A Checklist for Withstanding DNS Attacks

By Renuka Nadkarni, Director of Product Management-Security at Infoblox

DNS threats are rising. In the last year alone, there has been a 200 percent increase in
Domain Name System (DNS) attacks and a 58 percent increase in Distributed Denial of
Service (DDoS) attacks. Because DNS is an essential component of how the Internet
functions – associating and translating domain names into IP addresses to locate services
and devices around the world – it must be open and accessible to everyone on the Internet.
As a result, DNS servers are a tempting target for cyber-criminals, “hacktivists” and other
malicious groups. Traditional approaches to network security often neglect the protection of
DNS’s critical infrastructure, which may leave the network vulnerable to internal and external
attacks.

DDoS attacks, which seek to knock sites offline with a flood of malicious traffic, have been
an especially fast-growing threat and have led to crippling downtime, with the average loss
for a 24-hour outage costing a company $27 million. Without functioning DNS, smartphones
don’t work, an enterprise can’t do business online, teams can’t communicate effectively,
productivity drops, customer satisfaction declines, revenue is reduced and the company’s
reputation is at risk.

Are You Prepared to Withstand DNS Attacks?

Some security solutions claim to offer protection for DNS, but most are limited in what they
can protect against. If you really want to fortify your network to withstand a DNS attack, you
need to do the following:

Recognize the attack. More often than not, DNS attacks manifest as “web site not working,”
and it takes a while before the problem is isolated as a DNS issue. Attacks on DNS cause
different types of effects:

DNS services not available is the most common impact of an attack. It can be caused by
a DDoS attack that brings down the DNS server with a flood of queries, or by a single,
specifically crafted query that exploits a DNS vulnerability to bring the network
down.

Outbound bandwidth choke is a DNS-based amplification that can cause uplink bandwidth
to saturate. In this case, Internet connectivity can be lost or interrupted for the entire campus
and on rare occasions a service provider will cut off access.

Network infrastructure failure may happen when asymmetric DNS traffic causes other
elements that are processing the traffic, such as firewalls, switches and routers, to fail.
Putting in larger-capacity network equipment may only be a temporary fix in this case, and
the attack would surface again soon.
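
The first two effects above can be told apart in DNS server logs. The following Python code is an added example, not part of the original article: it assumes a constructed record format (timestamp, client IP, query type, query bytes, response bytes) and assumed thresholds, and flags clients whose traffic looks like a query flood or like amplification.

```python
from collections import defaultdict

# Constructed sample records, one per answered query:
# (timestamp_seconds, client_ip, qtype, query_bytes, response_bytes)
SAMPLE = (
    [(i * 10.0, "192.0.2.10", "A", 60, 120) for i in range(6)]          # ordinary client
    + [(i * 0.5, "198.51.100.7", "ANY", 64, 3200) for i in range(20)]   # small queries, large answers
    + [(i * 0.004, "203.0.113.5", "A", 60, 90) for i in range(500)]     # high-rate flood
)

def summarize(records):
    """Aggregate per-client query count, bytes in/out and first/last timestamp."""
    stats = defaultdict(lambda: {"queries": 0, "in": 0, "out": 0, "first": None, "last": None})
    for ts, client, _qtype, qbytes, rbytes in records:
        s = stats[client]
        s["queries"] += 1
        s["in"] += qbytes
        s["out"] += rbytes
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats

def classify(records, max_qps=50.0, max_amp=10.0, min_queries=5):
    """Return {client: finding} for clients above the assumed thresholds.

    In an amplification attack the logged client address is usually spoofed:
    it identifies the victim receiving the large answers, not the sender.
    """
    findings = {}
    for client, s in summarize(records).items():
        if s["queries"] < min_queries or s["in"] == 0:
            continue  # too little data to judge
        span = max(s["last"] - s["first"], 1.0)   # avoid dividing by ~0 for bursts
        qps = s["queries"] / span
        amp = s["out"] / s["in"]                  # bytes sent per byte received
        labels = []
        if qps > max_qps:
            labels.append("query-flood")          # service-availability symptom
        if amp > max_amp:
            labels.append("amplification")        # outbound-bandwidth symptom
        if labels:
            findings[client] = {"qps": round(qps, 1), "amp": round(amp, 1), "labels": labels}
    return findings

if __name__ == "__main__":
    for client, finding in sorted(classify(SAMPLE).items()):
        print(client, finding)
```

The thresholds are placeholders; set them from a baseline of your own server's normal query rate and response sizes.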

Know your types of attack. The number of potential threats is growing. Among the most
prevalent:

Direct DNS amplification attacks are aimed at congesting a DNS server’s outbound
bandwidth. Attackers can use a small volume of outbound traffic to cause the DNS server to


Cyber Warnings E-Magazine – April 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide