If Your DNS is not Secure, You are not Secure
By now you have either heard about or experienced the effects from the massive DDoS attacks against the DNS servers at Dyn, a DNS Service Provider, and other DNS service providers. These high-profile attacks crippled the Internet and made access to high profile sites such as Twitter, Netflix, Box, The New York Times and many others either impossible or sporadic.
The attack a few weeks ago was a very sophisticated reflection/amplification attack that used thousands of IoT devices such as Internet cameras and DVRs that were susceptible to the from Mirai malware. Mirai is a form of malware that exploits weaknesses in IoT devices such as default passwords. While Mirai is sophisticated (the source code is in the wild) there are less sophisticated DNS DDoS attacks that are not difficult to launch. The attacker community has developed DDoS-as-a-service tools such as DNS Flooder that allow less sophisticated attackers to target industries. Besides service providers, attackers focus their efforts on gaming, financial services, education and retail organizations that require an Internet presence to do business.
Infoblox hosted a webcast with our Chief DNS Architect, Cricket Liu, to focus on lessons learned from the recent Dyn DDoS attack. We focused on best practices for deploying a DNS architecture, pitfalls to avoid, and the role DNS security plays in your network infrastructure. If you missed the webcast, the recording is available Here
A few of the key takeaways included:
- Ensure you evaluate the broader range of DNS Security issues rather than focus on the specifics of the particular attack.
- Consider how to integrate security measures in DNS with your broader security architecture.
What can you do to better prepare yourself?
- Use a mixed set of authoritative name servers - homogeneity
- On-premises name servers
- Hosted name servers
- If your DNS hosting provider or one of its customers is attacked, recursive name servers on the Internet will notice that they’re not responding and will favor your on-premises name servers
- Use authoritative name servers that resist DDoS attacks as these can resist non-volumetric attacks
- Use Response Policy Zones to cut off infected devices from command-and-control servers
- Use Response Policy Zones to hardwire critical name-to-address mappings in the event of another DDoS attack
We have helped thousands of organizations create and maintain a bullet-proof DNS infrastructure with our Advanced DNS Protection solution. Our systems engineers and technical team literally wrote the book on DNS and can assist your organization in evaluating your current DNS implementation and how Infoblox can help your organization not be another DDoS news story and statistic.