PowerDNS: Automated Denial of Service Protection

PowerDNS Platform Automated Denial of Service Protection

DNS is a cornerstone of any internet service, whether hosting domains or acting as an access provider. A successful denial of service attack on a DNS server platform leads to an immediate slowdown, or even a complete breakdown, of the user experience.

The PowerDNS Platform contains functionality that flags malicious traffic every second and instigates automatic blocks on either the source address of the query or its subject (the queried domain name).

Key benefits of such automated blocking are:

  • Improved performance when under light attack
  • Ability to sustain good service when under heavier attacks
  • More rapid return to providing service while the largest-scale attacks are being filtered upstream

Classes of attacks

Internal

As an access provider, attacks can originate from your own customer base. Such attacks are frequently not in the gigabit range, but they are often CPU intensive: it is not the volume of the traffic but the nature of the questions that causes problems. Subscriber-originated traffic is then used to make the DNS protocol 'amplify' the attack traffic, which is particularly harmful for the remote parties under attack.

Since these attacks are not of the 'volumetric' kind, filtering needs to be highly DNS aware; it is not simply a matter of blocking individual sources that send large amounts of traffic.

The PowerDNS Platform delivers such smart filtering, and almost immediately latches on to customers sending abusive traffic.

Internal attacks can typically be filtered entirely by the PowerDNS Platform.

External

When providing authoritative service, servers are exposed to the outside world. This means attacks are frequent and can't easily be traced back to individual subscribers. In contrast to internal attacks, attacks with outside origin frequently come in at over 100Gbit/s. This means that large scale scrubbing services are required to pare down attacks to reasonable levels.

The remainder of the attack can then be processed by the PowerDNS Platform. The effect of this is that service is restored once the attack is 'mostly' filtered, whereas without the Platform, scrubbing needs to be almost perfect before things work again.

Technologies employed

The PowerDNS Platform analyzes attacks based on statistics derived from ring buffers of recently received queries. Recalculated every second, these statistics enable the platform to provision dynamic blocks for specific source addresses and specific domain names.

In addition, when an attack is randomized (for instance, queries for random subdomains of a target domain) so that no single name or source stands out, our algorithms derive what the attack traffic has in common that is causing the remote overload, and create a generic rule that matches the common attack pattern.

Once a rule is created, it is translated into eBPF and loaded into the Linux kernel. This means that blocking happens before a packet traverses the IP stack, and does not incur any transitions to or from user space. The eBPF rules do, however, keep per-rule statistics, so that the PowerDNS Platform can track the effectiveness of its blocking rules and retire rules that no longer match anything.
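To make the per-second analysis concrete, the following is an added example written for this page; it is not PowerDNS Platform code and the thresholds, the traffic and the address ranges are constructed. It keeps recent queries in a ring buffer, derives three kinds of statistics over the last second (queries per source, queries per exact name, and, for each common suffix, how many distinct leftmost labels were seen), and turns them into blocks on a source, on a name, or on a generic suffix when a random-subdomain pattern is found. The matcher keeps a hit counter per rule in the same spirit as the statistics the kernel-side eBPF rules maintain, but it runs in user space; pushing the rules into the kernel is what the Platform does and is not shown here.

```python
"""Added example (not PowerDNS Platform code): ring-buffer statistics that
yield dynamic blocks on sources, names and random-subdomain suffixes.
All thresholds, addresses and traffic below are constructed for the demo."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Query:
    ts: float    # arrival time in seconds
    src: str     # client source address
    qname: str   # queried name, lower-case, without trailing dot


class RingBuffer:
    """Fixed-size buffer of the most recent queries; oldest entries fall off."""
    def __init__(self, size: int = 100_000):
        self.buf = deque(maxlen=size)

    def add(self, q: Query) -> None:
        self.buf.append(q)

    def last_second(self, now: float) -> list:
        return [q for q in self.buf if now - 1.0 <= q.ts <= now]


@dataclass
class Rule:
    kind: str      # "src", "qname" or "suffix"
    value: str
    expires: float
    hits: int = 0  # per-rule counter, mirroring the statistics a kernel filter keeps


def suffix_of(qname: str) -> str:
    """Drop the leftmost label: 'abc.victim.example' -> 'victim.example'."""
    return qname.split(".", 1)[1] if "." in qname else qname


class Analyzer:
    """Derives block rules from the queries seen in the last second."""
    def __init__(self, src_qps=100, qname_qps=100, suffix_qps=100,
                 random_ratio=0.8, block_secs=60.0):
        self.src_qps, self.qname_qps, self.suffix_qps = src_qps, qname_qps, suffix_qps
        self.random_ratio = random_ratio   # share of distinct names under a suffix
        self.block_secs = block_secs

    def analyze(self, ring: RingBuffer, now: float) -> list:
        window = ring.last_second(now)
        rules = []
        # 1. sources sending more queries per second than the threshold
        for src, n in Counter(q.src for q in window).items():
            if n > self.src_qps:
                rules.append(Rule("src", src, now + self.block_secs))
        # 2. a single name queried more often than the threshold
        for name, n in Counter(q.qname for q in window).items():
            if n > self.qname_qps:
                rules.append(Rule("qname", name, now + self.block_secs))
        # 3. random-subdomain pattern: many queries share a suffix, but almost
        #    every leftmost label is different -> one generic suffix rule
        names = defaultdict(set)
        totals = Counter()
        for q in window:
            s = suffix_of(q.qname)
            totals[s] += 1
            names[s].add(q.qname)
        for s, n in totals.items():
            if n > self.suffix_qps and len(names[s]) / n >= self.random_ratio:
                rules.append(Rule("suffix", s, now + self.block_secs))
        return rules


def matches(rules, q: Query, now: float) -> bool:
    """Apply live rules to a query, bumping the hit counter of the first match."""
    for r in rules:
        if r.expires <= now:
            continue   # expired rules are skipped (and could be retired here)
        if (r.kind == "src" and q.src == r.value) or \
           (r.kind == "qname" and q.qname == r.value) or \
           (r.kind == "suffix" and (q.qname == r.value or
                                    q.qname.endswith("." + r.value))):
            r.hits += 1
            return True
    return False


def build_sample_traffic(seed: int = 1) -> RingBuffer:
    """Constructed traffic: 40 ordinary clients (3 queries each) plus one
    subscriber sending a 300-query random-subdomain flood at victim.example,
    all within the same second (timestamps in [10.0, 11.0))."""
    rng = random.Random(seed)
    ring = RingBuffer()
    normal = ["www.example.net", "mail.example.net", "api.example.org"]
    for i in range(40):
        for _ in range(3):
            ring.add(Query(10.0 + rng.random(), f"198.51.100.{i}", rng.choice(normal)))
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for _ in range(300):
        label = "".join(rng.choice(alphabet) for _ in range(12))
        ring.add(Query(10.0 + rng.random(), "203.0.113.7", f"{label}.victim.example"))
    return ring


if __name__ == "__main__":
    rules = Analyzer().analyze(build_sample_traffic(), now=11.0)
    for r in rules:
        print(f"block {r.kind}={r.value} until t={r.expires}")
```

On the constructed traffic this yields two rules: a source block for 203.0.113.7 and a suffix block for victim.example; the ordinary names never cross the per-name threshold, and example.net is not flagged as a suffix because only two distinct names sit under it. Two caveats a practitioner would want: the suffix rule also blocks legitimate names under the attacked domain for the duration of the block, so it should be short-lived and combined with an allowlist of known-good exact names, and all rules here are evaluated in user space, whereas the point of the Platform's eBPF translation is to drop the matching packets before they reach user space at all.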

Summarizing

The PowerDNS Platform analyzes DNS traffic, identifies its harmful components and filters them. In many cases this suffices to completely neutralize an attack. When traffic exceeds the local network capacity ('100Gbit/s attacks'), specialized scrubbing services are required to perform filtering upstream. The key benefit of the PowerDNS Platform is that normal service can be restored even when upstream filtering is not yet perfect and some attack traffic still leaks through.