5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

Similar documents
DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Securing DNS Infrastructure Using DNSSEC

STATE OF DNS AVAILABILITY REPORT

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Denial of Service Attacks

How To Protect A Dns Authority Server From A Flood Attack

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

CS 356 Lecture 16 Denial of Service. Spring 2013

DOMAIN NAME SECURITY EXTENSIONS

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

CloudFlare advanced DDoS protection

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection

FAQ (Frequently Asked Questions)

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

Acquia Cloud Edge Protect Powered by CloudFlare

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

Threat Events: Software Attacks (cont.)

Computer Networks: Domain Name System

Attack and Defense Techniques

Potential Targets - Field Devices

A Decision Maker s Guide to Securing an IT Infrastructure

DNS security: poisoning, attacks and mitigation

Measures to Protect (University) Domain Registrations and DNS Against Attacks. Dave Piscitello, ICANN

Distributed Denial of Service Attacks

Stephen Coty Director, Threat Research

Security F5 SECURITY SOLUTION GUIDE

DDoS Attacks Can Take Down Your Online Services

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

DNS Best Practices. Mike Jager Network Startup Resource Center

Security A to Z the most important terms

FortiDDos Size isn t everything

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

WHITEPAPER. Designing a Secure DNS Architecture

Strengthening our Ecosystem through Stakeholder Collaboration. Jia-Rong Low, Sr Director, Asia 20 August 2015

Top Five DNS Security Attack Risks and How to Avoid Them

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

Denial of Service Attacks

How To Protect Yourself From A Dos/Ddos Attack

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks

Securing Your Business with DNS Servers That Protect Themselves

Internet Security [1] VU Engin Kirda

The F5 Intelligent DNS Scale Reference Architecture.

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

Basics of Internet Security

TDC s perspective on DDoS threats

Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Complete Protection against Evolving DDoS Threats

Keyword: Cloud computing, service model, deployment model, network layer security.

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

The Domain Name System from a security point of view

COSC 472 Network Security

High-Performance DNS Services in BIG-IP Version 11

Spyware. Summary. Overview of Spyware. Who Is Spying?

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

VALIDATING DDoS THREAT PROTECTION

DDoS Attacks & Mitigation

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Application Firewalls

Securing Your Business with DNS Servers That Protect Themselves

Own your LAN with Arp Poison Routing

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Network Security: Introduction

The Trivial Cisco IP Phones Compromise

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

Learn Ethical Hacking, Become a Pentester

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

Transcription:

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep) survey says: There are things that go bump in the night, and things that go bump against your DNS security. You probably know about the risk of distributed denial of service (DDoS) attacks, but other threats lurk in the dark. Security threats against DNS infrastructure are both serious and growing. In fact, according to a 2013 Arbor Networks survey, the largest DDoS attack (60 Gbps) targeted DNS infrastructure. In that same survey, twice the number of respondents claimed to have experienced customer-impacting DDoS attacks on their DNS infrastructure in 2013 versus 2012. Yet, 19% of organizations have no dedicated group responsible for DNS security. 1 When it comes to keeping your DNS secure, do you know what you re up against? Here are five of the most pervasive DNS threats that you need to be thinking about, and how to keep them from creating a performance or security nightmare. 1. DDoS Attacks The most common of DNS boogeymen, DDoS attacks prevent a service from working by using a large number of machines from all over the Internet to send enormous amounts of traffic towards a target website or application. When the DNS infrastructure is sufficiently overloaded by incoming requests, performance crashes or completely fails, impacting your ability to serve customers. An attacker clogs network services by overloading one or more DNS servers with recursive queries from zombie computers computers compromised and controlled remotely by an attacker. When server processors hit max capacity by trying to respond, the DNS service becomes unavailable to the people trying to access your website or applications. 54% of DDoS attacks in 2013 were over 1 gigabit per second, up from 33% in 2012. 25% of survey respondents reported customer-impacting DDoS attacks on their DNS infrastructure. 21% of survey respondents permit unrestricted recursive lookups by their DNS servers. 1 WANT TO LEARN MORE ABOUT DDOS? READ OUR : Everything You Need To Know About A DDoS Attack DOWNLOAD AVAILABLE AT: http://bit.ly/ddos101 1 of 5 1 Network Operators Speak Out on the Status of DNS Security, Arbor Networks, 2013.

Fight fire with fire. Prevent distributed attacks with a distributed network of anycast servers that can handle a deluge of DNS traffic. Don t have a dispersed fleet of anycast servers? You re not alone. Look to managed DNS providers, which are committed to building out widely distributed, highly redundant networks of anycast servers. They ll mirror your own DNS servers to mitigate a DDoS attack and generally improve network performance by load balancing queries. 2. DNS Amplification Rather than a standalone attack, DNS amplification exploits powerful recursive DNS servers to increase the strength of a DDoS attack. The attacker uses the target s own strength to overwhelm the network and cripple performance. How Does It Happen? Attackers spoof the source address on DNS queries to match that of the target, and use bots to send bogus packets to a recursive name server, effectively amplifying the packets by a ratio as high as 70:1. DNS amplification gives attackers with small botnets the same power as large botnets. So if you have an open recursive DNS server, the number of attackers you need to be concerned with is amplified as well. Is your recursive DNS server open to the Internet? If yes, put this threat to bed right now by changing your server configuration. That is all. DNS Amplification Attack 2 of 5 5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

3. Cache Poisoning Cache poisoning (aka pharming or redirection) sends unsuspecting people to malicious websites attached to legitimate URLs. And if the attacker s site looks just like the attack target s actual site not a difficult task there s practically no way for someone to know they are being scammed, leading to them entering their personal information (address, birthday, credit card number, social security number) into a site that pharms information. Researcher Dan Kaminsky discovered a serious flaw in the DNS protocol that made it an easy target for attacks. The vulnerability, now known as the Kaminsky bug, enables an attacker to trick an Internet Service Provider (ISP) into caching malicious DNS information into the recursive DNS server caches. That s how a legitimate website URL can redirect users to the wrong IP address. You can ward off cache poisoning attacks by making sure your DNS server configurations are secure, but the best protection is to apply the DNS Security Extensions (DNSSEC) protocol to each step in the DNS lookup from root zone to the final domain name. Registries and registrars worldwide use the DNSSEC add-on to digitally sign data, ensuring its validity. (It s important to note, however, that it doesn t encrypt the data.) DNSSEC In Action 18% of survey respondents saw DNS cache poisoning attacks to or through their DNS infrastructure, while 38% lack the visibility to know of such attacks. Network Operators Speak Out on the Status of DNS Security, Arbor Networks, 2013. 3 of 5 5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

4. Registrar Hijacking It s likely that you have your domain name registered with a registrar company. That means that if your registrar is under attack, you re probably under attack. Registrar hijackers can take control of your domain name and direct it to a server (name, web, email, etc.) of its choice. The attacker could even transfer your domain to a new registrar, cutting ties with the compromised account and making it difficult for you to regain ownership. A registrar hijacker may aim to attack all of a registrar s accounts, or it could target your account specifically. It may try to crack the code on your password or manipulate one of your registrar s technical support operatives into revealing it. Avoid the temptation to sign with the first registrar to offer a promotional discount or to laugh at your jokes. Ask questions. Be picky. Register with a managed DNS provider that takes security seriously and has features such as multi-factor authentication and high-value services that can substantially curb risk. These services may come at an additional cost, but compared to the revenue loss and reputation damage that may result from a hijacking, they end up paying for themselves. There are almost 1,000 ICANNaccredited registrars, including Dyn. View the complete list: http://bit.ly/icannregistrars 5. Footprinting Footprinting isn t an attack itself, but it sets the stage for a successful DNS attack by gathering information about DNS domain names, computer names, registration details, server type, IP address, location, and other details. With this information, the attacker knows which resources to target and can plan an IP spoofing attack. How Does It Happen? Effective footprinting requests a zone data transfer from your DNS server to an attacker s zone server, giving it a complete copy of the DNS records for the entire zone. This is very easy for attackers to do when you allow any Internet user to execute zone transfers. 4 of 5 5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

Don t allow any ol Internet user to execute zone transfers. Instead, control DNS zone transfers by restricting them to specific DNS servers. You can also run your DNS services on domain controllers and configure them to authenticate each other before exchanging data. Then, use Active Directory integrated zones for replication. An attacker can no longer impersonate a domain controller and receive the zone transfer information. A DNS Security Solution To Sleep On Now that you know about key threats to your DNS security, don t let them keep you up at night. This paper details steps you can take to protect yourself, but you don t need to tackle them alone. Managed DNS provides risk mitigation for the newest of threats with the latest technologies, overseen by security experts. Delivered as a service, it handles your DNS needs without requiring onsite hardware, software, or additional personnel. You get all the security benefits without the effort or capital costs. The security of your DNS is too important to chance, so consider partnering with a managed DNS provider like Dyn to be assured that you ll be protected. review of the 5 dns security risks 1. DDoS Attacks 2. DNS Amplification 3. Cache Poisoning 4. Registrar Hijacking 5. Footprinting Need backup against these DNS threats? Give us a call. 5 of 5 5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep) dyn.com uksales@dyn.com +44 (0) 1273 257270 6th Fl. Aspect House, 84-87 Queen s Rd. Brighton, UK BNI 3XE

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information