STATE OF DNS AVAILABILITY REPORT
VOLUME 1, ISSUE 1, APRIL 2011

Web sites and other online services are among the most important operational and revenue-generating tools for businesses of all sizes and industries. Consequently, the focus on network performance has never been higher. Yet one of the most mission-critical elements of a reliable Internet infrastructure, the Domain Name System (DNS), is often overlooked when it comes to performance monitoring. As a leading authority on network intelligence and availability, Verisign provides this report to help understand and quantify the extent of DNS availability on the Internet and the potential impacts of downtime.
EXECUTIVE SUMMARY

A recent Verisign-commissioned market study (i) found that 60% of respondents say at least a quarter of their company's revenue is obtained directly through its Web site. This figure was even higher for small and medium businesses, which rely heavily on their Web sites for revenue generation and marketing presence. For a business to run smoothly, its network has to run smoothly, and for its network to run smoothly, its DNS must be available at all times.

According to Yankee Group Analyst and Vice President Jennifer Pigg (ii), "Increasingly, organizations rely on e-commerce as a main or primary revenue stream and are dependent on their external network for mission-critical corporate functions such as customer service, sales and support. They realize they cannot afford to see DNS go down or suffer a security breach."

Yet in this inaugural issue of the Verisign State of DNS Availability Report, we see that in the first quarter of 2011, DNS availability was a problem for even the top-ranked e-commerce sites. Our examination of a global sample of Web sites revealed that when availability problems occur, sites hosting their own DNS (representative of most enterprises today) are much more affected than those using third-party managed DNS providers, particularly when minimum availability is examined. This report examines and quantifies the extent of global DNS availability problems, and illustrates the risks and impacts that such downtime can have on revenue generation, business continuity, and customer loyalty.

DNS: SINGLE POINT OF FAILURE

A domain name is key to doing just about anything on the Internet: from setting up a Web site, to sending and receiving email, to building an online store. Today there are over 200 million registered domain names (iii). DNS, which supports these domains, is the engine that makes the Internet simple and accessible for users around the world.
DNS ensures the availability of Web sites, email, and Web systems by mapping domain names to Internet Protocol (IP) addresses. Every server on the Internet has an IP address, written as a string of decimal numbers (IPv4, for example 123.45.67.254) or hexadecimal digits (IPv6, for example 2001:503:a83e::2:30). But, like telephone numbers, these long strings are difficult to remember. DNS allows people to type names, or brands, into a browser instead of a string of numbers and letters to reach Web sites and send email messages. It effectively serves as the front door through which any Web site lets in users and customers for Internet transactions. The entire process generally happens in a few tenths of a second and is transparent to the end user.

During a DNS failure, however, visitors typically receive an error message and cannot reach the Web site. This downtime often causes visitors to become frustrated and move on to another site, resulting in erosion of customer loyalty and brand reputation, as well as immediate and residual effects on sales and employee productivity. Additionally, with the growth of Web services, more and more Web sites depend on third-party Web service providers for additional functionality and content, for example social media sites and sales portals. If DNS is not functioning for these third-party sites, it can have a detrimental impact on business operations.

"Network-facing services have become more critical to almost all businesses, and businesses often forget that their Internet presence is only as available and secure as their DNS infrastructure," said Gartner Analyst Lydia Leong (iv).

RESEARCH OVERVIEW

Methodology

ThousandEyes, a network analytics and planning solutions provider, was commissioned to monitor a diverse sample of domain names (the top 1,000 sites ranked by Alexa) for DNS availability. Using a proprietary model, the firm monitored each site once every hour during the last seven days of January, February and March of 2011. Extensive testing was conducted on each of the DNS resolvers used for monitoring to ensure they followed the DNS resolution standard and did not exhibit any known abnormal or unreliable behavior. Of the 1,000 Alexa sites, eight were excluded because they stopped responding during testing, leaving a total of 992 sites for data collection. Of these 992 sites, well-known hosted DNS providers were serving the DNS for 142 sites (14%), while well-known CDN providers were serving the DNS for 47 sites (5%).

DNS was considered unavailable only when the response from the resolver was one of the following known DNS error conditions: SERVFAIL, NXDOMAIN, no mapping (a successful response that carries no answer record for the name), or a truncated response. Note that this definition is based on explicit error responses; it does not state how probes that received no response at all were treated.
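The methodology above only names the four conditions it counted as failures. To make the rule concrete, here is an added example (not code from the report or from ThousandEyes' monitoring) that builds a raw DNS query, parses the 12-byte response header and classifies the reply the way the report describes: SERVFAIL, NXDOMAIN, a NOERROR response with no answer records (taken here as the report's "no mapping") and a truncated response all count as unavailable. The sample replies are constructed inline so the example runs offline; the `probe()` helper shows how the same classifier is applied to a live server. Treating a transaction-ID mismatch as "not our answer" is an assumption of this example, but it is the correct default for a probe that must never count a forged reply as a success.

```python
"""Probe a name server and classify the reply with the report's availability rule.

Added example, not part of the Verisign report or ThousandEyes' monitoring code.
"no mapping" is taken here to mean a NOERROR response with ANCOUNT 0.
"""
import secrets
import socket
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
QR_FLAG, TC_FLAG = 0x8000, 0x0200  # response bit, truncation bit (RFC 1035 4.1.1)


def build_query(name, qtype=1, txid=None):
    """Encode a recursion-desired query for `name` (qtype 1 = A record).

    The transaction ID comes from a CSPRNG: a predictable ID is exactly what a
    cache-poisoning attacker needs to get a forged answer accepted.
    """
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT 1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def classify(response, expect_txid=None):
    """Return 'available' or the reason this probe counts as unavailable."""
    if len(response) < 12:
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if expect_txid is not None and txid != expect_txid:
        return "txid-mismatch"          # not a reply to our query; never trust it
    if not flags & QR_FLAG:
        return "malformed"              # QR clear: this is a query, not a response
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if flags & TC_FLAG:
        return "truncated"              # UDP reply cut short; would need a TCP retry
    if rcode != RCODE_NOERROR:
        return "rcode-%d" % rcode       # REFUSED, FORMERR, ...: also not a usable answer
    if ancount == 0:
        return "no-mapping"             # NOERROR but no record for this name/type
    return "available"


def availability(results):
    """Percentage of probes classed 'available', the report's metric."""
    return 100.0 * sum(r == "available" for r in results) / len(results)


def probe(server_ip, name, timeout=2.0):
    """Send one query over UDP to a live server and classify the reply."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(data, expect_txid=txid)


def fake_response(query, rcode=RCODE_NOERROR, answers=1, tc=False):
    """Constructed reply to `query` for offline use (not captured from any server):
    echoes the question and appends `answers` A records for 192.0.2.1 (TEST-NET-1)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR_FLAG | 0x0180 | rcode | (TC_FLAG if tc else 0)   # QR, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + rr * answers


def demo():
    """One constructed batch of eight hourly probes for example.com;
    returns (per-probe classification, availability percent)."""
    q = build_query("example.com", txid=0x1234)
    replies = [
        fake_response(q),                                    # normal answer
        fake_response(q, rcode=RCODE_SERVFAIL, answers=0),   # server failure
        fake_response(q, rcode=RCODE_NXDOMAIN, answers=0),   # name does not exist
        fake_response(q, answers=0),                         # NOERROR, no data
        fake_response(q, tc=True),                           # truncated UDP reply
        fake_response(q),
        fake_response(q)[:5],                                # short/garbled packet
        fake_response(q),
    ]
    results = [classify(r, expect_txid=0x1234) for r in replies]
    return results, availability(results)


if __name__ == "__main__":
    results, pct = demo()
    print(results, "%.1f%% available" % pct)
```

Against a live authority the loop is `classify(probe(ip, name))` once an hour per name server; the classifier deliberately reports timeouts and mismatched IDs under their own labels rather than folding them into either bucket, so whoever runs the probe has to decide explicitly whether "no answer" counts as downtime.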
Data analysis was conducted by classifying the sample domains into two categories:

1) Those serving their own DNS, and
2) Those using third-party DNS hosting providers.

Average, minimum, and maximum availability across all domains in each bucket were then computed.

It should be noted that DNS is somewhat hard to test for performance since there are many moving pieces. The results can depend on such things as whether the resolver has a cached entry, how far the client is from the DNS server, how far the DNS server is from the other servers, and so on. Ongoing testing and data collection at regular intervals was conducted to help mitigate such issues.

Results

Though average availability over domains and time for Web sites with internally managed DNS seems fairly close to that of sites with third-party managed DNS, any downtime can have real and lasting impacts on a business's bottom line. Possible impacts of this seemingly minor difference are illustrated in the next section. A glaring disparity is observed when looking at minimum availability, however (Figure 1): the sites serving their own DNS are hit much worse than sites using a managed DNS service. To investigate this further, the distribution of minimum availability for all sites with internally managed DNS (Figure 2) and with externally managed DNS (Figure 3) was plotted.

Figure 1: Minimum DNS Availability Comparison (Internally Managed DNS vs. Third-Party-Hosted DNS)
Figure 2: Minimum DNS Availability of Sites that Host their Own DNS
Figure 3: Minimum DNS Availability of Sites Using a Third-Party DNS Provider

Figures 2 and 3 show that DNS availability dropped all the way to zero for some sites that host their own DNS, whereas the sites using third-party DNS providers never fell below 50%.

DNS availability (%), first quarter 2011:

                          Minimum (avg. of domains)   Maximum (avg. of domains)   Average (avg. of domains & time)
                          Global      US              Global      US              Global      US
Internally managed DNS    90.13       89.17           99.98       99.99           99.70       99.85
Third-party-hosted DNS    98.04       97.71           99.99       100             99.85       99.94

This can most likely be attributed to the fact that the third-party DNS providers identified use an anycast resolution service, meaning there is always a server available somewhere to respond to DNS queries. The end user is then barely affected even if a few physical anycast instances fail or are unreachable. One provider uses a hybrid model of anycast and unicast resolution, which it presents as the optimal combination of performance and reliability for DNS queries and responses. Most enterprises do not have the resources and expertise to set up such extensive systems for their internally managed DNS, which could be why there is such a large discrepancy.
WHAT DOES THIS ALL MEAN?

With the growing dependency on online presence for marketing, customer service, revenue generation, and more, any amount of downtime has a real and lasting impact on a company's bottom line. The following example uses data collected for this report to illustrate what a seemingly small amount of downtime can mean for a business. It assumes that traffic is uniform over a 24-hour period and draws on the average, minimum, and maximum availability data collected.

Example: Mega Online Advertising

Mega Online Advertising company received advertising revenue of about $796 million for the first quarter of 2011. There are 90 days in the quarter, resulting in average ad revenue of $8.84 million per day, or about $100 per second. A one-hour DNS outage therefore costs about $368,519. An uptime of 99.70%, the sample average DNS availability of internally managed global domains in this study, would result in a loss of about $26,534 per day, or $2,388,033 for the quarter. That is twice the loss a managed DNS service would have incurred based on this study's average availability data (99.85%). Based on these results, it would be prudent for Mega Online Advertising to identify a DNS service provider with a track record of high availability to mitigate its risk of downtime.

While this example is very simplified and the company is made up, the numbers used to calculate the impacts are drawn from very real companies in the industry represented. Considering that several companies in the research sample with internally managed DNS had complete outages for various lengths of time during this study, it is easy to see how revenue loss, customer dissatisfaction, and lost productivity can add up quickly and become catastrophic for companies dependent on their Web and network presence for business operations.
At a minimum, they are public relations nightmares waiting to happen that can be avoided with proper planning and support.

CONCLUSION

Enterprises have three choices when deciding how to manage their DNS requirements:

1) Do everything in-house
2) Rely on their Internet Service Provider (ISP)
3) Partner with a managed DNS service provider

According to The Yankee Group, the majority of enterprises manage DNS requirements in-house or via their ISP (v). Many, in fact, use both, keeping DNS management for their internal network in-house and using their ISP to manage their external, Internet-facing ecosystem of customers, business partners, Web sites, company portals, and e-commerce sites. This is consistent with the data presented in this report: the sites not served by a well-known hosted DNS or CDN provider, roughly four in five of the sample, serve their own DNS. Yet The Yankee Group estimates that more than 85% of enterprises that manage DNS in-house do not have dedicated DNS staff, but instead manage DNS on an ad hoc basis with limited expertise and few defined operational processes. Furthermore, the firm says that since DNS management is not the main function of an ISP, DNS performance is likely to suffer for those who rely on their ISP to manage DNS. The data collected for this report supports this assertion by revealing significant discrepancies between the DNS availability of Web sites with internally versus externally managed DNS.

"Trends such as cloud computing, the mobile workforce, and device proliferation are putting added stress on IT infrastructure and DNS management," said Ben Petro, senior vice president of Verisign's Network Intelligence and Availability group. Consequently, he says, most organizations struggle to maintain high availability of these systems. As companies migrate to more cloud-based alternatives for applications, storage, and services, DNS management becomes more complicated and opens the door to new security issues and challenges.

Managed DNS service providers have tools and capabilities that help secure the network, improve availability, and enhance performance that, in most cases, enterprises cannot afford to duplicate on their own. Enterprises must balance the degree of control they would like to exert over their DNS system against the cost and availability of DNS resources. Comprehensive DNS management requires careful planning, substantial expertise, and considerable resources. Unfortunately, most companies do not recognize weaknesses in their existing DNS infrastructure until it is too late and they have suffered lost productivity or revenue.
VERISIGN MANAGED DNS

The answer to effectively managing DNS is using a globally distributed, securely managed cloud service, such as Verisign Managed DNS, to help ensure availability and allow enterprises to save on the capital and operational costs associated with DNS infrastructure deployment and management. Verisign Managed DNS uses a hybrid model of anycast and unicast resolution to provide a combination of performance and reliability for DNS queries and responses, allowing for easier and more flexible management of DNS environments.

Verisign has a long history of leadership with DNS. It has managed the DNS for top-level domains (TLDs) including .com, .net, .gov, .edu, .tv, .cc, .jobs and .name, with the highest uptime record of any registry, and resolves an average of 60 billion DNS queries every day with 100% accuracy. To meet the exceptional requirements of serving .com and .net, Verisign developed its own proprietary name server called ATLAS (Advanced Transaction Lookup and Signaling System), which handles DNS traffic faster and more efficiently than any commercially available option. To provide redundancy and speed, Verisign operates 17 large resolution sites around the world at important Internet hubs in North America, Europe, and Asia. In addition to these large resolution sites, Verisign also operates dozens of smaller Regional Internet Resolution Sites (RIRS) throughout the world that provide high-speed resolution to traditionally under-served countries.

This constellation of name servers is maintained, monitored, and managed by Verisign's team of leading DNS, DDoS mitigation, and security intelligence experts. Each site in the constellation is well connected, with high bandwidth and tight security controls. The same infrastructure and expertise that supports the world's largest TLDs has been extended to customers through Verisign's suite of services, including Managed DNS, DDoS protection and iDefense security intelligence.
For more information about Verisign's suite of services, visit www.verisigninc.com.

ABOUT VERISIGN

Verisign is the trusted provider of Internet infrastructure services for the digital world. Billions of times each day, companies and consumers rely on our Internet infrastructure to communicate and conduct commerce with confidence.

(i) Verisign Whitepaper. Distributed Denial of Service: Finally Getting The Attention It Deserves. May 2011.
(ii) Yankee Group. DNS: Risk, Reward and Managed Services. Feb. 2011.
(iii) Verisign Domain Name Industry Brief. February 2011.
(iv) Verisign Press Release. Verisign Launches Managed DNS to Help Companies Reduce Costly Downtime and Simplify DNS Management. August 11, 2010.
(v) Yankee Group. DNS: Risk, Reward and Managed Services. Feb. 2011.
PROFILE OF DNS ATTACKS

DNS was developed many years ago, when efficiency was of greater concern than security. As a result, it has become a key target for attackers who hijack Web sites and build a variety of exploits to acquire sensitive information. Organizations with a Web presence are exposed to DNS attacks and should know how they work and how to avoid them.

DNS Cache Poisoning

DNS cache poisoning occurs when a malicious actor gets a recursive (caching) DNS server to accept a forged answer for a particular record. While the recursive server is waiting for the reply from the real authoritative server, the attacker floods it with bogus answers masquerading as the authoritative server, trying to match the transaction ID (and, where it is predictable, the source port) of the outstanding query. One match is enough: the recursive server caches the bogus answer and serves it to every end user who asks. DNS security extensions (DNSSEC) protect against this attack when the zone is signed and the recursive server validates the signatures; a signed zone alone does not protect users behind a non-validating resolver. More work is needed by registrars, ISPs and enterprises to reach full deployment, but the recent signing of the .com zone by Verisign is a huge step toward closing this DNS vulnerability.

DNS Reflective Amplification Attack

DNS reflective amplification attacks are distributed denial-of-service attacks that use DNS servers as unwitting reflectors against a third-party victim. A normal DNS request is around 100 bytes, with the answer anywhere from 200 to 400 bytes; a large DNS response can be anywhere from 500 bytes up to 4,000 bytes. The attacker sends a large number of DNS queries to valid DNS servers with the source address spoofed to that of the attack target. The legitimate DNS servers unknowingly participate by sending a high volume of large responses to the victim IP, multiplying the attacker's bandwidth by the response-to-query size ratio (up to roughly 40 to 1 with the sizes above), while the reflecting servers themselves absorb the query load.

Resource Starvation or Direct Attack

The easiest type of attack is to find a large botnet of hijacked PCs and direct a huge flood of recursive DNS queries at the targeted authoritative DNS server. In addition, the attacker will spoof the source IP address of the request packets to be that of a popular legitimate recursive DNS server (one that serves many end users). The target of the attack cannot simply firewall off those packets, as they are mixed in with legitimate queries from that recursive server.

Data Modification Attack

Cache poisoning is not the only way to modify DNS data. Several attacks have succeeded in redirecting legitimate traffic to malicious sites by compromising the target company's registrar account and changing the domain's name server delegation or records to point at attacker-controlled servers. DNS data can also be modified directly on the authoritative DNS server answering the queries: there have been highly publicized breaches of DNS providers in which an attacker logged into the provider's management system and modified the target's DNS data. Neither path forges responses in transit, so DNSSEC does not stop them; protecting the registrar and provider accounts themselves does.

Protecting Your DNS

By applying digital signatures to DNS data to authenticate its origin and verify its integrity as it moves across the Internet, DNSSEC is designed to protect the integrity of the DNS. It does not by itself mitigate the flooding and amplification attacks described above (signed responses are in fact larger). While DNSSEC is the first major step for protecting the integrity of the DNS, for it to effectively safeguard the global DNS infrastructure it is vital that ISPs, Web site operators, and registrars implement DNSSEC across the domains and recursive servers they manage. Verisign actively tracks the progress of DNSSEC implementation across all of the TLDs it manages and provides tools that, among other things, let anyone check the DNSSEC information for their own or any other Web site and whether a DNS resolver is configured for DNSSEC validation. The number of DNSSEC-enabled Web sites in the .com, .net, and .edu zones is also available. For more information, visit http://labs.verisigninc.com/tools.

© 2011 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc.
and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.
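Returning to the reflective amplification attack in the Profile of DNS Attacks section above: the report gives the byte sizes (a roughly 100-byte query answered with up to 4,000 bytes) but not how an operator would notice that their server is being used as a reflector. The following added example (not code from the report or from Verisign) works that out over a constructed query log. The log layout, the addresses (all from the RFC 5737 documentation ranges) and the thresholds are assumptions of this example, not any vendor's format or recommended values.

```python
"""Triage a name server's query log for reflection/amplification abuse.

Added example, not from the Verisign report. Assumed log layout per line:
  <timestamp> <src-ip> <qname> <qtype> <edns-bufsize> <query-bytes> <response-bytes>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) "
    r"(?P<bufsize>\d+) (?P<qlen>\d+) (?P<rlen>\d+)$"
)

# Constructed sample, not captured traffic. 198.51.100.7 is the *spoofed* address
# of a victim being hit with ANY answers; the other two sources look ordinary.
SAMPLE_LOG = """\
2011-03-25T10:00:00Z 198.51.100.7 example.com ANY 4096 64 3921
2011-03-25T10:00:00Z 198.51.100.7 example.com ANY 4096 64 3921
2011-03-25T10:00:00Z 198.51.100.7 example.com ANY 4096 64 3921
2011-03-25T10:00:01Z 203.0.113.9 www.example.com A 512 75 91
2011-03-25T10:00:01Z 198.51.100.7 example.com ANY 4096 64 3921
2011-03-25T10:00:01Z 192.0.2.44 example.com MX 4096 70 310
2011-03-25T10:00:02Z 198.51.100.7 example.com ANY 4096 64 3921
2011-03-25T10:00:02Z 203.0.113.9 mail.example.com A 512 76 92
2011-03-25T10:00:02Z 192.0.2.44 example.com MX 4096 70 310
2011-03-25T10:00:03Z 198.51.100.7 example.com ANY 4096 64 3921
2011-03-25T10:00:03Z 203.0.113.9 www.example.com AAAA 512 75 103
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal,
    because a log fed by untrusted traffic must not crash the detector."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("bufsize", "qlen", "rlen"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def amplification_factor(query_bytes, response_bytes):
    """Bandwidth multiplier the reflector hands the attacker."""
    return response_bytes / query_bytes


def per_source_stats(records):
    """Aggregate query count, byte totals and query types per source address."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "qtypes": set()})
    for r in records:
        s = stats[r["src"]]
        s["queries"] += 1
        s["qbytes"] += r["qlen"]
        s["rbytes"] += r["rlen"]
        s["qtypes"].add(r["qtype"])
    return stats


def reflector_candidates(records, min_factor=10.0, min_queries=5):
    """Sources whose repeated queries draw a disproportionate volume of answer bytes.

    The returned address is the spoofed victim, not the attacker, so the fitting
    response is to rate-limit identical answers to it (and to stop answering
    recursive queries from the open Internet), never to "block the attacker".
    """
    flagged = {}
    for src, s in per_source_stats(records).items():
        factor = amplification_factor(s["qbytes"], s["rbytes"])
        if s["queries"] >= min_queries and factor >= min_factor:
            flagged[src] = {
                "queries": s["queries"],
                "factor": round(factor, 2),
                "qtypes": sorted(s["qtypes"]),
            }
    return flagged


if __name__ == "__main__":
    print("worst case from the report's sizes: %.0fx" % amplification_factor(100, 4000))
    for src, info in reflector_candidates(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

With the report's own figures the multiplier is 40x; in the constructed log the ANY queries for a single zone reach about 61x, while the A and MX traffic stays in the 1x to 5x range the report describes as normal. In production the same aggregation would be windowed by time, since a handful of ANY queries spread over a day is not an attack, and the thresholds tuned against the server's baseline.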