Posted July 21, 2016
DNS (Domain Name System) DDoS (Distributed Denial of Service) attacks are popular because they are easy to perform. It doesn’t take many resources or advanced skill to bring down unprotected DNS servers, which is exactly what makes protecting your organization against DNS attacks so crucial.
Why Is DNS So Vulnerable to DDoS Attacks?
DNS as a protocol was not designed with security in mind; security has been bolted onto it piece by piece over time. DNS traffic is, by its nature, expected to pass through firewalls with little or no inspection, which makes it a prime channel for malicious actors, whether their goal is DDoS, command and control, or data exfiltration. Because the protocol is stateless, a number of different kinds of DDoS attack can exploit the weaknesses of a DNS deployment.
DNS queries are normally carried over UDP, a connectionless transport. There is no session establishment, so there is no built-in way to identify or authenticate a legitimate request versus a malicious one, and the source address on a UDP query can simply be forged. The security infrastructure therefore has to inspect and mitigate based on the domains being queried and on behavioral patterns of DNS use. Secondly, DNS is by design a protocol for exploring and discovering the Internet: it is intended to let anyone, including those with malicious intent, look up and profile a victim’s network, with nothing in the protocol to stop them.
DDoS attacks against your organization’s DNS infrastructure can be a death sentence if your applications or website rely heavily on DNS services to operate. From going dark entirely to creating areas ripe for compromise, your overall cyber security ecosystem is only as strong as its weakest link.
How to Protect Your Organization’s DNS Servers from DDoS Attacks
To better protect an organization’s DNS infrastructure, here are a few options to consider:
Filtering DNS requests to ensure they conform to the DNS protocol standard is a good way to shift attack load onto a network filtering device. The idea is to drop malformed or malicious requests before they ever reach the DNS server, and to throttle sources whose query behavior does not look like that of a legitimate client.
There are service providers that specialize in DoS and DDoS mitigation, and there is hardware that can filter requests and reduce the impact of an attack. Bear in mind that a solution that works well against one form of attack may not address other forms of attack or other vulnerabilities.
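To make the two ideas above concrete (protocol-conformance filtering from this paragraph, and inspection based on behavioral patterns from the section above), here is an added example of a small pre-filter that would sit in front of a DNS server. It is illustrative code written for this article, not LookingGlass code and not a description of any product. It parses the DNS header and question section per RFC 1035, rejects packets that break the wire-format rules, and applies a per-source sliding-window rate limit. The limits (20 queries per second per source), the refusal of compression pointers in a query name, and the sample packets are all assumptions made for the example.

```python
import struct
import time
from collections import defaultdict, deque

# Illustrative DNS pre-filter (example code for this article, not product code).
# Thresholds below are assumed values for the demonstration, not recommendations.
HEADER_LEN = 12
MAX_LABEL = 63          # RFC 1035: a label is at most 63 octets
MAX_NAME = 253          # RFC 1035: a presentation-format name is at most 253 octets
RATE_LIMIT = 20         # assumed: queries per source per window
WINDOW_SECONDS = 1.0    # assumed: sliding window length


class DnsFilterError(Exception):
    """Raised when a packet fails a protocol-conformance check."""


def parse_query(packet: bytes) -> dict:
    """Parse the header and single question of a DNS query, enforcing RFC 1035 limits."""
    if len(packet) < HEADER_LEN:
        raise DnsFilterError("short header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:HEADER_LEN])
    if flags & 0x8000:
        raise DnsFilterError("QR bit set: this is a response, not a query")
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 2):            # QUERY or STATUS; IQUERY (1) is obsolete
        raise DnsFilterError(f"unsupported opcode {opcode}")
    if qd != 1 or an != 0 or ns != 0:
        raise DnsFilterError("a query must carry exactly one question and no answers")
    pos = HEADER_LEN
    labels = []
    while True:                          # walk the question name label by label
        if pos >= len(packet):
            raise DnsFilterError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            # Pointers are legal in responses; this filter assumes queries are
            # built uncompressed and treats a pointer in the question as malformed.
            raise DnsFilterError("compression pointer in query name")
        if length > MAX_LABEL:
            raise DnsFilterError("label longer than 63 octets")
        label = packet[pos:pos + length]
        if len(label) != length:
            raise DnsFilterError("label runs past end of packet")
        if not label.isascii():
            raise DnsFilterError("non-ASCII octets in label")
        labels.append(label.decode("ascii"))
        pos += length
    name = ".".join(labels)
    if len(name) > MAX_NAME:
        raise DnsFilterError("name longer than 253 octets")
    if pos + 4 > len(packet):
        raise DnsFilterError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass != 1:                      # IN is the only class a public server expects
        raise DnsFilterError(f"unexpected QCLASS {qclass}")
    return {"id": txid, "name": name, "qtype": qtype, "arcount": ar}


class SourceRateLimiter:
    """Behavioral check: sliding-window query count per source address."""

    def __init__(self, limit: int = RATE_LIMIT, window: float = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)   # src_ip -> timestamps of recent queries

    def allow(self, src_ip: str, now: float) -> bool:
        q = self.seen[src_ip]
        while q and now - q[0] > self.window:   # expire entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def filter_packet(packet: bytes, src_ip: str, limiter: SourceRateLimiter, now: float):
    """Return ("pass", parsed_query) or ("drop", reason) for one inbound datagram."""
    try:
        query = parse_query(packet)
    except DnsFilterError as exc:
        return "drop", str(exc)
    if not limiter.allow(src_ip, now):
        return "drop", "rate limit exceeded"
    return "pass", query


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a well-formed query (flags: RD set) as constructed sample input."""
    out = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed sample traffic: one good query, one response masquerading as a
    # query, one truncated packet, one oversized label, then a flood from one source.
    good = build_query("www.example.com")
    limiter = SourceRateLimiter()
    samples = [
        ("198.51.100.7", good),
        ("198.51.100.7", good[:2] + bytes([good[2] | 0x80]) + good[3:]),
        ("198.51.100.7", good[:-5]),
        ("198.51.100.7", build_query("a" * 64 + ".example.com")),
    ] + [("203.0.113.9", good)] * (RATE_LIMIT + 1)
    for src, pkt in samples:
        print(src, filter_packet(pkt, src, limiter, time.time()))
```

The protocol checks are cheap and stateless, which is what lets a filtering device absorb the load instead of the resolver; the rate limiter is the only part that keeps per-client state, and in a real deployment it would need bounded memory (an LRU or a probabilistic counter), since an attacker sending from many spoofed addresses can otherwise exhaust it.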
The LookingGlass DNS Defender solution was expressly built to provide protection for Internet facing recursive and authoritative DNS servers that are targeted in DDoS attacks. Learn more about LookingGlass DNS Defender and other solutions to protect your DNS infrastructure.