With all this talk about DNS amplification attacks and DNS reflection attacks, is it correct to say there is not much an organization can do to protect against such attacks, as this is normal DNS functionality? Also, what planning exercises can be done prior to such attacks to recover faster and get back online?
I addressed how to secure different parts of the DNS ecosystem in previous questions on secure DNS resolvers and preventing DNS reflection attacks. Both attack types named in the question are forms of denial-of-service (DoS) attack that exploit weaknesses in the DNS ecosystem, and both require enterprise incident response to be addressed properly. However, planning exercises that help incident response teams prepare for a security incident involving the domain name system (DNS) are also valuable for properly securing an organization. This preparation is critical both for discovering attacks and for responding to them faster, so that businesses can get back online sooner.
To detect a DNS server participating in a denial-of-service attack, an organization should consistently monitor its systems for potentially suspicious activities, including:
- DNS client connections from uncommon source IPs
- A large number of connections from an IP or subnet
- An unexplained dramatic increase in queries served
- Queries for nonexistent domain names
- Alerts from an intrusion detection system or intrusion prevention system (IDS/IPS)
Any or all of the aforementioned activities could be signs that an attacker is abusing the DNS ecosystem. If any of them are detected, the system in question should be investigated to determine whether it is participating in a DoS attack and requires incident response.
Since most DNS traffic is carried over the User Datagram Protocol (UDP), it is easier for hackers to perform malicious actions over UDP, but the same monitoring tools can be used to detect the attacks.
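As an added example (not part of the original answer), the following Python triage script applies the indicators listed above to a constructed query log: it flags clients outside the address ranges the resolver is meant to serve, a /24 sending unusually many queries, a per-minute query spike against an assumed baseline, and clients producing bursts of NXDOMAIN answers. The log format, the served network, the baseline and all thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample query log, not captured from any real resolver.
# Format (assumed): "HH:MM:SS client_ip qname rcode".
SAMPLE_LOG = """\
12:00:01 10.1.2.3 intranet.example.com NOERROR
12:00:02 10.1.2.9 mail.example.com NOERROR
12:00:02 198.51.100.7 isc.org NOERROR
12:00:03 198.51.100.7 isc.org NOERROR
12:00:03 198.51.100.8 isc.org NOERROR
12:00:04 198.51.100.9 isc.org NOERROR
12:00:04 10.1.2.3 zqxj.example.com NXDOMAIN
12:00:05 10.1.2.3 kpqr.example.com NXDOMAIN
12:00:05 198.51.100.10 isc.org NOERROR
""".splitlines()

# Assumptions: the resolver should only serve 10.0.0.0/8, and a quiet-period
# baseline of about 3 queries per minute was observed earlier.
SERVED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BASELINE_PER_MINUTE = 3

def parse(lines):
    """Yield (minute, client address, qname, rcode) for each log line."""
    for line in lines:
        ts, client, qname, rcode = line.split()
        yield ts[:5], ipaddress.ip_address(client), qname, rcode

def analyze(lines, subnet_threshold=5, nx_threshold=2, spike_factor=2):
    """Apply the four indicators from the answer and return the findings."""
    per_minute, per_subnet, nx_per_client = Counter(), Counter(), Counter()
    foreign = set()
    for minute, client, _qname, rcode in parse(lines):
        per_minute[minute] += 1
        per_subnet[ipaddress.ip_network(f"{client}/24", strict=False)] += 1
        if not any(client in net for net in SERVED_NETS):
            foreign.add(client)  # client outside the ranges this resolver serves
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
    return {
        "uncommon_source": [str(c) for c in sorted(foreign)],
        "busy_subnet": [(str(n), c) for n, c in per_subnet.items() if c >= subnet_threshold],
        "query_spike": [(m, c) for m, c in per_minute.items() if c > spike_factor * BASELINE_PER_MINUTE],
        "nxdomain_burst": [(str(cl), c) for cl, c in nx_per_client.items() if c >= nx_threshold],
    }

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Each finding is a reason to investigate the server, not proof of abuse; tune the thresholds from a baseline observed on the resolver in question.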
Attacks on DNS only further support the need for the basic best practice of backing up the DNS database to ensure it is not corrupted. If an attack is uncovered, recovering to a known good state is critical for incident response.
As an aside, even though this particular question deals with two specific types of DNS attacks, note that there are other types of DNS attacks that might be more difficult for enterprises to detect, such as DNS cache poisoning or unauthorized changes to DNS records. So be sure not to inadvertently narrow the scope of your DNS risk assessment efforts.
Related Q&A from Nick Lewis