Not all DNS traffic spikes are DDoS attacks.

You are a network administrator performing general tasks. Suddenly, you’re seeing a huge surge in inbound traffic to your website, application, or web service. It instantly switches resources to respond to changing patterns and reduces the load on overloaded servers through automated traffic steering. After the immediate danger has passed, the sergeant asks: What just happened?

Is that so? really DDoS attack?

In these situations, it’s tempting to sound a false alarm. Distributed Denial of Service (DDoS) attacks are becoming an increasingly common problem, with the number and scale of attacks increasing significantly every year. Many network administrators will say that if there is a noticeable increase in traffic, “it must be some kind of DDoS attack,” even if there is no direct evidence to support the claim.

Proving or disproving that a DDoS attack has occurred can be a challenge for network administrators and security teams alike.

Basically, if you use a prepackaged registrar Domain Name System (DNS) product, you have no access to DNS traffic data at all. Data if you use a premium DNS service I think I will Stay there. Most authoritative DNS providers have some kind of observability option. At the same time, getting it in the right format (raw logs, SIEM integrations, pre-built analytics) and at the right level of granularity can be problematic.

What actually causes DNS traffic spikes?

We analyze a lot of DNS traffic information using IBM® NS1 Connect® DNS Insights, an optional add-on to IBM NS1 Connect Managed DNS.

DNS Insights captures a wide range of data points directly from NS1 Connect’s global infrastructure and then presents them to customers through pre-built dashboards and targeted data feeds.

As we reviewed these data sets with our customers, we found that relatively few spikes in overall traffic or error-related responses such as NXDOMAIN, SERVFAIL, or REFUSED were associated with DDoS attack activity. Most traffic spikes are caused by misconfigurations. Typically, you will see an error code that occurs in about 2-5% of all DNS queries. However, in some extreme cases, more than 60% of a company’s traffic volume resulted in NXDOMAIN responses.

Here are some examples of what we’ve seen and heard from DNS Insights users:

“We are experiencing DDoS attacks on our equipment”

One company with over 90,000 remote workers had a very high NXDOMAIN response rate. This was a long-standing pattern, but it was shrouded in mystery because the network team lacked enough data to determine the root cause.

After examining the data collected by DNS Insights, it became clear that the NXDOMAIN responses were coming from the company’s own Active Directory zone. Geographic patterns of DNS queries provided further evidence that the company’s “follow the sun” operating model was replicated in NXDOMAIN response patterns.

Basically, this misconfiguration affected network performance and capacity. Upon closer inspection of the data, we also discovered more serious security issues. This means that Active Directory records were being exposed to the Internet through dynamic DNS update attempts. DNS Insights provided the missing links network teams needed to fix these items and close critical holes in their network defenses.

“I’ve wanted to investigate these theories for years.”

One company that had acquired multiple domains and web properties over the years through M&A activity regularly saw noticeable increases in NXDOMAIN traffic. They assumed this was a dictionary attack on a moribund domain, but with the limited data they had access to, they could neither confirm nor deny whether this was the case.

With DNS Insights, the company finally lifted the curtain on the DNS traffic patterns that led to such anomalous results. They discovered that some of the redirects they had set up for purchased web properties were not configured correctly, misdirecting traffic and exposing some internal zone information.

By examining the sources of NXDOMAIN traffic in DNS Insights, the company was also able to identify Columbia University’s computer science courses as a source of increased traffic to some of its legacy domains. What could appear to be a DDoS attack was a group of students and professors investigating a domain as part of standard practice.

“Which IP caused such a high QPS record?”

One company was experiencing periodic spikes in query traffic but could not identify the root cause. They assumed it was some kind of DDoS attack, but had no data to support their theory.

Data from DNS Insights reveals that internal domains, not external actors, are responsible for the spike in query volume. Due to a misconfiguration, internal users were routed to a domain for external customers.

Using the data captured in DNS Insights, the team was able to rule out a DDoS attack as the cause and fix internal routing issues to resolve the actual problem.

DNS data identifies root cause.

In all of these cases, the increase in query traffic that network teams initially attributed to DDoS attacks turned out to be misconfigurations or internal routing errors. Only after digging deeper into DNS data was the network team able to pinpoint the root cause of complex traffic patterns and unusual activity.

At NS1, we’ve always known that DNS is a critical lever to help network teams improve performance, add resiliency and lower operational costs. The granular, detailed data provided by DNS Insights is an invaluable guide to connecting the dots between traffic patterns and root causes. Many companies provide raw DNS logs, but NS1 goes one step further. DNS Insights processes and analyzes data to reduce the effort and time required to troubleshoot network issues.

Learn more about the information contained in DNS Insights.