HC3 Sector Alert: DNS NXDOMAIN Attacks

April 14, 2023
The Health Sector Cybersecurity Coordination Center recently published a sector alert for the healthcare and public health sector regarding DNS NXDOMAIN attacks, one of several kinds of DDoS attack that target DNS servers

On April 7, the Health Sector Cybersecurity Coordination Center (HC3) published a sector alert for the healthcare and public health sector regarding DNS NXDOMAIN attacks. A DNS NXDOMAIN flood is one of the assorted distributed denial-of-service (DDoS) attacks that target Domain Name System (DNS) servers.

The sector alert explains that through “a trusted third party” HC3 received information regarding a DDoS attack that has been tracked since November of 2022. The attacks flood targeted networks and servers with fake DNS requests for non-existent domains (NXDOMAINs).

“The threat actor wants to overload the DNS server with a large volume of requests, which can be either non-existent or invalid,” the alert adds. “In this type of DDoS, the DNS server will spend time trying to locate something that does not exist instead of processing the legitimate user request. As the volume of invalid requests increases, the authoritative server will begin to slow down, preventing legitimate requests from getting a response. Additionally, legitimate clients trying to access the website will increase the load even further. In most cases, the DNS proxy server and the DNS authoritative server will use all their time handling those bad requests. When successful, the outcome of these attacks can result in higher utilization of resources on the server, and the cache will be filled up with NXDOMAIN replies. This can ultimately slow or completely prevent an authorized user from gaining access to a website or services. Like other DDoS attacks, these are also carried out by large botnets, which can consist of thousands of compromised devices located worldwide, making detecting and blocking this type of DNS attack difficult. As a result, NXDOMAIN DDoS attacks could negatively impact network providers, website owners, and end users or customers.”

If network providers can’t control or mitigate the attack, one of the possible consequences is customers not being able to access the organization’s websites and services. Website owners are also affected by having their service inaccessible to legitimate customers. And users and customers are affected by not being able to access products or services on the website under attack.

The alert notes that receiving small amounts of NXDOMAIN responses during normal operations is considered typical—users mistyping web addresses or dead hyperlinks that reference services that no longer exist.

The alert states that “The current identified TTPs for this campaign consist of:

  • A large amount of DNS queries for non-existent hostnames under legitimate domains
  • The traffic consists of UDP packets encapsulated in IPv4 and IPv6
  • The DNS servers respond with an NXDOMAIN error
  • The source IPs are widely distributed
  • The source IPs could be spoofed”

Further, “HC3 encourages organizations to remain cautious when blocking IPs, because this could result in legitimate users being prevented from accessing public services. According to NETSCOUT, there are several mitigations available for DNS NXDOMAIN Flood DDoS Attacks:

  • Blackhole routing/filtering suspected domains and servers
  • Implement DNS Response Rate Limiting
  • Block requests from the client’s IP address for a configurable period of time
  • Be sure that cache refresh takes place, ensuring continuous service
  • Lower the timeout for recursive name lookup to free up resources in the DNS resolver
  • Increase the time-to-live (TTL) on existing records
  • Apply rate limiting on traffic to overwhelmed servers”
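The TTPs above (random hostnames under a legitimate zone, NXDOMAIN answers, widely distributed and possibly spoofed sources) can be checked for in resolver logs before any IP blocking is attempted. The following is an added example, not code from the HC3 alert or from NETSCOUT; it assumes a simplified, constructed log line format ("epoch src_ip qname rcode") and a crude two-label zone extraction, and it reports, per zone, the NXDOMAIN share, how many distinct sources produced NXDOMAINs, and how much of that traffic the single busiest source accounts for (a low figure is the signal that per-IP blocking will not help much).

```python
import re
from collections import Counter, defaultdict
# Constructed resolver log lines (not from the alert): "<epoch> <src_ip> <qname> <rcode>".
SAMPLE_LOG = """\
1681466400 192.0.2.10 www.example.org NOERROR
1681466401 203.0.113.5 q7f3a1.example.org NXDOMAIN
1681466401 2001:db8::1 9b2ce4.example.org NXDOMAIN
1681466402 203.0.113.88 x0k1p9.example.org NXDOMAIN
1681466402 192.0.2.10 wwww.example.org NXDOMAIN
1681466403 198.51.100.200 ab12cd.example.org NXDOMAIN
1681466404 192.0.2.77 static.example.org NOERROR
1681466405 203.0.113.5 www.example.net NOERROR
1681466405 192.0.2.10 ww.example.net NXDOMAIN
1681466406 198.51.100.7 www.example.net NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

def parse_log(text):
    """Yield (epoch, src_ip, qname, rcode) for well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower().rstrip("."), m.group(4)

def zone_of(qname):
    # Assumption: the zone is the last two labels (a real deployment would use its zone list).
    return ".".join(qname.split(".")[-2:])

def analyze(text, nx_ratio=0.5, min_sources=5):
    """Per zone: NXDOMAIN share, spread of NXDOMAIN sources, and share of the busiest source."""
    totals, nx_by_src = Counter(), defaultdict(Counter)
    for _, src, qname, rcode in parse_log(text):
        zone = zone_of(qname)
        totals[zone] += 1
        if rcode == "NXDOMAIN":
            nx_by_src[zone][src] += 1
    findings = {}
    for zone, total in totals.items():
        srcs = nx_by_src[zone]
        nx = sum(srcs.values())
        top_share = max(srcs.values()) / nx if nx else 0.0
        findings[zone] = {
            "nx_ratio": round(nx / total, 2),
            "distinct_nx_sources": len(srcs),
            # Low top_source_share: per-IP blocking will not help (sources spread or spoofed).
            "top_source_share": round(top_share, 2),
            "suspicious": nx / total >= nx_ratio and len(srcs) >= min_sources,
        }
    return findings
```

On the constructed sample, example.org is flagged (five NXDOMAINs out of seven queries from five different sources, none dominant) while example.net, with a single mistyped name, is not.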
