Dark DDoS: hacker tools and techniques – the challenges faced

Hackers can have many different possible objectives. For instance, they may aim to interrupt business, corrupt data, steal information – or even all of these at the same time.

To reach their goals, they continuously look for any vulnerability – and will use any vulnerability – to attack. They’re getting increasingly smarter and always looking for more, faster and easier ways to strike.

Furthermore, their attacks are no longer designed simply to deny service but to deny security. The initial service denial attack is often used as a camouflage to mask further – and potentially more sinister – activities.

These include data theft, network infiltration, data exfiltration, networks being mapped for vulnerabilities, and a whole host of other potential risks.

>See also: DDoS attacks: why size isn’t everything

These types of attacks are often referred to as ‘Dark DDoS’ because of initial smokescreen attack which acts to distract organisations from the real breach that’s taking place.

In a large proportion of recent data breaches, DDoS (distributed denial of service attacks) have been occurring simultaneously – as a component of a wider strategy – meaning hackers are utilising this technique in a significant way.

According to a report by SurfWatch Labs, DDoS attacks rose 162% in 2016. SurfWatch Labs claims this is due to the increasing use of IoT devices and the attacks on the KrebsOnSecurity.com and on domain name provider, Dyn – believed to be some of the biggest DDoS attacks ever recorded.

Last year, France was also hit by one of the largest DDoS attacks when hosting company, OVH, was targeted through 174,000 connected cameras.

Today’s hackers have developed a high variety of DNS attacks that fall into three main categories:

Volumetric DoS attacks

An attempt to overwhelm the DNS server by flooding it with a very high number of requests from one or multiple sources, leading to degradation or unavailability of the service.

Stealth/slow drip DoS attacks

Low-volume of specific DNS requests causing capacity exhaustion of outgoing query processing, leading to degradation or unavailability of the service.


Attacks exploiting bugs and/or flaws in DNS services, protocol or on operating systems running DNS services.

Often DNS threats are geared towards a specific DNS function (cache, recursive & authoritative), with precise damage objectives.

>See also: How to improve your DDoS defence

This aspect must be integrated into the DNS security strategy to develop an in-depth defence solution, ensuring comprehensive attack protection.

The list below of the most common attacks aims to emphasise the diversity of the threats and details the extent of the attack surfaces:

Volumetric attacks

Direct DNS attacks

Flooding of DNS servers with direct requests, causing saturation of cache, recursion or authoritative functions. This attack is usually sent from a spoofed IP address.

DNS amplification

DNS requests generating an amplified response to overwhelm the victim’s servers with very large traffic.

DNS reflection

Attacks using numerous distributed open resolver servers on the Internet to flood victim’s authoritative servers (usually combined with amplification attacks).


Flooding of the DNS servers with non-existing domains requests, implying recursive function saturation.

Stealth/slow drip DoS attacks

Sloth domain attacks

Attacks using queries sent to hacker’s authoritative domain that very slowly answers requests – just before the time out, to cause victim’s recursive server capacity exhaustion.

Phantom domain attack

Attacks targeting DNS resolvers by sending them sub-domains for which the domain server is unreachable, causing saturation of cache server capacity.

Random subdomain attack (RQName)

Attacks using random query name, causing saturation of victim’s authoritative domain and recursive server capacity.


Zero-Day vulnerability

Zero-day attacks take advantage of DNS security holes for which no solution is currently available.

DNS-based exploits

Attacks exploiting bugs and/or flaws in DNS services, protocol or on operating systems running DNS services.

DNS tunnelling

The DNS protocol is used to encapsulate data in order to remotely control malware or/and the exfiltration of data.

Protocol anomalies

DNS Attacks based on malformed queries, intending to crash the service.

DNS cache poisoning

Attacks introducing data into a DNS resolver’s cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker’s computer.

The DNS landscape security is continuously moving and DNS attacks are becoming more and more sophisticated, combining multiple attack vectors at the same time.

>See also: Major sites shut down by DDoS attack after taking over smart devices

Today’s DDoS attacks are almost unrecognisable from the simple volumetric attacks that gave the technique its name. In 2017, they have the power to wreak significant damage – as all those affected by the Dyn breach last year will testify – they are far more sophisticated, deceptive and frequent.

To keep ahead of these threats, today’s security solutions must continuously protect against a family of attacks rather than a limited list of predefined attacks that must be frequently updated or tuned.


Sourced by Hervé Dhélin, worldwide marketing director, EfficientIP

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

DDoS Attack