DNS denial-of-service attacks are popular because they are easy to perform: it takes few resources and little skill to bring down an unprotected DNS server.
DNS was not designed with security in mind; security features have been bolted onto the protocol over time. DNS traffic is expected to pass through firewalls with little or no inspection, which makes it attractive to attackers for DDoS, command and control, and data exfiltration. Because the protocol is connectionless and stateless, it also lends itself to several distinct kinds of DDoS and other attacks.
DNS queries are normally carried over UDP, a transport with no session establishment (TCP is used for zone transfers and for answers too large for a datagram, but ordinary lookups are UDP). With no handshake, a server cannot tell a legitimate query from a malicious one by the transport alone: the source address is unauthenticated and trivially spoofed, which is also what makes reflection and amplification possible. Security infrastructure therefore has to inspect and mitigate based on protocol conformance, the domains being queried and behavioural patterns of DNS use. Secondly, DNS is by design a discovery protocol for the Internet. Anyone, including an attacker, can use it to profile a target's network, and an authoritative server cannot refuse to answer lookups for the names it publishes. Zone transfers and open recursion can and should be restricted, but ordinary queries cannot be turned off.
To better protect an organization’s DNS infrastructure, here are a few options to consider:
Filtering DNS requests to ensure they meet DNS protocol standards is a good way to move attack load onto a network filtering device. The idea is to drop malformed and non-conforming requests before they reach the DNS server, so the server spends cycles only on queries that at least look legitimate. Conformance filtering alone does not stop a flood of well-formed queries (random-subdomain attacks, for example); those need rate limiting and behavioural analysis on top.
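A concrete version of the protocol-conformance check described above, and of the earlier point that nothing in the transport authenticates a query so the filter has to reason about the datagram itself. This is an added example, not LookingGlass code or a description of DNS Defender: it assumes the filter sits in front of the UDP/53 listener and sees each raw datagram, and it applies RFC 1035 wire-format rules (header layout, section counts, label and name lengths, backward-only compression pointers) plus the RFC 6891 OPT layout. The sample datagrams at the bottom are constructed, not captured traffic. The `flag` verdict on ANY queries is a policy choice shown for illustration.

```python
"""Protocol-conformance filter for raw DNS query datagrams (RFC 1035 wire format).

Added example, not LookingGlass code. Assumes the filter sits in front of the
UDP/53 listener and sees each datagram before the server does; anything that
fails a structural check is dropped without costing the resolver a lookup.
"""
from __future__ import annotations
import struct

HEADER_LEN = 12
MAX_NAME_LEN = 255          # RFC 1035 2.3.4, including the terminating root octet
OPCODE_QUERY = 0
QTYPE_OPT = 41
QTYPE_ANY = 255


class MalformedQuery(ValueError):
    """Carries a short reason string suitable for drop counters / logs."""


def parse_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Parse a wire-format name; return (dotted name, offset just after it).

    Compression pointers must point strictly backward and never into the
    header, which rules out pointer loops without needing a hop counter.
    """
    labels, total, end = [], 0, None
    while True:
        if offset >= len(msg):
            raise MalformedQuery("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(msg):
                raise MalformedQuery("truncated compression pointer")
            ptr = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if ptr < HEADER_LEN or ptr >= offset:
                raise MalformedQuery("forward or in-header compression pointer")
            if end is None:
                end = offset + 2                       # name ends after first pointer
            offset = ptr
            continue
        if length & 0xC0:                              # 0x40 / 0x80 label types are reserved
            raise MalformedQuery("reserved label type")
        if length == 0:                                # root label terminates the name
            offset += 1
            break
        total += 1 + length                            # length octet + label (<= 63 here)
        if total + 1 > MAX_NAME_LEN:
            raise MalformedQuery("name exceeds 255 octets")
        label = msg[offset + 1 : offset + 1 + length]
        if len(label) != length:
            raise MalformedQuery("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        offset += 1 + length
    return ".".join(labels) or ".", (offset if end is None else end)


def validate_query(msg: bytes) -> dict:
    """Return parsed fields for a well-formed query, or raise MalformedQuery."""
    if len(msg) < HEADER_LEN:
        raise MalformedQuery("shorter than the 12-octet header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!6H", msg)
    if flags >> 15:
        raise MalformedQuery("QR set: a response sent to the query port")
    if (flags >> 11) & 0xF != OPCODE_QUERY:            # NOTIFY/UPDATE need their own policy
        raise MalformedQuery("opcode is not QUERY")
    if (flags >> 9) & 1 or (flags >> 6) & 1 or flags & 0xF:
        raise MalformedQuery("TC, Z or RCODE set in a query")
    if qdcount != 1 or ancount or nscount or arcount > 1:
        raise MalformedQuery("section counts not 1/0/0/0 (or 1/0/0/1 with OPT)")
    qname, off = parse_name(msg, HEADER_LEN)
    if off + 4 > len(msg):
        raise MalformedQuery("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    edns_payload = None
    if arcount == 1:
        # OPT pseudo-RR (RFC 6891 6.1.2): root name, TYPE 41, CLASS = advertised
        # UDP payload size, TTL = extended RCODE/flags, RDLENGTH, RDATA.
        if off + 11 > len(msg) or msg[off] != 0:
            raise MalformedQuery("additional record is not a valid OPT")
        rtype, payload, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off + 1)
        if rtype != QTYPE_OPT:
            raise MalformedQuery("only OPT is permitted in a query's additional section")
        off += 11 + rdlen
        if off > len(msg):
            raise MalformedQuery("OPT RDATA truncated")
        edns_payload = payload
    if off != len(msg):
        raise MalformedQuery("trailing octets after the last section")
    return {"txid": txid, "qname": qname, "qtype": qtype, "qclass": qclass,
            "edns_payload": edns_payload}


def filter_datagram(msg: bytes) -> tuple[str, str]:
    """Verdict for one datagram: ('drop'|'flag'|'accept', reason or qname)."""
    try:
        q = validate_query(msg)
    except MalformedQuery as e:
        return "drop", str(e)
    if q["qtype"] == QTYPE_ANY:       # structurally legal, but the classic amplification query
        return "flag", f"ANY query for {q['qname']}"
    return "accept", q["qname"]


# Constructed sample datagrams (not captured traffic).
GOOD_A_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")
GOOD_EDNS_QUERY = (GOOD_A_QUERY[:11] + b"\x01" + GOOD_A_QUERY[12:]
                   + b"\x00" + b"\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00")
RESPONSE_TO_QUERY_PORT = b"\x12\x34\x81\x80" + GOOD_A_QUERY[4:]
POINTER_LOOP = GOOD_A_QUERY[:12] + b"\xc0\x0c" + b"\x00\x01\x00\x01"
ANY_QUERY = GOOD_A_QUERY[:-4] + b"\x00\xff\x00\x01"

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_A_QUERY), ("edns", GOOD_EDNS_QUERY),
                      ("response", RESPONSE_TO_QUERY_PORT), ("loop", POINTER_LOOP),
                      ("any", ANY_QUERY)]:
        print(f"{name:9s} -> {filter_datagram(pkt)}")
```

The checks are deliberately cheap (fixed-offset header reads, a single linear pass over the name) so the filter can be applied to every datagram at line rate. Everything it rejects would otherwise have cost the server a parse and, for a well-formed-looking name, a lookup. Behavioural controls such as per-source rate limits and response rate limiting are a separate layer that sits behind this one.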
There are service providers that specialize in DoS and DDoS mitigation, and there is hardware that can filter requests and reduce the attack impact. A solution that works well against one form of attack may not address others, so evaluate each option against the specific attack types and vulnerabilities that concern you rather than against "DDoS" in general.
The LookingGlass DNS Defender solution was expressly built to protect Internet-facing recursive and authoritative DNS servers that are targeted in DDoS attacks. Learn more about LookingGlass DNS Defender at https://www.lookingglasscyber.com/products/threat-mitigation/dns-defender/.