DDoS attacks have been a persistent problem for the the better part of 20 years, and as ISPs and enterprises have adjusted their defenses, attackers have adapted their tactics. One of the more effective tools in the attackers’ arsenal now is the use of botnets to generate massive numbers of DNS queries for a target site, a technique that can be quite difficult to defend against.
CloudFlare, one of the larger DNS providers and a performance and security specialist, is introducing a new service called Virtual DNS that is designed to help protect against these new attacks and speed up organizations’ infrastructures. The service works by having organizations point their name servers to CloudFlare’s infrastructure, which provides security protection and acceleration. Companies don’t need to move their DNS records; those stay on the companies’ own name servers.
Matthew Prince, CEO and co-founder of CloudFlare, said in an interview that the volume and frequency of the recent DNS DDoS attacks has put traditional DDoS defenses such as filtering at a severe disadvantage.
“We’ve found that because DDoS mitigation is so cheap and easy, attackers have adjusted.”Tweet
“We see attacks with as much as two hundred or three hundred million DNS requests per second virtually every day,” he said. “We can do some creative filtering, but but if it’s a botnet with hundreds of thousands of nodes and they’re sending traffic through upstream DNS resolvers that are effectively laundering the traffic for them, it’s tough.
“With Virtual DNS, we act as a giant DNS proxy scattered around the world. That makes it significantly faster and also acts as protection for customers’ name servers.”
The way that Virtual DNS is set up allows it to stop attack traffic at the edge of CloudFlare’s network, so it never touches the customer’s name servers or network infrastructure. CloudFlare’s system has nearly four terabits of capacity, Prince said, and while that’s clearly an asset, it’s also forced attackers to change what they’re doing.
“We’ve found that because DDoS mitigation is so cheap and easy, attackers have adjusted,” he said. “This new level of sophistication is a challenge.”
Prince added that the new Virtual DNS service also can help speed the adoption of DNSSEC by allowing CloudFlare to sign the DNS records that it’s issuing.
“We have to secure this infrastructure more completely,” he said.