
Healthcare websites flooded by fake requests in ongoing DDoS attacks


In addition to the ongoing targeting by Killnet, healthcare entities are facing another DDoS campaign flooding targeted networks and servers with fake DNS requests for non-existent domains, or NXDOMAINs.

The latest Department of Health and Human Services Cybersecurity Coordination Center (HC3) alert warns that the onslaught of DNS NXDOMAIN DDoS attacks is designed to overload targeted servers with large volumes of invalid requests.

As a result, the targeted DNS server spends its effort attempting to resolve the non-existent domains instead of processing legitimate user requests, slowing the server down and preventing it from responding to those legitimate requests.

The greater the volume of invalid requests, the slower the server becomes. The impact is further broadened by legitimate clients trying to reach the site, since their retries add to the load. According to the alert, “In most cases, the DNS proxy server and the DNS authoritative server will use all their time handling those bad requests.”

What’s more, this type of campaign is difficult to detect and block, as the attack is launched from botnets made up of thousands of compromised devices, much like the other ongoing DDoS campaigns.

Successful attacks cause a higher utilization of resources and a cache filled with NXDOMAIN replies, which can “ultimately slow or completely prevent an authorized user from gaining access to a website or services.”

These NXDOMAIN DDoS attacks could have negative consequences for end users, network providers, and website owners, HC3 warned. Websites and other service providers are the typical targets of these attacks, which are designed to make their services inaccessible to legitimate customers.

Receiving a small number of NXDOMAIN responses is considered normal during business hours, as users mistype web addresses or follow “dead hyperlinks” to nonexistent servers. But these are typically redirected to the proper server.

"A DNS NXDOMAIN flood DDoS attack is dangerous because it can be difficult to detect. Many DNS server administrators misidentify the slowdown as a performance problem when in actuality it is a NXDOMAIN attack on their DNS server," according to NETSCOUT researchers.

To detect malicious NXDOMAIN attacks, HC3 warned that network defenders should look out for large volumes of DNS queries for non-existent hostnames under legitimate domains.

The alert lists the attack's characteristics, including widely distributed IPs, possibly spoofed source IPs, and traffic made up of UDP packets encapsulated in IPv4 and IPv6. Network defenders are urged to be cautious when blocking IPs, as doing so could inadvertently block legitimate users from accessing their public services.
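As an added illustration of the detection signal HC3 describes (large volumes of queries for non-existent hostnames under a legitimate domain) and of why the alert cautions against blanket IP blocking when sources are widely distributed, the following Python script is not from the HC3 alert or the NETSCOUT analysis. It summarizes constructed resolver log lines in an assumed `time client qname rcode` format and flags zones whose NXDOMAIN profile looks like a flood rather than the ordinary trickle of typos. The log format, the zone-splitting rule and every threshold are assumptions chosen for the example.

```python
"""Flag a DNS NXDOMAIN flood from resolver log lines.

Added example, not code from the HC3 alert or NETSCOUT. The log format,
the sample data and the thresholds are all constructed assumptions.
"""
from collections import defaultdict

# Constructed log excerpt: "<time> <client-ip> <qname> <rcode>".
# The first zone receives a burst of never-repeated hostnames from many
# sources; the second only sees one ordinary typo (wwww.) alongside real
# traffic. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10:00:01 203.0.113.10 www.hospital.example NOERROR
10:00:01 203.0.113.11 portal.hospital.example NOERROR
10:00:01 203.0.113.12 wwww.hospital.example NXDOMAIN
10:00:02 203.0.113.10 mail.hospital.example NOERROR
10:00:02 203.0.113.11 www.hospital.example NOERROR
10:00:02 198.51.100.1 a9f3k.hospital.example NXDOMAIN
10:00:02 198.51.100.2 zq81m.hospital.example NXDOMAIN
10:00:02 198.51.100.3 p0xw2.hospital.example NXDOMAIN
10:00:03 198.51.100.4 r7t1c.hospital.example NXDOMAIN
10:00:03 198.51.100.5 kk93d.hospital.example NXDOMAIN
10:00:03 198.51.100.6 m2nq8.hospital.example NXDOMAIN
10:00:03 198.51.100.7 v5hh0.hospital.example NXDOMAIN
10:00:03 198.51.100.8 b6jy4.hospital.example NXDOMAIN
10:00:01 203.0.113.20 www.clinic.example NOERROR
10:00:02 203.0.113.21 www.clinic.example NOERROR
10:00:02 203.0.113.20 wwww.clinic.example NXDOMAIN
10:00:03 203.0.113.22 portal.clinic.example NOERROR
"""


def parse_line(line):
    """Split one log line into (time, client, qname, rcode); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    time, client, qname, rcode = parts
    return time, client, qname.lower().rstrip("."), rcode.upper()


def zone_of(qname, labels=2):
    """Zone a query belongs to. Assumes two-label zones such as hospital.example;
    a real deployment would use its own zone list or the public suffix list."""
    parts = qname.split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else qname


def summarize(lines):
    """Per-zone counters: total queries, NXDOMAINs, and the distinct
    sources and names behind the NXDOMAINs."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0,
                                 "nx_sources": set(), "nx_names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip blank or malformed lines
            continue
        _, client, qname, rcode = rec
        s = stats[zone_of(qname)]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["nx_sources"].add(client)
            s["nx_names"].add(qname)
    return stats


def flag_zones(lines, min_queries=10, nx_ratio=0.5, unique_name_ratio=0.8,
               distributed_sources=5):
    """Return {zone: report}. A zone is a suspected flood when it carries enough
    traffic, most answers are NXDOMAIN, and the failing names almost never
    repeat (typos of a real host repeat; generated junk names do not).
    Thresholds are illustrative assumptions and must be tuned to a baseline."""
    report = {}
    for zone, s in summarize(lines).items():
        ratio = s["nxdomain"] / s["total"]
        uniq = len(s["nx_names"]) / s["nxdomain"] if s["nxdomain"] else 0.0
        flood = (s["total"] >= min_queries and ratio >= nx_ratio
                 and uniq >= unique_name_ratio)
        # Many distinct sources means per-IP blocking would be both ineffective
        # and likely to cut off real users; prefer response rate limiting.
        distributed = len(s["nx_sources"]) >= distributed_sources
        report[zone] = {
            "total": s["total"],
            "nxdomain": s["nxdomain"],
            "nx_ratio": round(ratio, 3),
            "distinct_nx_names": len(s["nx_names"]),
            "distinct_nx_sources": len(s["nx_sources"]),
            "flood": flood,
            "advice": ("rate-limit NXDOMAIN responses for the zone; avoid per-IP blocks"
                       if flood and distributed else
                       "per-source rate limit" if flood else "baseline"),
        }
    return report


if __name__ == "__main__":
    for zone, r in flag_zones(SAMPLE_LOG.splitlines()).items():
        print(zone, r)
```

On the constructed data, `hospital.example` is flagged (13 queries, 9 NXDOMAIN, 9 distinct failing names from 9 sources) while `clinic.example` stays at baseline with a single repeated-style typo. Before relying on such thresholds, measure the normal business-hours NXDOMAIN share the alert says to expect, and treat the `distinct_nx_sources` count as the reason to reach for response rate limiting rather than address blocks.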

NETSCOUT recommends several key mitigation measures to reduce the impact, which are detailed in its threat analysis. Entities should consider implementing DNS Response Rate Limiting, adding rate limiting for traffic on overwhelmed servers, and blackhole routing or filtering of suspected domains and servers.

As noted, the NXDOMAIN DDoS campaign joins the ongoing targeting of healthcare by Killnet hacktivists. Over 90 of these attacks struck provider entities in January. While the rate of these attacks has slowed in the last month, entities were previously warned to bolster employee education on their online presence, given the high risk to digital identities posed by the threat.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
