New variant of DNS water torture DDoS?

Question

I have a block of static IPs through my DSL provider, and these host all of my online infrastructure (because you effectively have no security at all when you give up physical control of your servers). This is a one person operation, at the outer fringe of the grid.I recently discovered that my DNS services have been suffering a water torture attack, occasionally resulting in congestion that makes the connection virtually unusable. I think I know who is doing this and why, but that's immaterial to this post, as I don't expect anyone (including law enforcement) to do anything substantial to help resolve that situation.Everything that I can find in my quick search of literature on the subject talks about these sorts of attacks using randomly generated non-existent subdomains (e.g. ...example.com), but I suspect this pattern of abuse has been mitigated by ISPs and backbone operators? Instead, I am seeing my server answering queries for endless capitalization permutations of the names that actually exist: example.com, eXamPle.com, ExAmple.COM, and so on.Can anyone link me to current reference material describing this variation of DDoS attack? What is my best plan for mitigating this kind of attack?

evgen · Accepted Answer

This sort of mixed-case queries are 0x20 bit encoding and are a security measure for dns lookups, not a specific attack. The number and amount of queries may rise to the level of being a DDoS and in that case you should consider options for serving your DNS ouside of your personal infrastructure like Cloudflare or Stackpath. To put it as clearly as possible, if you are on any sort of residential line and hosting all of your DNS there it is trivial for _any_ attacker to take you offline. You simply don't have access to the bandwidth necessary to deal with the attack and your ISP is not going to care enough to provide you with any real help. It is time to let professionals with access to real resources help.