DDoS and DNS: where can the DNS platform protect your assets
DNS, unfortunately, is a prime target for DDoS attacks, a fact that cannot be ignored. This vulnerability poses a significant risk to the stability and accessibility of your online services.
Some servers and some setups allow the bad guys to use DNS servers to attack other servers. Other setups and servers are not configured or cannot protect against inbound attacks.
Why protect a DNS server?
No DNS = No Internet. It’s that simple, as no one knows the IP address for a server. Think of the sites you use every day, and ask yourself if you know the IPv4 address and then ask if you could remember the IPv6 address.
This means you have 2 different areas to protect
- Protect your brand by keeping the Authorative DNS operational
- Protect you caching DNS and ensuring it is not open for abuse internally or externally
Protecting your brand
Consider the scenario where a customer or a user is trying to access your website. They initiate a DNS lookup, which at some point involves your server. If your DNS server is down or overloaded due to a DDoS attack, the user cannot retrieve the IP address for the service they need. Hackers exploit this vulnerability, effectively blocking access to your service without even compromising your server. This underscores the urgency of protecting your DNS server.
This problem can cause financial issues and result in users accessing alternate providers to get the desired product or service.
Authoritative DNS servers need the ability to dynamically block these attacks without having to resort to the system administrator configuring the prevention at the time of the attack. These servers need the ability to report on the attack so that lessons can be learned, but the most obvious feature is uptime; they have to resolve legitimate queries while blocking the attack.
Protection needs to be built into the whole software stack. Using external platforms to protect insecure DNS servers is a bad idea as the system administrator cannot easily see the whole picture of the attack. The DNS solution in your network needs to be aware of the attack and protect itself.
Protecting the caching DNS server
There are far more caching DNS servers installed across the internet and inside networks than Authorative DNS servers. Sometimes, hackers abuse caching DNS servers into a DDoS cluster. If a DNS server is open as a resolver on the internet, the hacker can bounce malicious queries off it and hide their location and intention. This can be a massive problem on the internet.
Again, filtering needs to be deployed to protect the DNS server and ensure your servers are not used for malicious reasons.
Start low in the stack
DNS Software sits at the top of the ISO stack. Hackers know this and often attack the server with ICMP, TCP and UDP attacks which are nothing to do with DNS. Your protection, therefore, needs to secure the server against attacks from the lower layers of the stack, and critically, it needs to be able to report these attacks. An important factor is having all the various attacks correlated in the protection and reporting architecture and visible using a GUI. This ensures the system administrator doesn’t have to dig through logs and reports from different protection platforms where they cannot understand all the attack vector.
Visibility
Having a GUI that can see the attacks in near real-time is a factor to help understand when you are being attacked, how you are being attacked and how the attack changes over time.
If you have your protection split across different vendors and different protection boxes, seeing the ICMP and DNS attacks is often very hard as you may have multiple different reporting engines to view and try and correlate the data.
The reporting engine needs to work offline from the servers to ensure that it doesn’t impact the performance of the solution, but critically, you need real-time information to see the attack. Some platforms have large delays in reporting of minutes, and that doesn’t help when the attack could be over in the time taken to see the data.
Protect against misuse of the DNS
DNS Tunnelling is a clever technique that uses perfectly valid DNS queries from sources allowed to query the caching DNS server. Hackers embed the traffic they want to pass in a DNS query and response. The caching DNS server sends the packet to the Internet. Hackers can use this technique for service theft and data exfiltration. As the data is, in effect, valid, legacy solutions do nothing to stop this method.
DNS tunnelling protection has to be dynamic and not rely on lists of domains from a central source. The platform must be self-protecting and provide detailed reporting.