The Front Door is well protected against DNS DDoS attacks, but what about the back?
The DNS is the phone book of the internet, and most IP services are entirely dependent on its stability and performance. With the recent rash of DNS DDoS attacks, it has become clear that the DNS needs a special security status. DNS essentially remains a single point of attack, even when it is deployed across geo-diverse locations with hot-standby’s, etc. DNS needs very careful security attention because if it is down or unavailable, so are all IP services
Therefore, it is understandable that the focus for CTO’s has been about getting the ‘right’ DNS application along with any necessary bodyguards (firewalls, DPI) that their chosen DNS technology requires. Secure64 customers need not buy any bodyguards, as the DNS servers are self-protecting against DNS DDoS attacks.
But this attention to the “front door” has masked another somewhat obvious way to create a DDoS attack. The attack vector in this case is the Operating System and/or NFV environment hosting the DNS.
While CentOS and other Operating System technologies have been in use for many years and are widely deployed in datacenters globally, it is truly striking as well as dismaying to look at the GROWTH in reported critical vulnerabilities (CVE’s). Hackers are digging deeper into the code and finding new ways to attack the OS, generating CVE’s, which have been growing from 10 to 25% per annum.
Below is a chart listing the 2016 vulnerabilities by vendor – Debian had 319; Linux had 217, or quite a number to stop and patch. Fortunately, there are ways to dramatically alter the OS CVE profile on the DNS platform.
At Secure64, we use a military grade CentOS kernel in every DNS system we ship. In the last 3 years, the Secure64 CentOS kernel has had zero CVEs, because it completely eliminates entire classes of vulnerabilities, including buffer overflow attacks and remote code execution. This same CentOS OS can also be deployed in KVM, VMWare and OpenStack environments. Combining the secure kernel with the Secure64 six layers of DNS DDoS attack protection provides a DNS system with unparalleled security – at both the front door and the back door.