DNS NXDOMAIN Flood DDoS Attacks Impacting Healthcare, HC3 Warns
HC3 warned the healthcare sector of DNS NXDOMAIN flood DDoS attacks, which are used by threat actors to overload DNS servers and slow down systems.
HHS warned the healthcare sector of ongoing DNS NXDOMAIN flood distributed denial-of-service (DDoS) attacks that could pose significant threats to security and system availability. HHS' cybersecurity arm, the Health Sector Cybersecurity Coordination Center (HC3), issued a detailed alert about the attacks and encouraged healthcare organizations to take action to mitigate risk.
In a DNS NXDOMAIN flood DDoS attack, threat actors seek to overload the Domain Name System (DNS) server with a large volume of requests, which can ultimately slow or prevent authorized users from accessing websites or services.
“In this type of DDoS, the DNS server will spend time trying to locate something that does not exist instead of processing the legitimate user request. As the volume of invalid requests increases, the authoritative server will begin to slow down, preventing legitimate requests from getting a response,” HC3 stated.
“Additionally, legitimate clients trying to access the website will increase the load even further. In most cases, the DNS proxy server and the DNS authoritative server will use all their time handling those bad requests. When successful, the outcome of these attacks can result in higher utilization of resources on the server, and the cache will be filled up with NXDOMAIN replies.”
Detecting and blocking this type of attack is difficult because the queries come from large botnets of thousands of compromised devices spread across many locations. This type of DDoS attack can negatively impact network providers, website owners, and end users, as it renders key products and services inaccessible.
“During normal operations, receiving small amounts of NXDOMAIN responses is considered normal. They can result from several things, such as users mistyping web addresses or dead hyperlinks that reference servers which no longer exist,” HC3 noted.
“In most cases, these requests are typically redirected to authoritative nameservers, which are the DNS servers used to host the records of public services, so that users and clients across the Internet can locate them.”
However, in the case of this attack type, organizations may observe an exceptionally large number of DNS queries for non-existent hostnames under legitimate domains. Additionally, the source IPs are widely distributed and may be spoofed, which makes source-based blocking unreliable and complicates attribution.
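The detection signal described above (a high share of NXDOMAIN answers for a zone, failing names that never repeat and look random, and many distinct sources) can be checked directly against query logs. The following is an added example written for this article, not code from HC3 or NETSCOUT: the log line format (`<epoch> <client_ip> <qname> <rcode>`), the zone list, the thresholds and the sample traffic are all assumptions constructed for the demonstration. Note that the verdict deliberately does not key on per-source counts, since the sources are distributed and possibly spoofed; it keys on what the zone as a whole is being asked.

```python
"""Spot an NXDOMAIN flood in DNS query logs (added example, assumptions inline)."""
import math
import random
from collections import Counter, defaultdict

# Zones this server is authoritative for (assumption for the example).
ZONES = ("example.org", "example.net")


def make_sample_log(seed=7):
    """Construct a log: normal traffic with one typo, plus a flood of
    random labels under example.org from many distinct source addresses."""
    rng = random.Random(seed)
    lines = []
    for i in range(40):  # legitimate, repeated lookups of real names
        lines.append(f"{1000 + i} 203.0.113.{i % 5 + 1} www.example.org NOERROR")
        lines.append(f"{1000 + i} 198.51.100.{i % 3 + 1} mail.example.net NOERROR")
    lines.append("1040 203.0.113.9 wwww.example.org NXDOMAIN")  # a user typo
    for i in range(300):  # flood: never-repeating labels, scattered sources
        label = "".join(rng.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=12))
        src = (f"{rng.randint(1, 223)}.{rng.randint(0, 255)}."
               f"{rng.randint(0, 255)}.{rng.randint(1, 254)}")
        lines.append(f"{1000 + i // 10} {src} {label}.example.org NXDOMAIN")
    return lines


def zone_of(qname):
    """Map a query name to one of our zones (None if it is not ours)."""
    qname = qname.rstrip(".").lower()
    for zone in ZONES:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def label_entropy(label):
    """Shannon entropy (bits/char) of a label; random labels score high,
    typos such as 'wwww' score low."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(lines, nx_ratio=0.5, unique_ratio=0.8, min_sources=50, min_entropy=2.5):
    """Per-zone NXDOMAIN statistics plus a flood verdict.

    A flood shows as: most answers for the zone are NXDOMAIN, the failing
    names almost never repeat (so the cache cannot absorb them), the leftmost
    labels look random, and the queries come from many sources.
    """
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set(),
                                 "nx_sources": set(), "entropy": []})
    for line in lines:
        _ts, src, qname, rcode = line.split()
        zone = zone_of(qname)
        if zone is None:
            continue
        s = stats[zone]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"].add(qname)
            s["nx_sources"].add(src)
            s["entropy"].append(label_entropy(qname.split(".")[0]))
    report = {}
    for zone, s in stats.items():
        nx = s["nx"]
        ratio = nx / s["total"]
        uniq = len(s["nx_names"]) / nx if nx else 0.0
        ent = sum(s["entropy"]) / nx if nx else 0.0
        flagged = (ratio >= nx_ratio and uniq >= unique_ratio
                   and len(s["nx_sources"]) >= min_sources and ent >= min_entropy)
        report[zone] = {"total": s["total"], "nxdomain": nx, "nx_ratio": round(ratio, 3),
                        "unique_nx_names": round(uniq, 3), "nx_sources": len(s["nx_sources"]),
                        "mean_label_entropy": round(ent, 2), "flood": flagged}
    return report


if __name__ == "__main__":
    for zone, r in analyze(make_sample_log()).items():
        print(zone, r)
```

In the constructed sample, example.org is flagged (about 88% NXDOMAIN, every failing name unique, roughly 300 sources) while example.net, which only ever answers NOERROR, is not. The thresholds are starting points: tune `nx_ratio` against the zone's normal NXDOMAIN baseline, which HC3 notes is never zero because of typos and stale links.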
HC3 cautioned organizations against reflexively blocking source IPs, since doing so can lock legitimate users out of the very websites and services being protected. Drawing on a post by NETSCOUT, HC3 recommended mitigations including implementing DNS response rate limiting, ensuring that a cache refresh takes place, and applying rate limiting to traffic destined for overwhelmed servers.
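Response rate limiting is the mitigation that addresses HC3's caution directly: instead of blocking addresses, the server caps how many NXDOMAIN answers it will send per source prefix per second, and periodically replaces a suppressed answer with a truncated reply so a real client retries over TCP, which a spoofed source cannot do. The following is an added example written for this article, not HC3, NETSCOUT or BIND code: it is a simplified per-/24 token bucket in the spirit of BIND's `rate-limit { nxdomains-per-second; window; slip; }` settings, and the parameter values and simulated traffic are assumptions.

```python
"""Response rate limiting for NXDOMAIN answers (added example, simplified)."""
from ipaddress import ip_network


class NxdomainRateLimiter:
    """Per-/24 token bucket: each NXDOMAIN answer costs one token, tokens
    refill at `nxdomains_per_second` up to a burst of rate * window."""

    def __init__(self, nxdomains_per_second=5, window=5, slip=2):
        self.rate = float(nxdomains_per_second)
        self.capacity = self.rate * window      # burst allowance (assumed semantics)
        self.slip = slip
        self._buckets = {}                      # prefix -> (tokens, last_seen)
        self._overflow = {}                     # prefix -> over-limit counter

    @staticmethod
    def _prefix(client_ip):
        # Aggregate per /24 so a spoofer cannot dodge the limit by rotating the last octet.
        return str(ip_network(f"{client_ip}/24", strict=False))

    def decide(self, now, client_ip, rcode):
        """Return 'answer', 'slip' (truncated reply, TC=1) or 'drop'."""
        if rcode != "NXDOMAIN":
            return "answer"                     # only the costly negative answers are limited
        key = self._prefix(client_ip)
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return "answer"
        self._buckets[key] = (tokens, now)
        n = self._overflow[key] = self._overflow.get(key, 0) + 1
        # Every slip-th over-limit query gets a tiny truncated reply instead of
        # silence: a genuine client retries over TCP, a reflection victim gets
        # a few bytes rather than a full answer, and a spoofed sender gets nothing useful.
        return "slip" if self.slip and n % self.slip == 0 else "drop"


def simulate(queries, **limits):
    """Run the limiter over (time, client_ip, rcode) tuples; return verdict counts."""
    rrl = NxdomainRateLimiter(**limits)
    counts = {"answer": 0, "slip": 0, "drop": 0}
    for now, ip, rcode in queries:
        counts[rrl.decide(now, ip, rcode)] += 1
    return counts


if __name__ == "__main__":
    # Constructed burst: 100 NXDOMAIN queries in the same instant from one /24.
    flood = [(0.0, f"192.0.2.{i % 250 + 1}", "NXDOMAIN") for i in range(100)]
    print(simulate(flood))
```

With the defaults the burst of 100 gets 25 real answers, 37 truncated replies and 38 silent drops, while a single NXDOMAIN query from another /24 in the same instant is still answered and NOERROR answers are never touched. When deploying the real thing, run it in log-only mode first and watch what the limiter would have suppressed before enforcing, since a large NAT or shared resolver behind one /24 can look like a flood.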
As previously reported, HC3 recently raised concerns about pro-Russia hacktivist group KillNet, which has been executing DDoS attacks against healthcare organizations since its emergence in 2022.
NETSCOUT’s latest DDoS Threat Intelligence Report detailed the techniques of KillNet and other DDoS threat actors. NETSCOUT, which sells performance management, cybersecurity, and DDoS protection products, reported a tenfold increase in DDoS attack frequency since its first report in 2005.
DDoS attacks remain a significant threat to healthcare organizations worldwide: they can be difficult to detect and are rarely mitigated by any single cybersecurity control. Healthcare organizations should instead layer several measures to mitigate DDoS attacks and stay current on the tactics threat actors are using.