According to a 2014 IDC survey on DNS security, "traditional security solutions aren’t a good option to protect the DNS infrastructure against critical attacks." The survey also revealed that 68 per cent of respondents still rely solely on their firewalls. This is the wrong answer to a very real problem.
During a DDoS attack, the hacker usually tries to bring down the DNS server either by blocking legitimate requests or by corrupting the DNS cache and sending false information back to users. Several methods exist to protect against DNS attacks; the most common is to filter DNS queries and eliminate those that are illegitimate. The problem with this approach is that current solutions aren’t strong enough to absorb, and meticulously analyse, all the requests that are sent to them. This method can even negatively impact the DNS service by allowing through illegitimate queries when the system’s under pressure.
Last December, the cloud service provider Rackspace suffered a DDoS attack that crippled its DNS servers for 11 hours. The company stated that its engineers were working to resolve the problem; unfortunately, the protection solutions in use were themselves impacted: "because of the nature of the event, part of the legitimate traffic to our DNS infrastructure can be inadvertently blocked."
In the same month, Simple DNS faced a similar attack and decided to disable the DNS DDoS defence mechanism in order to resume normal service.
In both cases, the companies took radical steps that blocked not only the illegitimate traffic but also legitimate requests. This is further evidence that current solutions aren’t adapted to the problems of DNS services and, as a result, businesses remain vulnerable.
For 40 years, Chief Information Security Officers (CISOs) have used filtering solutions to counter attacks. Unfortunately, current filtering solutions are proving insufficient to protect the DNS service, and in some cases even dangerous.
Put simply, it’s time to rethink the security of the weakest link in the network infrastructure – and here’s why.
Computer attacks are becoming increasingly complex
Hackers are often very creative and regularly find new ways to exploit weaknesses in the DNS infrastructure, as well as developing new and complex techniques. The rules in place within a solution cannot adapt to these persistent threats as rapidly as they emerge. Some existing solutions have over a hundred rules set up to maintain a threat-mitigating system; not only is this an onerous task, it’s also not fool-proof.
Filtering based on superficial analysis = exclusion of legitimate requests
When an attack against DNS services is detected, the solutions can "blacklist" the IP address identified as responsible for the attack. However, a hacker can use malware installed on many different machines to generate these attacks – so when the protection system blocks requests from a "blacklisted" IP address, the machine behind it could very well be that of a customer, a partner, or even your own.
Helplessness against volumetric attacks
When attacks are volumetric (about 63 per cent of DNS DDoS attacks), current solutions can quickly become saturated. To detect an attack, the filtering mechanism must engage in an in-depth analysis of the contents of DNS messages; this analysis involves a considerable amount of data to be processed and means a significant workload for the analysis tools. During a volumetric attack the volume of data spikes, the tools are saturated and the protective solution may not be fully effective.
Slow attacks
The majority of attacks are "slow" or go unnoticed (often known as a ‘Phantom’ attack). This type of attack isn’t based on a large volume of requests sent over a long period but, rather, on lower volumes with frequencies that make them invisible to filtering.
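As an added illustration (not from the original article), the following Python compares a naive per-second threshold with a longer sliding-window budget over constructed DNS query logs, showing how a low-rate "phantom" flood slips under the first check but not the second; the log format, IP addresses, limits and budget are all assumptions.

```python
from collections import Counter, defaultdict

PER_SECOND_LIMIT = 50   # naive filter: flag a client above 50 queries/second (assumed)
WINDOW_SECONDS = 60     # longer observation window for the second check (assumed)
WINDOW_BUDGET = 600     # assumed per-client budget over that window

def parse(line):
    """Constructed log format: '<unix_ts> <client_ip> <qname>'."""
    ts, ip, qname = line.split()
    return int(ts), ip, qname

def per_second_peaks(lines):
    """Highest query count in any single second, per client."""
    counts = defaultdict(Counter)
    for ts, ip, _ in map(parse, lines):
        counts[ip][ts] += 1
    return {ip: max(c.values()) for ip, c in counts.items()}

def window_peaks(lines, window=WINDOW_SECONDS):
    """Highest query count in any sliding window of `window` seconds, per client."""
    times = defaultdict(list)
    for ts, ip, _ in map(parse, lines):
        times[ip].append(ts)
    peaks = {}
    for ip, ts_list in times.items():
        ts_list.sort()
        best = start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] >= window:   # drop timestamps that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def flagged(lines):
    """Clients flagged by the per-second rule and by the window rule, as two sets."""
    fast = {ip for ip, n in per_second_peaks(lines).items() if n > PER_SECOND_LIMIT}
    slow = {ip for ip, n in window_peaks(lines).items() if n > WINDOW_BUDGET}
    return fast, slow

def build_sample():
    """Constructed traffic: a legitimate burst, a loud flood and a phantom flood."""
    lines = []
    for s in range(2):            # legitimate resolver: 40 qps for 2 s (80 queries)
        lines += [f"{1000 + s} 192.0.2.10 www.example.com"] * 40
    for s in range(4):            # loud flood: 200 qps for 4 s (800 queries)
        lines += [f"{1000 + s} 198.51.100.7 example.com"] * 200
    for s in range(60):           # phantom flood: 20 qps for 60 s (1200 queries)
        lines += [f"{1000 + s} 203.0.113.5 example.com"] * 20
    return lines

if __name__ == "__main__":
    print(flagged(build_sample()))
```

Only the loud flood trips the per-second rule; the phantom flood never exceeds 20 qps yet sends twice the window budget, so only the window rule sees it.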
Vulnerability to cache poisoning
When a filtering solution detects suspicious behaviour, it’s supposed to reject the affected packets and only respond to legitimate requests. The problem is that rejected packets leave requests unanswered – and the response timeout on the recursive server is an opportunity for hackers to poison the cache by answering in place of the server. Hackers can deliberately trigger the filter mechanism with false positives to gain that window against the cache servers.
However it is carried out, an attack on the server is a direct and very severe threat to the business. Hackers are continuing to change their methods at a rapid pace, but there are new solutions, specifically developed for the DNS service, that can detect and identify different types of attacks and apply countermeasures suited to each.
Those responsible for IT security must review their cyber-security approach in order to keep up, or ideally be one step ahead. The future of the company depends on it.