ddos, dns and geolocation

fyi: managed dns services - edgedirector.com

DDOS, or distributed denial of service attacks can be mitigated using dns. This is because under most attack scenarios, the attacking machines find the host using dns.

Using dns to null route is similar in concept to null route injection at the router level. The goal is to make the host disappear from the internet for the duration of the attack. This is done to spare the server from the work of handling the attacking network packets. In dns, this is done by not returning an answer, or returning an answer that is local to each attacking machine,

Of course, by hiding the server from the network, it is effectively offline. While the bandwidth cost is avoided, the ddos will still have the desired effect in that the site is unavailable.

However, if it can be determined that the attack is specific to a geographical region, then geolocation aware dns can be applied effectively. This type of dns service can selectively answer queries based upon the geographic origin of individual queries. The edgedirector dns service can be configured to either not answer a query from the identified region, or to answer with a harmless address such as localhost. While this sounds simple, under no circumstances should a dns administrator try to do this without specific technical guidance from edgedirector support.

Where a ddos problem is not region specific, geolocation aware dns can still be of benefit. One of the sad facts of life is that the inbound network must be capable of supporting the network traffic involved in a ddos attack. As each physical location has finite network resources, there is a limit to the amount of inbound traffic that the network can sustain. With directional dns, the victim site can be spread over many networks. This has the effect of increasing the amount of bandwidth that is available to absorb a ddos event. Spreading the traffic does not decrease costs, instead it is employed to increase resilience in the face of the ddos attack.

A more advanced technique for longer term problems is to redirect traffic to a secondary site which acts as a gateway to the real site. The secondary site is configured to ensure that any forwarding link can only be followed by humans, and that the forwarding mechanism is resistant to automated responses. You can be sure that a determined attacker will try to create a workaround. Thus, the forwarding site must be specifically engineered to all known automated navigation techniques.

In closing, the reader is reminded that geographic dns can be effective in ddos mitigation, but it is only one tool of many to be applied to the task.