CloudFlare’s new Virtual DNS service lets web hosts, registrars and enterprises protect themselves from an emerging type of Distributed Denial of Service attack that targets the application layer without having to change their nameservers.
Launched last week, the new service lets an organization point its nameservers at a CloudFlare IP address so that DNS requests pass through CloudFlare’s infrastructure first. If there is a high volume of requests, even hundreds of millions of requests per second, CloudFlare takes the brunt of the attack and stops it from reaching the host’s infrastructure.
Combatting a New Type of DDoS Attack
Paying attention to DNS is becoming crucial, as it is becoming a key breaking point for many businesses and web hosts.
The traditional DDoS attack sends bad traffic that saturates ports at network layer 3 or layer 4, which essentially fills the pipes of the Internet, blocking legitimate traffic and causing site disruptions. According to CloudFlare co-founder and CEO Matthew Prince, there has been a troubling trend over the past 18 months: “extremely high volume DNS attacks that were instead of sending garbage traffic, sending legitimate DNS requests.”
These new DDoS attacks are particularly pernicious because filtering or scrubbing garbage traffic at the edge no longer works: the DNS queries they send are completely valid. To make matters worse, the largest attacks can involve more than 200 million DNS requests per second. “The only way to respond to stay on top of them is to be able to respond to DNS requests as fast as the attacker can generate those requests,” Prince said.
Around a year ago, he said, registrars and web hosts such as Digital Ocean started reaching out to CloudFlare to look for a solution.
“The challenge of this was that there were very few providers in the hosting industry and the registrar industry with the infrastructure to be able to keep up with hundreds of millions of DNS requests per second, which takes a whole server farm of machines to deal with it, ideally distributed around the world.”
With nearly 4 Tb of total capacity, CloudFlare can absorb vast amounts of DNS traffic. That capacity was previously available only through CloudFlare’s hosted DNS service, but hosted DNS wasn’t always an ideal solution for large-scale web hosts.
Retrofitting DDoS Protection
Many new web hosts opt to use hosted DNS from the outset. But many existing web hosts that follow a legacy model would often rather keep their nameservers.
For instance, a web host might have a tight cPanel integration with its DNS servers so that when a customer makes a change, it is pushed out to the host’s existing DNS servers. Using a hosted DNS service adds a layer of complexity and requires the host to set up API calls to the DNS provider whenever a user makes a DNS change through their cPanel account.
“That coordination of changing that DNS and the application logic and then getting all of the legacy records updated is a lot of moving parts that can create a lot of problems. And so what we tried to do is create a solution where you don’t have to make any change to your cPanel configuration or whatever application you’re using. All you have to do is make one change where you make CloudFlare sit in front of it, and it essentially acts as a virtual shield,” Prince said.
Additionally, the web host keeps control of its nameservers, meaning it is not locked into any hosted DNS provider. If the host terminates the service, it can quickly go back to its existing DNS infrastructure.
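The shield model described above (a caching DNS front that answers repeated valid queries itself and only forwards cache misses to the host’s legacy nameservers, so the origin sees a tiny fraction of a query flood) can be sketched as a small simulation. This is an added example, not CloudFlare’s code, and it assumes a constructed zone, a plain TTL cache and a stand-in origin nameserver rather than the real service’s internals.

```python
from collections import defaultdict

# Constructed zone data standing in for the host's own (legacy) nameservers.
ORIGIN_ZONE = {
    ("example.test.", "A"): ("192.0.2.10", 300),
    ("www.example.test.", "A"): ("192.0.2.11", 60),
    ("mail.example.test.", "MX"): ("10 mx.example.test.", 3600),
}

class OriginNameserver:
    """Stand-in for the host's DNS servers sitting behind the shield."""
    def __init__(self, zone):
        self.zone = zone
        self.queries_seen = 0  # load that actually reaches the host

    def resolve(self, name, rtype):
        self.queries_seen += 1
        return self.zone.get((name, rtype))  # (rdata, ttl) or None

class VirtualDnsFront:
    """Assumed shield: answers from a TTL cache, forwards only misses."""
    def __init__(self, origin, negative_ttl=30):
        self.origin = origin
        self.negative_ttl = negative_ttl  # cache NXDOMAIN-style misses too
        self.cache = {}  # (name, rtype) -> (answer, expires_at)
        self.per_second = defaultdict(int)  # queries absorbed per second

    def query(self, name, rtype, now):
        self.per_second[int(now)] += 1
        key = (name, rtype)
        cached = self.cache.get(key)
        if cached and cached[1] > now:
            return cached[0]  # served at the edge, origin never contacted
        answer = self.origin.resolve(name, rtype)
        ttl = answer[1] if answer else self.negative_ttl
        self.cache[key] = (answer, now + ttl)
        return answer

    def peak_qps(self):
        return max(self.per_second.values(), default=0)

def simulate_flood(total_queries=100_000, seconds=5):
    """Flood of valid queries spread evenly over `seconds`; returns load split."""
    origin = OriginNameserver(ORIGIN_ZONE)
    front = VirtualDnsFront(origin)
    names = [("www.example.test.", "A"), ("example.test.", "A"),
             ("mail.example.test.", "MX"), ("nx.example.test.", "A")]
    for i in range(total_queries):
        name, rtype = names[i % len(names)]
        front.query(name, rtype, i * seconds / total_queries)
    return {"front_queries": total_queries, "front_peak_qps": front.peak_qps(),
            "origin_queries": origin.queries_seen}
```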
While Prince notes that the Virtual DNS service was designed mainly with web hosts in mind, a few enterprises were also very interested, given how difficult it is for them to switch away from their legacy DNS systems.
“We’ve been somewhat surprised that there are also a lot of large enterprise customers that we work with that said ‘We want to keep our legacy DNS infrastructure, but we want to make sure that it’s as fast and resilient as possible.’”
Virtual DNS provides a good balance of simplicity, speed and security without forcing them to adapt to a hosted DNS system or build their own globally resilient network with capacity to match bigger and bigger DDoS attacks.