How to defend your business against Domain Name Server attacks

Traditional endpoint security won't cut it against them

EfficientIP, a developer of DDI solutions, recently launched the industry's first hybrid DNS engine in response to the growing number of DNS cyber attacks such as Denial of Service (DoS) and cache poisoning.

Whereas most DNS servers run a single DNS engine, EfficientIP's SOLIDServer Hybrid DNS Engine (HDE) combines three DNS engines, managed in a single appliance.

According to the company, this approach gives large enterprises, operators and ISPs greater protection: it eliminates the single point of failure when a security alert is issued, creates a highly complex security footprint and allows DNS engines to be switched to protect service availability.

David Williamson, CEO of EfficientIP, explains what's behind Domain Name Server attacks and why different approaches to DNS security are needed.

TechRadar Pro: Why are DNS servers particularly vulnerable to attack? What's all the fuss about?

David Williamson: DNS servers play a central role in managing user access to websites, email and other web apps, translating between IP address numbers and domain names. Because DNS servers are public by design, they are open to the world to allow access to a website or a web-based application.

As a result, today's hackers are very familiar with the security holes and vulnerabilities of DNS servers and their software, which makes them targets for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

In the last quarter of 2013 alone, the total number of DDoS attacks increased 26% from the same period the year before. The average attack lasted 23 hours with many attacks consuming over 100 Gbps of bandwidth.

TRP: What are the potential outcomes of a DNS attack, and what does it really mean for today's Internet-dependent businesses?

DW: DNS attacks can appear in several forms with differing outcomes. If the DNS server is attacked, it can not only prevent individuals and organisations from connecting to the right website, but also flood sites with traffic and cause them to crash, as in the case of a DoS attack.

DNS protocols and software are potentially subject to security breaches that can cripple the network, reveal confidential internal information and even turn an entire corporate network into one huge botnet. Simply put, if the DNS server is compromised, the business is too, risking loss of revenue and potentially irreparable damage to its reputation and business relationships.

TRP: Can't DNS attacks be avoided with traditional endpoint security and if not, why not?

DW: Traditional endpoint security solutions are designed to secure the endpoint on the network that has been created by a device. They include antivirus, antispyware, firewalls and host intrusion prevention systems that validate user credentials and scan the device to make sure that it complies with defined corporate security policies before allowing access to the network.

They don't, however, protect the DNS server itself. This means that businesses need to protect themselves from cyber criminals that try to abuse and manipulate the DNS server software so that it contains bogus or fraudulent IP addresses.

If the hack is successful, the targeted name server then responds to client requests with these phony IP addresses. The misdirected client then communicates with the wrong servers, which are potentially owned and controlled by the hackers themselves.
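The check a resolver should apply before trusting an answer, so that a phony record cannot slip into its cache, is shown below as an added example. It is not EfficientIP's code or part of the interview; the pending-query state, the zone name and the wire-format messages are constructed for illustration.

```python
import struct
PENDING = {"txid": 0x1A2B, "qname": "www.example.com", "qtype": 1, "zone": "example.com"}  # constructed query state

def _name(msg, off, hops=0):
    """Decode a (possibly compressed) DNS name; return (name, offset just past it)."""
    labels = []
    while (ln := msg[off]) & 0xC0 != 0xC0:
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    if hops > 16:                                   # compression pointer: follow it, guard against loops
        raise ValueError("compression pointer loop")
    tail, _ = _name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, hops + 1)
    return ".".join(labels + [tail]), off + 2

def validate_response(msg, pending=PENDING):
    """Accept a response only if it matches the outstanding query and stays inside its zone."""
    txid, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    if txid != pending["txid"] or not flags & 0x8000 or qd != 1:
        return False, "header does not match the outstanding query", []
    qname, off = _name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                        # skip QTYPE and QCLASS
    if (qname, qtype) != (pending["qname"], pending["qtype"]):
        return False, "question does not match query", []
    zone, answers = pending["zone"], []
    for _ in range(an):
        owner, off = _name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if owner != zone and not owner.endswith("." + zone):  # bailiwick check
            return False, f"out-of-bailiwick record for {owner}", []
        if rtype == 1 and rdlen == 4:                          # A record
            answers.append((owner, ".".join(map(str, rdata))))
    return True, "ok", answers

def _enc(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(txid, qname, rrs):
    """Constructed wire-format response carrying A records given as (owner, ipv4)."""
    msg = struct.pack("!6H", txid, 0x8180, 1, len(rrs), 0, 0) + _enc(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in rrs:
        msg += _enc(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return msg

# Constructed samples: a genuine answer, and one carrying an injected record for another zone.
GENUINE = build_response(0x1A2B, "www.example.com", [("www.example.com", "198.51.100.10")])
INJECTED = build_response(0x1A2B, "www.example.com", [("www.example.com", "198.51.100.10"), ("mail.victim.test", "203.0.113.66")])
```

Running `validate_response(GENUINE)` returns the single A record, while `INJECTED` is rejected whole because one answer lies outside the queried zone.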

TRP: What are the advantages of using multiple DNS engines in the same server appliance, and why won't they be affected by a full-on DoS attack?

DW: Hybrid DNS technology provides the highest level of security for name servers because it makes their security footprint baffling to hackers. It achieves this by running a different type of algorithm for each DNS engine.

Having an active DNS engine running plus at least one alternative DNS engine ready for use has several benefits: when a new security alert is issued, a network owner can quickly and temporarily switch to another engine.