- Category: August 2015 - Security
The Domain Name System (DNS) is one of the most important services in IP-based networks and a prime target for hackers. Therefore, you might be interested in the following few useful tips to minimize the risks of DDoS and mitigate damage.
All we can do is try our best to stay protected, knowing that only 'he who is without sin can cast the first stone'. Take Distributed Denial of Service (DDoS) attacks, for instance, which are a good example of an attack on DNS servers. Here, attackers flood the enterprise servers with millions of requests per second to make the server crash under the load. The company's website is then no longer accessible and IP-based applications can no longer be used. In addition, the overloaded DNS server gives rise to vulnerabilities that attackers can exploit to influence the DNS cache. For example, the web traffic of the company's website could be redirected that way to a fraudulent site.
According to an IDC study, other possible consequences of DNS attacks are intellectual property theft (40%), the publication of secret information (27%), as well as the theft of customer data (11%). In short, a successful DDoS attack can have devastating consequences for the company and its customers, as well as ruining a company’s business reputation.
Since organizations often do not know about these risks, they do not invest enough in specialized DNS security solutions, making DNS servers the weakest link of the entire IT infrastructure. Therefore, pay attention to the following tips:
Update software regularly: Make sure to install new security updates as soon as possible. BIND, the most widely used DNS engine, for instance, generally has an update available once a month. Running outdated software can increase the number of vulnerabilities attackers can exploit.
Use different DNS engines: Operating at least two DNS servers with different software engines has proven to be a good solution, because the second engine can take over operations while the first one is being updated and thoroughly tested. Since DNS installations can be very complex and a faulty update may have serious consequences, it is advisable to have such an alternative in place. During an attack, having different engines is all the more important: the company can switch to the second engine in real time, thereby taking the vulnerable engine out of service and ending the attack. This approach is especially useful with zero-day exploits, since in that case no security updates are available.
Prepare for DDoS attacks: As mentioned, the main principle of a DDoS attack is simple: more requests are sent to a server than it can answer. Since even the most powerful conventional DNS server cannot handle more than 300,000 requests, companies need dozens of redundant servers and additional components such as load balancers for protection, which makes for a highly complex and expensive IT infrastructure. So, be prepared and stay alert!
By Daniela La Marca
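To make the "more requests than the server can answer" principle measurable, the following added example (not part of the original article) counts queries per second in a DNS query log and reports the seconds that exceed a capacity threshold, together with the busiest clients. The log lines are constructed in the style of a BIND 9 query log, and the function names and the threshold value are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches a BIND 9 style query-log record: timestamp, client IP, queried name.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) "
)

def _line(sec, ms, ip, qname):
    """Build one constructed query-log line (helper for the sample only)."""
    return (f"17-Aug-2015 10:15:{sec:02d}.{ms:03d} client {ip}#40000 "
            f"({qname}): query: {qname} IN A +E (198.51.100.1)")

# Constructed sample, not real traffic: a quiet second followed by a burst
# in which one documentation-range address sends most of the queries.
SAMPLE_LOG = "\n".join(
    [_line(1, 100, "192.0.2.10", "www.example.com"),
     _line(1, 450, "192.0.2.11", "mail.example.com"),
     "17-Aug-2015 10:15:01.900 general: info: zone example.com/IN: loaded"]
    + [_line(2, i, "203.0.113.7", f"r{i}.example.com") for i in range(6)]
    + [_line(2, 700, "192.0.2.10", "www.example.com")]
)

def parse(log_text):
    """Yield (second, client_ip, qname) for every query record; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["qname"]

def find_overload(log_text, max_qps, top_n=3):
    """Return {second: [(client_ip, count), ...]} for seconds above max_qps."""
    per_second = defaultdict(Counter)
    for second, ip, _qname in parse(log_text):
        per_second[second][ip] += 1
    return {
        second: clients.most_common(top_n)
        for second, clients in per_second.items()
        if sum(clients.values()) > max_qps
    }

if __name__ == "__main__":
    # max_qps=5 is an illustrative threshold sized for the tiny sample.
    for second, top in find_overload(SAMPLE_LOG, max_qps=5).items():
        print(second, "exceeded threshold; top clients:", top)
```

In practice the threshold would be set from the measured capacity of the server in question, and the per-client counts feed rate limiting or upstream filtering decisions.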