Not every cloud attack causes downtime. Some are designed purely to inflate your AWS bill. While reviewing our Amazon Route 53 billing on a Tuesday morning, we noticed sudden cost spikes with no impact on availability or performance. The culprit turned out to be a Random Subdomain (Water Torture) DNS attack. In this post, we share what happened, how this type of attack works, and the single Route 53 configuration change that permanently neutralised the financial impact.
While reviewing our AWS billing data, we noticed unusual spikes in Amazon Route 53 costs. On certain days, DNS query volume jumped from a normal baseline of a few million queries per day to well over 200 million queries in a single day. This resulted in additional charges of almost $100 per day, compared to the usual few dollars.
Despite the spike, there was no availability impact, no application disruption, and no operational alarms. The issue was purely financial.
Initially we suspected a misconfiguration on our side. After enabling and analysing Route 53 Query Logs, the picture became clear: we were dealing with a Random Subdomain attack, also known as a Water Torture attack.
An attacker generates DNS queries for random, non-existent subdomains, for example:
Because these names do not exist, Route 53 returns NXDOMAIN responses. Resolvers do cache negative answers (RFC 2308), but only under the exact name that was queried, and the attacker never asks for the same random name twice. Every query is therefore a cache miss that has to be answered authoritatively by Route 53. The result: no service disruption, but a significant DNS bill.
In our case, more than 99% of all queries resulted in NXDOMAIN, a textbook indicator of this type of attack.
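The indicator described above can be checked mechanically once query logging is on. The following is an added example, not code from the original post: it parses Route 53 public DNS query log lines, computes the NXDOMAIN ratio for one zone, measures how random the leftmost label of the failing names looks, and lists the resolvers sending the most NXDOMAIN traffic. The log lines are constructed; the field layout assumed is the documented Route 53 public query log format (version, timestamp, hosted zone ID, query name, query type, response code, protocol, edge location, resolver IP, EDNS client subnet), and the zone IDs, names and addresses are placeholders.

```python
# Added example (not code from the original post): triage Route 53 public DNS
# query logs for the Random Subdomain (Water Torture) signature. The log lines
# below are constructed; the assumed field layout is the documented Route 53
# public query log format. Zone IDs, names and addresses are placeholders.
from collections import Counter
from dataclasses import dataclass
import math

SAMPLE_LOG = """\
1.0 2024-03-05T08:15:50.235Z Z0123456789ABCDEFGHIJ www.aws.example.com A NOERROR UDP FRA6 203.0.113.10 -
1.0 2024-03-05T08:15:50.301Z Z0123456789ABCDEFGHIJ x9q2kd7f.aws.example.com A NXDOMAIN UDP FRA6 198.51.100.7 -
1.0 2024-03-05T08:15:50.312Z Z0123456789ABCDEFGHIJ h3m8v1zp.aws.example.com A NXDOMAIN UDP FRA6 198.51.100.7 -
1.0 2024-03-05T08:15:50.330Z Z0123456789ABCDEFGHIJ qw7e2r9t.aws.example.com AAAA NXDOMAIN UDP FRA6 198.51.100.7 -
1.0 2024-03-05T08:15:50.351Z Z0123456789ABCDEFGHIJ k4j6n1b8.aws.example.com A NXDOMAIN UDP AMS1 198.51.100.8 -
1.0 2024-03-05T08:15:50.377Z Z0123456789ABCDEFGHIJ p0o9i8u7.aws.example.com A NXDOMAIN UDP FRA6 198.51.100.7 -
1.0 2024-03-05T08:15:50.398Z Z0123456789ABCDEFGHIJ z1x2c3v4.aws.example.com A NXDOMAIN UDP AMS1 198.51.100.8 -
1.0 2024-03-05T08:15:50.402Z Z0123456789ABCDEFGHIJ m5n6b7v8.aws.example.com A NXDOMAIN UDP FRA6 198.51.100.7 -
1.0 2024-03-05T08:15:50.419Z Z0123456789ABCDEFGHIJ l0k9j8h7.aws.example.com A NXDOMAIN UDP AMS1 198.51.100.8 -
1.0 2024-03-05T08:15:50.433Z Z0123456789ABCDEFGHIJ g6f5d4s3.aws.example.com A NXDOMAIN UDP FRA6 198.51.100.7 -
1.0 2024-03-05T08:15:51.000Z Z0ZZZZZZZZZZZZZZZZZZZ shop.example.org A NOERROR UDP IAD12 203.0.113.10 -
not a log line
"""


@dataclass(frozen=True)
class QueryLogEntry:
    timestamp: str
    zone_id: str
    qname: str
    qtype: str
    rcode: str
    protocol: str
    edge: str
    resolver_ip: str
    client_subnet: str


def parse_line(line: str):
    """Parse one query log line; None for lines without the expected 10 fields."""
    parts = line.split()
    if len(parts) != 10 or parts[0] != "1.0":
        return None
    return QueryLogEntry(*parts[1:])


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a DNS label. Human-chosen
    labels such as 'www' score low; machine-generated labels score high."""
    if not label:
        return 0.0
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_zone(lines, zone_name: str) -> dict:
    """Summarise the queries whose name falls under zone_name."""
    suffix = "." + zone_name.strip(".").lower()
    total = nxdomain = 0
    nx_sources = Counter()
    entropies = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        name = entry.qname.rstrip(".").lower()
        if name == suffix[1:]:
            leftmost = ""
        elif name.endswith(suffix):
            leftmost = name[: -len(suffix)].split(".")[0]
        else:
            continue  # query for another zone
        total += 1
        if entry.rcode == "NXDOMAIN":
            nxdomain += 1
            nx_sources[entry.resolver_ip] += 1
            entropies.append(label_entropy(leftmost))
    return {
        "total": total,
        "nxdomain": nxdomain,
        "nxdomain_ratio": nxdomain / total if total else 0.0,
        "mean_nx_label_entropy": sum(entropies) / len(entropies) if entropies else 0.0,
        "top_nxdomain_sources": nx_sources.most_common(3),
    }


def looks_like_water_torture(stats: dict, min_queries: int = 10,
                             ratio_threshold: float = 0.9,
                             entropy_threshold: float = 2.5) -> bool:
    """High NXDOMAIN share plus high-entropy failing labels is the signature."""
    return (stats["total"] >= min_queries
            and stats["nxdomain_ratio"] >= ratio_threshold
            and stats["mean_nx_label_entropy"] >= entropy_threshold)


if __name__ == "__main__":
    s = analyze_zone(SAMPLE_LOG.splitlines(), "aws.example.com")
    print(s)
    print("water torture suspected:", looks_like_water_torture(s))
```

On the constructed sample the zone sees 10 queries, 9 of them NXDOMAIN with fully random 8-character labels, and the report names the two resolver addresses doing the asking. Real logs from CloudWatch will be far larger, but the same three numbers (NXDOMAIN share, label entropy, top sources) are what separate an attack from a misconfigured client that keeps asking for one wrong name.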
Amazon Route 53 is designed to handle massive query volumes without degradation. From an availability point of view, everything worked exactly as expected. The pricing model tells a different story: standard DNS queries are billed per million queries, and an NXDOMAIN answer is billed exactly like a positive one, so the bill scales with attack volume even though nothing is broken.
After discussing mitigation options with AWS, one solution stood out for its simplicity and effectiveness: a wildcard Alias record.
*.aws.example.com → A (Alias) → AWS resource
The Alias target can be any of the following:
This approach provides two critical layers of cost protection.
First, no Route 53 query charges.
DNS queries to Alias records that point to supported AWS resources (for example an Elastic Load Balancer, a CloudFront distribution or an S3 website endpoint) are free of charge. Even if millions of queries reach Route 53, they are not billed. There are two catches. The record must specifically be an Alias: a regular A record pointing to a dummy IP address is billed like any other query. And the Alias must target an AWS resource, not another record in the same hosted zone, which is billed as a standard query. Check the current Route 53 pricing page for the exact list of Alias targets that qualify.
Second, positive answers are cacheable for the target's TTL.
Responses now come back NOERROR with the Alias target's address instead of NXDOMAIN, so an intermediate resolver caches each answer for the record's TTL rather than for the zone's negative-caching TTL. The limit of this benefit is that a cache entry only helps when the same name is asked again; for truly random labels it reduces very little, so the first layer, unbilled Alias queries, is what actually neutralises the cost.
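The change itself is a single record, but the catch above (Alias, not a plain A record to a dummy address) is easy to get wrong in a change batch. The following is an added example, not the post's or AWS's own code: it builds the Route 53 ChangeBatch for the wildcard Alias, checks that the record set is in the unbilled form before anything is submitted, and only calls boto3 when explicitly asked to. The hosted zone ID, the ALB name and the target zone ID are placeholders; the real values come from your own account and from the AWS documentation for the target's hosted zone ID.

```python
# Added example (not code from the original post or from AWS): build and
# sanity-check the ChangeBatch for a wildcard Alias record, then apply it with
# boto3 only on request. All identifiers below are constructed placeholders.
import json
import sys

HOSTED_ZONE_ID = "Z0123456789ABCDEFGHIJ"          # placeholder: zone for aws.example.com
RECORD_NAME = "*.aws.example.com."                 # the wildcard from the post
ALIAS_TARGET_DNS = "dummy-alb-123456789.eu-west-1.elb.amazonaws.com."  # placeholder ALB
ALIAS_TARGET_ZONE_ID = "ZPLACEHOLDERELBZONE"       # placeholder: the ALB's regional zone ID

# The tempting shortcut that is NOT free: a plain A record to a dummy address.
PLAIN_A_TO_DUMMY_IP = {
    "Name": RECORD_NAME,
    "Type": "A",
    "TTL": 300,
    "ResourceRecords": [{"Value": "192.0.2.1"}],
}


def wildcard_alias_change(record_name: str, target_dns: str, target_zone_id: str,
                          rtype: str = "A") -> dict:
    """ChangeBatch that UPSERTs a wildcard Alias record to an AWS resource."""
    return {
        "Comment": "Wildcard Alias to absorb random-subdomain queries",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_name,
                "Type": rtype,
                "AliasTarget": {
                    "HostedZoneId": target_zone_id,
                    "DNSName": target_dns,
                    "EvaluateTargetHealth": False,
                },
            },
        }],
    }


def check_wildcard_alias(rrset: dict, own_zone_id: str) -> list:
    """Return the reasons this record set would still be billed (or is
    malformed); an empty list means it is the unbilled wildcard Alias form."""
    problems = []
    if not rrset.get("Name", "").startswith("*."):
        problems.append("name is not a wildcard (must start with '*.')")
    alias = rrset.get("AliasTarget")
    if alias is None:
        problems.append("not an Alias record: a plain A record is billed per query")
    elif alias.get("HostedZoneId") == own_zone_id:
        problems.append("Alias to a record in the same hosted zone is billed as a standard query")
    if "ResourceRecords" in rrset:
        problems.append("Alias records carry no ResourceRecords")
    if "TTL" in rrset:
        problems.append("Alias records take their TTL from the target; do not set TTL")
    return problems


def apply_change(change_batch: dict, hosted_zone_id: str) -> dict:
    """Submit the batch. boto3 is imported lazily so the rest runs offline."""
    import boto3
    r53 = boto3.client("route53")
    return r53.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                           ChangeBatch=change_batch)


if __name__ == "__main__":
    batch = wildcard_alias_change(RECORD_NAME, ALIAS_TARGET_DNS, ALIAS_TARGET_ZONE_ID)
    rrset = batch["Changes"][0]["ResourceRecordSet"]
    print(json.dumps(batch, indent=2))
    print("wildcard alias problems:", check_wildcard_alias(rrset, HOSTED_ZONE_ID))
    print("plain A problems:", check_wildcard_alias(PLAIN_A_TO_DUMMY_IP, HOSTED_ZONE_ID))
    if "--apply" in sys.argv:
        print(apply_change(batch, HOSTED_ZONE_ID)["ChangeInfo"]["Status"])
```

Run it without arguments to print the batch and the check results; `--apply` submits the UPSERT with whatever AWS credentials boto3 finds. The same check function can be pointed at existing record sets returned by `list_resource_record_sets` to confirm that a wildcard someone created earlier is really the Alias form and not the billed plain A record.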
Does the wildcard interfere with existing records? No. Route 53 always returns the most specific record that matches a query, so an explicit record such as api.aws.example.com is answered before *.aws.example.com is considered; the wildcard only answers names that have no record of their own.
Existing workloads behave exactly the same as before.
We chose to deploy the wildcard Alias record permanently. The benefits clearly outweighed any drawbacks:
Since implementing this change, similar attacks are financially neutralised.
AWS Shield Advanced provides:
AWS expects customers to already implement the basics, and the wildcard record is explicitly one of them. In practice, with the wildcard in place, Route 53 query costs drop to almost zero. Shield Advanced becomes relevant mainly for larger or more complex attack scenarios.
Not every attack causes downtime. Some attacks are designed purely to impact your cloud bill, and Random Subdomain attacks are a clean example. The fix is small. The cost of missing it is not.
Three takeaways:
A wildcard Alias record in Route 53 is no longer optional — it is an essential defensive measure.