Coronavirus (COVID-19) Information Read here

New Farsight Security Research Uncovers DDoS Events, Rise in DNS Network Traffic

New study examines DNS cache miss traffic volume for over 300 Top Travel and Transportation, Retail, Higher Education, News, and Streaming Video Domain Names during COVID-19 pandemic; individual “Volume-over-Time” graphs for each site are included in the report

San Mateo, California, May 27th, 2020, Farsight Security®, Inc., a leading cybersecurity provider of DNS Intelligence, today introduced new research entitled, “DNS Network Traffic Volumes During the 2020 Pandemic.” This report examines DNS cache miss traffic levels during the COVID-19 pandemic, over a two-month period (March 2020-April 2020), with a focus on over 300 domains for leading travel and transportation, retail, streaming video, higher education and news and partisan opinion sites.

"Different people use the Internet differently. When the headlines are all about some new mass shooting or as in this case a virus pandemic, most of the DNS traffic related to those headlines will be due to fraudulent or criminal activity by those hoping to cash in on the public's attention. Therefore, it is worth our time to study DNS traffic patterns during every global event, to characterize current abuses of the system and to predict future abuses," said Dr. Paul Vixie, Chairman, CEO and Cofounder of Farsight Security, Inc.

The research found a measurable increase in DNS cache miss traffic levels as well as a number of DDoS events involving popular brand names. While worldwide shelter-in-place orders and other activities taken during the pandemic may have played a role in these report results, this report does not try to "attribute" or "apportion" the change in traffic levels. Instead, it simply reports what Farsight sees as a macroscopic phenomenon.

Among the report highlights:

  • DNS cache miss traffic volumes have risen during the COVID-19 pandemic across select industries, with a "step up" pattern typically reflecting a 4x-to-7x increase.
  • While most of the studied sites exhibited this “step up” traffic pattern, there was variation among the studied sites in terms of magnitude and timing, and higher education sites. tends to exhibit an increase, but that increase would then subsequently drop, producing a hill rather than a plateau.
  • Some sites experienced "spikes" in volume – Farsight believes those spikes represent denial of service (DDoS) attack traffic reflexively targeting unrelated third-party sites.
  • At least two distinct reflective DDoS attack patterns took place among the studied sites:

    • One pattern type that appears to be purely associated with abusive DNS SOA ("Start of Authority") queries
    • A second pattern type that melds abusive DNS SOA queries with abusive DNS TXT queries for wildcarded SPF redirect records

To reduce the risk of DDoS events, Farsight recommends that nameserver vendors ship their products with Response Rate Limiting (RRL) enabled by default. Farsight also recommends that all authoritative name server operators confirm that their current configurations have RRL enabled. To learn more, visit "A Quick Introduction to Response Rate Limiting,"

The full report can be downloaded here.

Methodology

Farsight DNSDB catalogs and indexes the unique relationships present in DNS resource records. For this report, Farsight looked at daily DNS transactions for over 300 sites, and produced graphs showing the volume for each day during March/April 2020. When reviewing traffic for these sites, Farsight looked at the DNS cache miss traffic for all hostnames under a given delegation point (e.g., *.example.com, not, for example, just a specific hostname such as www.example.com). We also looked at all resource record types (excluding only DNSSEC-related record types), including IPv4 "A" records, IPv6 "AAAA" records, CNAMEs, NS records, MX records, TXT records, SOA records, etc.

Because Farsight observes data above the recursive resolver, we only see cache miss traffic. Cache miss traffic are requests for domain names that aren’t already in the local recursive cache. The volume of cache miss traffic is largely based on a domain’s popularity.

About Farsight Security, Inc.

Farsight Security, Inc. is the world’s largest provider of historical and real-time passive DNS data. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at https://www.farsightsecurity.com/ or follow us on Twitter: @FarsightSecInc.