The DNS Water Torture Attack

  • Published: Sep 8, 2024
  • A Domain Name System (DNS) Water Torture attack involves attackers sending non-existent subdomain requests to an Authoritative Name Server for a specific domain. These malicious requests consume the resources on the name server (and also on intermediate DNS resolvers) and significantly slow down the responses for legitimate requests. Ultimately, users are not able to access your web application, and then everyone has a bad day. Not good. Check out this video to learn more about this attack and how F5 can help keep your web applications safe!
    community.f5.c...
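The detection side of the attack described above, as an added example that is not part of the original video page and does not represent how any F5 product works: it scans a DNS query log for one zone and flags the pattern of mostly NXDOMAIN answers for many never-repeated, unknown subdomain labels. The log format, the thresholds, the `example.com` names and the known-label list are assumptions, and the sample lines are constructed.

```python
from collections import Counter

# Constructed sample: "<epoch> <resolver_ip> <qname> <rcode>" (not real traffic).
SAMPLE_LOG = """\
1700000000 192.0.2.10 www.example.com NOERROR
1700000000 192.0.2.11 k3jx9qpl.example.com NXDOMAIN
1700000001 192.0.2.12 zq81mmva.example.com NXDOMAIN
1700000001 192.0.2.10 mail.example.com NOERROR
1700000001 192.0.2.13 p0o9i8u7.example.com NXDOMAIN
1700000002 192.0.2.11 a7d2kfy1.example.com NXDOMAIN
1700000002 192.0.2.14 www.example.com NOERROR
1700000002 192.0.2.12 xx4rt6nb.example.com NXDOMAIN
"""


def analyze(log_text, zone, known_labels, nx_ratio_limit=0.5, min_one_off=4):
    """Summarise queries for `zone` and flag a random-subdomain flood."""
    suffix = "." + zone.lower().rstrip(".")
    total = nxdomain = 0
    unknown = Counter()  # subdomain labels that are not on the known list
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, _, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if not qname.endswith(suffix):
            continue  # other zones (and the bare apex) are out of scope here
        total += 1
        if rcode == "NXDOMAIN":
            nxdomain += 1
        label = qname[: -len(suffix)]
        if label not in known_labels:
            unknown[label] += 1
    ratio = nxdomain / total if total else 0.0
    # Labels seen exactly once: legitimate typos repeat, random labels do not.
    one_off = sum(1 for count in unknown.values() if count == 1)
    return {
        "total": total,
        "nx_ratio": ratio,
        "unique_unknown": len(unknown),
        "one_off_unknown": one_off,
        "suspected_flood": ratio > nx_ratio_limit and one_off >= min_one_off,
    }
```

On a real name server the thresholds would be tuned against a baseline of normal NXDOMAIN rates for the zone.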

Comments • 16

  • @richtourist 6 months ago

    Thank god for F5! What would we do without them!?

  • @qsarkiss 5 years ago +3

    Beyond the name of this attack, I like the pen, the glass board & the way John Wagnon draws on it (and from right to left... except if it is a mirror image with a mirror DevCentral logo on the Polo... is it? :) ).

    • @PascalMichkinE 5 years ago +3

      It is! They made specific T-shirts for these videos :)

  • @dronomads 5 years ago +1

    Awesome explanation, John. Can we have best practice recommendations to configure it on AFM? Any guides with guidelines are appreciated.

  • @rygelxix 5 years ago +2

    Does the AFM have a cache that itself could be flooded to bring it down? Or does it just discard all of these fake requests no further question?

  • @serkantok5195 5 years ago +1

    Great explanation btw. Thanks..

  • @msa6467 6 years ago +1

    Good explanation

  • @monitorinterfaces524 4 years ago

    Very clear, one Q. F5 will take the hits for the DNS server. Won't this also utilize the box?

    • @devcentral 4 years ago

      Great question! This is why the AFM (Advanced Firewall Manager) can learn the subdomains of your web application and block the attack before it consumes all the resources when requesting illegitimate subdomains.

  • @thetest6145 5 years ago +1

    Bind9 is not installed, Ubuntu Apache is a web server, if Cloudflare is using proxy IPs, IP server IP addresses are hidden, in which case will the server be exposed to DNS attacks?
    Need to know our attacker web server IP address attacking the DNS?

    • @devcentral 5 years ago +1

      Hi there...if I understand the question correctly, you are asking if the attacker needs to know the IP address of your web server in order to attack using DNS Water Torture. This attack specifically targets the authoritative name server that would respond with the proper DNS information for your web server. So, the attack is not directly against the web server. Rather, it's against the name server that tells the Internet how to get to your web server. The idea is that, if the attacker can consume the resources of the authoritative name server for your website, then the name server can't respond to legitimate requests for your web server. Then, users won't be able to access your web server because they weren't given the proper DNS information (IP address) for how to access it. Hope this helps!

  • @abhaypratap5311 5 years ago +1

    Can we deploy a filter in client side or middle to mitigate these kinds of attack...

    • @devcentral 5 years ago +2

      Hi Abhay, great question! A filter for the client side wouldn't work for this because there's no way to reach out and configure every possible client that might attack you in this situation. Specifically for the Mirai botnet, many of the clients would be things like a DVR, wireless camera, etc. These are many of the "Internet of Things (IoT)" devices that have been taken over by the Mirai botnet. So, while these internet-connected devices can send DNS requests on behalf of the botnet, it would be basically impossible to reach out and try to put a filter on each of them. This is why it's important to implement a firewall (like the BIG-IP AFM) to filter out these malicious requests. I hope this helps!

  • @amirhossein5055 2 years ago