DDoS attacks.

“the most effective means of mitigating the effects of… numerous DoS attacks is to adopt source IP address verification” – SAC008

DDoS attacks commonly use IP addresses that are not allocated to the subscriber, or IP addresses from reserved/private space, to make it difficult to identify the sources of attack traffic. This is called IP address spoofing. Access service providers and corporations should apply network ingress filtering (described in SAC004 and recommended by the Internet IAB in BCP 38) to prevent spoofing. Squelching attack traffic close to its origin has the added benefit of relieving ISPs from forwarding malicious or criminal traffic. Everyone benefits when every operator filters spoofed source addresses, except would-be attackers.
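The ingress-filtering decision described above, as an added example (not code from ICANN, SAC004 or BCP 38): a packet entering from a subscriber-facing interface is accepted only if its source address lies inside the prefixes allocated to that interface and outside reserved/private space. The subscriber prefix and sample packets are constructed for illustration.

```python
"""BCP 38 / SAC004 style source-address ingress filter (added example)."""
import ipaddress

# Source ranges that should never arrive on a subscriber-facing interface:
# unspecified, private, loopback, link-local, multicast and reserved space.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_verdict(allocated_prefixes, src_ip):
    """Return (accept, reason) for a packet seen on an interface to which
    `allocated_prefixes` were assigned."""
    src = ipaddress.ip_address(src_ip)
    for net in BOGON_SOURCES:
        if src in net:
            return False, f"reserved/private source {src} in {net}"
    for prefix in allocated_prefixes:
        if src in ipaddress.ip_network(prefix):
            return True, f"source {src} within allocated {prefix}"
    return False, f"source {src} not allocated to this interface (spoofed)"


def filter_packets(allocated_prefixes, packets):
    """Apply the verdict to (src, dst) pairs; return dropped sources -> reason."""
    dropped = {}
    for src, _dst in packets:
        accepted, reason = ingress_verdict(allocated_prefixes, src)
        if not accepted:
            dropped[src] = reason
    return dropped


if __name__ == "__main__":
    # Constructed sample: the subscriber holds 203.0.113.0/24; traffic on
    # that port carries one legitimate source, one spoofed public source
    # and one private-space source.
    SUBSCRIBER = ["203.0.113.0/24"]
    SAMPLE = [("203.0.113.7", "198.51.100.53"),
              ("198.51.100.9", "198.51.100.53"),
              ("10.1.2.3", "198.51.100.53")]
    for src, reason in filter_packets(SUBSCRIBER, SAMPLE).items():
        print("DROP", src, "-", reason)
```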

“Document operational policies relating to countermeasures… to protect [your] name server infrastructures against attacks that threaten [your] ability to offer service, give notice when such measures are implemented, and identify the actions affected parties must take to have the measures terminated.” – SAC008

I recently wrote an article, Preparing for the (Inevitable) DDoS Attack, that describes how to develop policies and prepare a response should your organization come under attack.

“disable open recursion on name servers from external sources and only accept DNS queries from trusted sources to assist in reducing amplification vectors for DNS DDoS attacks” – SAC008

When open recursion is enabled on a DNS server, that server will accept DNS queries from any client (any IP source address). Attackers exploit open recursive servers in DDoS attacks and amplification attacks. US-CERT Alert TA13-088A recommends that all DNS operators:

  • Disable recursion on authoritative name servers
  • Limit recursion to authorized clients, and
  • Rate limit responses of recursive name servers

Alert TA13-088A also identifies ways for every organization to test whether any of its name servers are open resolvers, and lists sources that describe how to do so for major operating systems and name server software. (Note: TA13-088A does not include a resource for Microsoft DNS Server; try here.)
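The open-resolver self-test recommended above, as an added example (not code from ICANN, US-CERT or the author): one recursion-desired query is sent to a server you operate for a name it is not authoritative for, and the reply header is inspected. A server that sets the RA flag and returns answer records is recursing for arbitrary clients. The reply bytes at the bottom are constructed so the classifier can be exercised offline; `probe()` assumes you point it at your own server.

```python
"""Open-resolver check for your own name servers (added example)."""
import socket
import struct


def build_query(qname, txid=0x1234):
    """Standard A query with RD=1 (recursion desired), no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(p)]) + p.encode() for p in labels)
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def classify_reply(raw, txid=0x1234):
    """Return 'open-resolver', 'refused', 'recursion-unavailable' or 'mismatch'."""
    if len(raw) < 12:
        return "mismatch"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID, or QR bit not set
        return "mismatch"
    recursion_available = bool(flags & 0x0080)  # RA bit
    rcode = flags & 0x000F
    if rcode == 5:                              # REFUSED: recursion denied to us
        return "refused"
    if recursion_available and rcode == 0 and ancount > 0:
        return "open-resolver"
    return "recursion-unavailable"


def probe(server, qname="example.com", timeout=3.0):
    """Live check of one of your own servers over UDP/53 (needs network)."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid), (server, 53))
        raw, _ = sock.recvfrom(4096)
    return classify_reply(raw, txid)


# Constructed sample reply headers (enough for classification):
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, RCODE=REFUSED
NO_RA_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)    # QR RD, RA clear, no answer
```

A result of `open-resolver` from a server you did not intend to serve the public is the condition the alert's recommendations (restricting recursion and rate limiting responses) are meant to remove.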

The ICANN Security Team encourages you to help mitigate this increasing threat to security, stability, and resiliency.
