Why agents & brokers are prime targets for DNS water-torture cyberattacks

At the end of June, Netscout was tracking more than 660 daily instances of these types of domain name system attacks.


Insurance agencies and brokerages are among the most frequently targeted businesses for domain name system (DNS) water-torture attacks, a form of distributed denial-of-service (DDoS) attack that has seen a 353% increase in daily deployments since the start of 2023, according to Netscout Systems, Inc.

For background, a DDoS is an attack that aims to overwhelm a target and its infrastructure, say a website, with a flood of internet traffic, creating a logjam. With the site’s servers overwhelmed, regular users will not be able to access it.


“If an attacker wants to take down a company’s online presence they can either go after the website directly, they can go after VPN concentrators, content distribution networks and things of that nature, or they can simply go after the DNS server,” explains Roland Dobbins, principal engineer with Netscout’s ASERT Threat Intelligence Team.

DNS water-torture attacks, technically called nonexistent DNS label attacks, have been around since 2009, according to Dobbins, and work like this: an attacker’s botnet, a collection of devices infected with and controlled by malware, issues streams of DNS queries for nonexistent records within the domain of a targeted site.

“If our target is using www.example.com, instead of sending a DNS query for www.example.com, the attack might consist of pseudo-randomized queries for pseudo-randomized records that don’t actually exist, like XYZ123456.www.example.com,” Dobbins says.


The reason attackers do this is twofold, he explains. The first reason is to bypass any cached DNS records held by a recursive resolver, such as Google’s public DNS, and reach the authoritative DNS server directly.

The second reason is that when a DNS server gets a query for a record that doesn’t exist, it must issue a negative response, known as NXDOMAIN, for each and every request.

“So the attacker gets to burden the DNS server for the domain under attack with this flood of queries, and it also forces them to respond to each and every one of those with a response saying ‘this record that you asked for doesn’t exist,’” Dobbins says.
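The two signals described above, a flood of NXDOMAIN responses and random-looking labels under the victim domain, both show up in the authoritative server’s query log. The following Python is an added example, not code from the article or from Netscout: it parses constructed log lines in an assumed simplified format (`client_ip qname rcode`) and flags sources whose queries under the zone are mostly NXDOMAIN with high-entropy leftmost labels.

```python
"""Flag DNS water-torture (NXDOMAIN flood) patterns in an authoritative DNS query log."""
import math
from collections import defaultdict

# Constructed sample log (RFC 5737 documentation addresses); format is an assumption.
SAMPLE_LOG = """\
198.51.100.7 www.example.com NOERROR
198.51.100.7 mail.example.com NOERROR
203.0.113.5 xyz123456.www.example.com NXDOMAIN
203.0.113.5 q8k2m1zp.www.example.com NXDOMAIN
203.0.113.5 a9b7c3d1.www.example.com NXDOMAIN
203.0.113.5 mn3k9q2x.www.example.com NXDOMAIN
203.0.113.9 www.example.com NOERROR
203.0.113.9 shop.example.com NOERROR
203.0.113.9 typo.example.com NXDOMAIN
"""

def label_entropy(label):
    """Shannon entropy in bits per character; pseudo-random labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    """Yield (client_ip, qname, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ip, qname, rcode = parts
            records.append((ip, qname.lower().rstrip("."), rcode.upper()))
    return records

def water_torture_suspects(records, zone, min_queries=3, nx_ratio=0.8, min_entropy=2.5):
    """Per-source stats for clients whose queries under `zone` are mostly NXDOMAIN
    and whose leftmost labels look random (a single typo query does not qualify)."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "entropy_sum": 0.0})
    for ip, qname, rcode in records:
        if qname != zone and not qname.endswith("." + zone):
            continue  # only the zone we are authoritative for
        s = stats[ip]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["entropy_sum"] += label_entropy(qname.split(".")[0])
    suspects = {}
    for ip, s in stats.items():
        if s["total"] < min_queries or s["nx"] == 0:
            continue
        ratio, avg_entropy = s["nx"] / s["total"], s["entropy_sum"] / s["nx"]
        if ratio >= nx_ratio and avg_entropy >= min_entropy:
            suspects[ip] = {"queries": s["total"], "nxdomain_ratio": round(ratio, 2),
                            "avg_label_entropy": round(avg_entropy, 2)}
    return suspects
```

In production the same per-source counters would be fed by the resolver’s or authoritative server’s live query stream and paired with rate limiting for the flagged sources.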

Why agents & brokers are targeted

In addition to the usual reasons for cyberattacks, such as financial gain or accessing sensitive information, agents and brokers are often targeted because of how the market is structured, according to Dobbins.

Many agents and brokers are independent entrepreneurs who lean on affiliations with larger and much more visible insurance carriers. In some cases, a hacker won’t realize the independent nature of the business relationship, and mistakenly believe the agency is part of a larger corporate structure, Dobbins says.

In other instances, attackers might find they can exert pressure on a company to pay a ransom demand, for example, by attacking its sales agents.

“What this means is that the people, again independent entrepreneurs that are the backbone of realty and the backbone of the insurance industry, are at disproportionate risk of being caught in a DDoS attack,” Dobbins says.
