A new type of denial-of-service attack is gaining popularity which employs an alarming new tactic. Instead of armies of bots directly inundating a victim's server with a multitude of queries, this new attack instead sends queries to DNS (domain name system) servers with the return address pointed at the targeted victim. The DNS server then makes the direct attack on the victim. This is a much stronger attack, and is a lot more difficult to stop.
While it is possible to stop a bot-delivered DOS attack by blocking the bot's IP address, blocking queries from DNS servers would prove more difficult, Ken Silva, VeriSign's chief security officer, said. He noted that companies could reconfigure their DNS servers to prevent the so-called recursive name service feature, as a possible solution. But he added that companies may be loath to prevent potential customers, partners, researchers and others from sending queries to their DNS.