Security on the firing line
Security teams have a thankless job. Nobody appreciates them when things are going well, but their necks are on the line when anything goes wrong, the DNS included.
Many security people take the DNS for granted because it has been around for quite some time, and they overlook it. It may not be the newest or fanciest technology in the network, but when the DNS is down, everything is down. And lately, the bad guys have found quite a few ways to attack the DNS.
DNS DDoS Attacks
The DNS is the second most widely attacked application protocol on the internet, and the attacks keep getting bigger every year. Reflected, amplified flood attacks have become a favorite weapon in many of the recent, high-profile attacks on the DNS.
The Secure64 patented DDoS mitigation mechanisms have been tested by objective third parties and shown to detect and block the wide variety of DDoS attacks directed against DNS servers. These defenses range from protection against simple protocol attacks to defenses against much more complicated packet or bandwidth flood attacks. Because these defenses are built-in, Secure64 DNS servers do not need to be protected by external security devices that add cost, latency and complexity to the network.
DNS Resolver Attacks
DNS resolver attacks are stealthier than brute-force DDoS attacks. These attacks send a small number of queries specifically designed to make the resolver work very hard until it runs out of resources and fails. But the end result is the same: the network is down.
Secure64 DNS Cache was the first to incorporate defenses against this more recent type of DNS attack. By monitoring critical system resource usage, DNS Cache is able to determine when it is approaching resource saturation and adapt its behavior to minimize resource consumption while continuing to respond to legitimate DNS queries.
Because it is free and open source, BIND is the most popular DNS software on the internet. But its popularity also makes it the most widely attacked DNS software. In the past two years there have been 17 critical security vulnerabilities announced against BIND, creating a real dilemma for security organizations. Does the network operations team drop everything and patch the DNS servers immediately? Or is the patch scheduled for a more convenient time, knowing the team is one exploit away from having the organization’s name on the evening news?
Secure64 DNS products have never been based on BIND, and that makes them immune to exploits against BIND-specific vulnerabilities. While nobody writes perfect, bug-free code, Secure64 has not had a breach, nor has it ever been taken down by an attack.
An Infestation of Bots
Users do not have the wisdom of security teams, and so they visit questionable websites, click on phishing links, download malware and fill the network with bots, in spite of the organization’s investment in endpoint protection. But bots can be detected and neutralized through the DNS with security services from Secure64. The best thing about these services is that they work regardless of the device: any device that is connected to the network (laptop, smartphone, router, CCTV, desktop, etc.) will be prevented from going to a malicious site or joining a botnet.
Your Security Partner
Secure64 customers turn to us because we care about security as much as they do. They know that we are devoted to creating the most secure DNS products available. After all, security is in our name – and in our foundation.