Cybersecurity blog header

DNS Water Torture: how not to drown in this tsunami of requests

DNS Water Torture attack aims to saturate server capacities

Through DNS Water Torture, attackers send an avalanche of requests to saturate the capacities of DNS servers and cause a denial of service

Companies are the main target of many cybercriminals. And in many cases, DNS servers are the yellow circle at which they aim their arrows. Thus, through denial-of-service attacks such as DNS Water Torture, attackers try to deny DNS service and prevent access to web services, among others.

DDoS attacks attempt to disrupt the activity of websites and organisations’ systems by launching vast volumes of requests. Also known as distributed denial-of-service attacks, they seek to saturate server capacities, causing a collapse and impacting the experience of legitimate users.

Attacks of this nature have taken place more than two decades ago. Let’s remember that Canadian teenager under the pseudonym mafiaboy who put some of the most important companies of the time in check. And since then, their frequency and intensity have continued to increase. The most significant DDoS attack in history occurred just a couple of months ago when Cloudflare faced more than 70 million malicious requests per second.

However, these offensives are not only targeting private firms. Any institution with Internet exposure can become a target for attackers, who proceed to launch attacks by coordinating their botnets.

In just one week, the websites of the Royal House, the Ministry of Justice, the Ministry of Territorial Protection, CERES, Navantia, Renfe, IEEE and the Madrid Court of Arbitration were attacked. And these represent only a tiny percentage of the total number of entities targeted by the attackers. For this reason, reinforcing the walls of protection against attacks such as DNS Water Torture is a priority task in the digital age.

1. Understanding the domain name system

There is no single class of distributed denial-of-service attacks; several categories can be distinguished. Among them are domain name system offensives, which aim to crash the DNS resolution of the victim’s domain.

Known as the Domain Name System, this Internet protocol performs the functions of a telephone directory. But to understand how it works, it is essential to understand how Internet users and browsers access websites.

The latter use IP addresses, a unique combination of numbers separated by dots that identify the layer 3 address of a network interface. However, people’s memory is limited, and it would not be operational to remember the IP of each website, for example. This is why users simply type the domain name (such as into their browsers since it is easier to memorise the addresses.

The DNS protocol then comes into play. It is in charge of translating both worlds, identifying the IP address of the domain typed by the Internet user. This system plays an essential role: without it, communications in online environments would be more complex.

Each Internet service provider usually makes its own DNS servers available to its customers. Thus, when a person makes a request from their home, he is really asking the DNS provided by his provider if it knows the IP address of the domain he wants to access, the one he has typed in. And this server may or may not know it directly.

If it does, it transmits the answer to the user, who can establish a connection to the website. But what happens if it does not know it? Then, that request begins to climb recursively through a hierarchy of DNS servers, looking for one that can answer it. Ultimately, the request will go up to the authoritative DNS of the domain: the DNS server that manages the names of the domain to be resolved and on which the web page to be accessed is included.

It should be noted that once the authoritative DNS has replied with the answer to the request, the answer follows the reverse path carried out by the request until it returns to the Internet user who initiated the query and establishes the connection.

2. The lifetime of a DNS record

But why do some of the intermediate DNS servers have the answer and others do not? The key lies in Time To Live (TTL) for a given DNS record.

DNS services maintain a series of records where protocol-related information, such as DNS responses to previous requests, is stored. This approach is highly effective in speeding up future resolutions since if a user makes a new request that has already been answered in the past, the DNS server will be able to reply directly without the need to escalate the request back to the authoritative DNS server. By storing the response in its records, it will be able to respond to you instantly, reducing the workload on the rest of the infrastructure.

But these records are not infinite and consume memory and processing time. All the information stored in these logs has an expiration date, popularly known as Time To Live. This indicator expresses how long a resolution will be valid without the need to escalate it again to other DNS servers.

Suppose, for example, a DNS server enjoys a TTL of two hours. The first time a person makes a resolution request for the domain, the provider’s server will have to fall back to the authoritative server. However, this is no longer necessary for all other requests over the next two hours, which it can resolve autonomously. After this period has elapsed, the authoritative server will have to be called upon again, restarting the countdown.

At first glance, this protocol is not very dangerous. But no area is risk-free. Cybercriminals lurk in every nook and cranny, looking for any vulnerability, no matter how small. Ultimately, if they manage to exploit it, it can become a gateway into organisations.

For this reason, companies looking to strengthen their infrastructure should not underestimate attacks such as DNS Water Torture. In such an ever-changing environment, it is vital to stay abreast of new criminal techniques, designing effective prevention and response measures to neutralise these attempts.

DNS Water Torture attack can affect all kinds of organizations

3. DNS Water Torture

Many malicious users use DNS servers as an attack vector to threaten companies and disrupt their communications: a goal they achieve through extremely damaging DDoS attacks, as in the case of DNS Water Torture.

The choice of name is not accidental. Water torture consisted of pouring drops of cold water on a person’s head or forehead for a very long period. These drops fell irregularly so that the victim tried to anticipate when the next one would hit, unable to fall asleep. And this impacted their mental stability, leading them to the point of bordering on insanity.

Today, this method of torture has leapt into the digital sphere. DNS Water Torture ultimately destabilises critical servers in any DNS hierarchy: the authoritative ones. How?

Instead of water drops, random subdomains are used. Cybercriminals write non-existent domains, including up to 16 characters, before the actual domain (such as Logically, the provider’s DNS server cannot find the IP address in question, so it makes a recursive request and asks the other servers for help.

Since it does not exist, none of them will know the answer to the DNS request. Consequently, the request escalates until it reaches the authoritative server. With this technique, attackers can easily ensure that all malicious traffic will reach its destination, i.e. the authoritative server of the victim’s domain.

If a botnet is used, the total number of malicious requests will multiply, and the increase in fake traffic could increase CPU and memory consumption. If the infrastructure cannot cope with the DNS Water Torture load, the attack will thrive, and the servers will go down, leading to a denial of service situation.

And this is where the problems begin for the organisation because the rest of the DNS servers will be unable to complete domain resolutions without the corresponding authoritative server.

However, the effects of the attack will not be immediately apparent. Why? As we have seen above, all servers have a Time To Life.

If the cache memory of the computers resists for three hours, it will still be some time before the first user cannot access the website. But if, after that time, the DNS Water Torture attack persists, the website will be cut off since no server will find the IP corresponding to the domain. And no user can resolve the domain to connect and access the page.

In short, every domain has a trivially identifiable authoritative server. With relatively little effort, they can make it at their mercy, blinding it and causing severe damage to the resources that share that domain.

4. DNS Reflection

Remember that DNS Water Torture is not the only way to provoke a DoS situation by abusing DNS protocols. Many malicious users use, for example, reflective techniques to attack specific computers instead of domains.

In these cases, and if the attacker’s Internet provider allows it, the attackers spoof their victim’s IP, impersonating the victim’s identity to the DNS servers. They then forward large volumes of DNS resolution requests. Unlike DNS Water Torture, however, the requests no longer need to be random.

Since the cybercriminal has spoofed his source IP, he does not receive these responses. The path has a new destination: the spoofed IP address. The DNS servers are unaware of the deception and send these communications to the spoofed computer, believing that it was the computer that sent them at the origin. As the name suggests, this attack works as a mirror, reflecting the requests.

In this way, a flood of DNS responses is transmitted, eventually saturating the victim’s computer’s capacity and putting it out of action. However, this method is more complex, as it requires the attacker to spoof an IP for the servers to forward traffic to the chosen target.

At the same time, the DNS server network acts as an intermediary, hiding the attacker’s position and confusing the victim, who is unaware of the source of the flood.

5. DNS Amplification

In addition to DNS Water Torture and DNS Reflection, cyber criminals use a third attack to launch this type of DDoS attack by abusing the DNS protocol. And that is DNS Amplification.

The above system is based on proportionality. The number of requests sent by the attacker is equivalent to the number of requests that assault the victim. Consequently, to destabilise computers, a vast number of requests must be sent. Otherwise, there is a good chance that they will be able to withstand the additional load of the offensives.

But DNS Amplification makes it even easier for attackers. This technique is based on exploiting the asymmetry between the traffic volume of a request and its response. If the total traffic sent by the attacker is significantly lower than the traffic sent to the victim by the DNS server, the chances of generating a DoS situation are much higher.

This means that the attackers need fewer resources to achieve their goals.

DNS servers are the target of attackers carrying out the DNS Water Torture attack

6. Which organisations are affected by these attacks?

The myth that attackers only target large multinationals is quite widespread. And this belief can take its toll. While it is true that the most scandalous cases are those affecting larger firms with millions of customers, this difference in impact does not mean that small and medium-sized companies are spared from cybercrime.

Quite the contrary. These companies do not have such ambitious cybersecurity budgets, so the consequences of attacks like DNS Water Torture can be even more devastating.

E-commerce is a telling example of the damage caused by these dangers. Online stores are the most significant business channel for many companies. If they succumb to these threats and their service is interrupted, the economic blow from this stoppage would destabilise their financial health.

This situation is especially critical during Black Friday and other sales periods, and these are dates when e-retailers experience peaks in traffic and sales. For this reason, it is crucial to strengthen your website to prevent possible falls and make the most of this type of sales opportunities.

Publicly traded companies are another primary target of attacks such as DNS Water Torture. These firms hold shareholder meetings annually, and investors visit their websites to check available information. In addition, many companies are required by law to file their results publicly, and if they fail to do so on time, they could face penalties.

Organisations working in more sensitive activities, such as online banks, must also guard against these threats, regardless of their size or sector. And what about the attacker’s motive? The attacker’s motives can vary: he may do it to blackmail the company and earn money for personal or commercial reasons…

7. How to fight against DNS Water Torture?

What is the most effective way to avoid becoming a victim of a denial of service? Prevention. And this starts when deciding on the system architecture.

While some companies opt for on-premise servers, others rent equipment and delegate management to cloud providers. At the same time, the most cautious companies do not simply hire a single piece of equipment but have multiple servers. Thus, if one fails, the service will not be down, and they will enjoy a precious level of redundancy to facilitate their business continuity.

The ability to scale is another advantage of relying on cloud providers. At the slightest sign of an attack, these companies offer the possibility of increasing the number of computers dedicated to handling requests, distributing workloads efficiently and preventing machine saturation.

This infinity of servers is an effective defence barrier to resist large-scale attacks such as DNS Water Torture. And even if one computer goes down temporarily, another will be available to take over its functions and prevent the failure from impacting the user experience.

This is all the more difficult when the company is in charge of managing the servers. On-premise systems are not as scalable and are more likely to buckle under the flood of requests. This is especially true for small or medium-sized companies that do not have a robust infrastructure and do not have a large budget for these issues.

However, to reinforce the organisation’s firewall, it is essential to consider all fronts. This a critical task when it comes to businesses working with sensitive information or relying on digital sales channels. And alliance with cybersecurity experts such as Tarlogic is critical to try to keep attackers away by simulating attacks in controlled environments through DoS tests.

In short, the large providers are the ones that are best prepared to support high traffic volumes thanks to the scalability of their infrastructure, which has proven its effectiveness in all types of attacks. And customers who incorporate this service will gain access to a precious shield that will help them combat the blows of cyber criminals.