Monday, 13 January 2025

Tactics for DNS infrastructure defense


FOR something so important, many businesses take a lot of the services provided by the Domain Name System (DNS) for granted. But DNS availability is critical for anyone providing services or content across the internet.

That’s according to testing and measurement specialists Comtest, which cited a number of high-profile, high-impact attacks against DNS over the years.

“For example, the 2016 Mirai attacks against DNS service provider DYN impacted millions of users of services such as Netflix,” the company said in a statement.

There are several types of common DNS attacks. The Mirai attackers used a distributed denial-of-service (DDoS) attack to make DNS unavailable. Using a technique known as Water Torture, the attackers used a botnet to generate DNS queries for millions of random hosts, putting a huge load on the DNS infrastructure and rendering it unavailable for genuine user queries.

“Bad actors can also leverage DNS to attack third-party targets by using reflection or amplification attacks to generate large-scale volumetric attacks,” the company warned.

A DNS reflection/amplification attack uses a botnet to generate DNS queries using the source IP address of the intended DDoS victim.

The DNS servers innocently send their large volume of responses back to the victim, creating traffic volume as much as 10 to 100 times higher than that generated by the original botnet. Once the limits on bandwidth for the network, server, or application are reached, the circuit becomes unavailable.

Comtest recommends the following tactics to build a holistic defense strategy for defending against DNS DDoS attacks:

  • Current threat intelligence. Threat intelligence is a crucial tool for DDoS detection and mitigation. Security personnel and DNS administrators must not only be aware of the latest DNS exploits but also understand how each exploit works and what it does, so that they fully understand the impact on DNS infrastructure.
  • Regular audits. Proper maintenance is critical. Organizations must include DNS infrastructure in periodic, realistic tests of the organization’s DDoS mitigation plan, as well as regularly audit and properly configure DNS servers.
  • Network visibility. Companies must be able to quickly detect abnormal DNS traffic, including both application-layer and volumetric reflection/amplification DNS vector attacks. To accomplish this, you will need visibility and fast detection at Layer-3/4 and Layer-7 of the network.
  • Orchestrated mitigation. Companies can orchestrate multiple methods of mitigation, including their own network infrastructure, dedicated DDoS mitigation products, and for network operators, information sharing with other operators. By implementing such an orchestrated mitigation strategy, companies can strategically assign different methods of mitigation to different attack vectors.
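
As an illustration of the Layer-7 visibility described above, the following added example (not code from Comtest or this article) flags the Water Torture pattern in a resolver query log: many never-repeated names under one zone, almost all answered NXDOMAIN. The log format, the thresholds, the two-label zone heuristic and all function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample resolver log: "epoch_seconds client_ip qname rcode".
def build_sample_log():
    lines = []
    # Normal traffic: a few hostnames, queried repeatedly, that resolve.
    for i in range(30):
        host = ("www", "mail", "api")[i % 3]
        lines.append(f"{1200 + i} 10.0.0.{i % 5 + 1} {host}.shop.example NOERROR")
    # Water Torture pattern: many clients, every query a never-repeated label.
    for i in range(40):
        label = format(i * 2654435761 % 2**32, "08x")  # pseudo-random label
        lines.append(f"{1200 + i % 30} 192.0.2.{i % 20 + 1} {label}.victim.example NXDOMAIN")
    return lines

def zone_of(qname):
    # Assumption: the zone is the last two labels. A real deployment should use
    # the Public Suffix List or the zones the server is authoritative for.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def detect_random_subdomain_flood(lines, window=60, min_unique=25, min_nx_ratio=0.8):
    """Return {(window_start, zone): stats} for zones that look like a flood."""
    buckets = defaultdict(lambda: {"names": set(), "clients": set(), "total": 0, "nx": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines instead of crashing
        ts, client, qname, rcode = int(parts[0]), parts[1], parts[2], parts[3]
        b = buckets[(ts - ts % window, zone_of(qname))]
        b["names"].add(qname.lower())
        b["clients"].add(client)
        b["total"] += 1
        b["nx"] += rcode == "NXDOMAIN"
    alerts = {}
    for key, b in buckets.items():
        nx_ratio = b["nx"] / b["total"]
        # Both signals are required: a single mistyped name retried many times
        # has a high NXDOMAIN ratio but very few distinct names.
        if len(b["names"]) >= min_unique and nx_ratio >= min_nx_ratio:
            alerts[key] = {"unique_names": len(b["names"]), "queries": b["total"],
                           "nx_ratio": nx_ratio, "clients": len(b["clients"])}
    return alerts

if __name__ == "__main__":
    for (start, zone), stats in detect_random_subdomain_flood(build_sample_log()).items():
        print(start, zone, stats)
```

The thresholds need tuning against a baseline of normal traffic for each zone, since content delivery and telemetry hostnames can legitimately produce many distinct names.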
