With all this talk about DNS amplification attacks and DNS reflection attacks, is it correct to say there is not
much an organization can do to protect against such attacks, as this is normal DNS functionality? Also, what planning exercises can be done prior to such attacks to recover faster and get back online?
Ask the expert
Perplexed about enterprise threats? Send your enterprise threats questions today! (All questions are anonymous.)
I addressed how to secure different parts of the DNS ecosystem in previous questions on secure DNS resolvers and preventing DNS reflection attacks. Both of these are types of denial-of-service (DoS) attacks that use weaknesses in the DNS ecosystem and require enterprise incident response to address them properly. However, planning exercises to help incident response teams prepare for a security incident involving the domain name system (DNS) is valuable to help properly secure an organization. This preparation is critical for both discovering attacks and responding to them faster so that businesses can get back online sooner.
To detect a DNS server participating in a denial of service attack, an organization should consistently monitor its systems for potentially suspicious activities including:
- DNS client connections from uncommon source IPs
- A large number of connections from an IP or subnet
- An unexplained dramatic increase in queries served
- Queries for nonexistent domain names
- Alerts from an intrusion detection system/intrusion prevention system
Any or all of the aforementioned attack methods could be used by a hacker to compromise the security of the DNS ecosystem. If any of these suspicious activities are detected, the system in question should be investigated to determine if it is participating in a DoS attack and requires incident response.
Since most DNS traffic is User Datagram Protocol, it is easier for hackers to perform malicious actions on the UDP connection, but the same tools can be used to detect the attacks.
Attacks on DNS only further support the need for the basic best practice of backing up the DNS database to ensure it is not corrupted. If an attack is uncovered, recovering to a known good state is critical for incident response.
As an aside, even though this particular question deals with two specific types of DNS attacks, note that there are other types of DNS attacks that might be more difficult for enterprises to detect, such as a DNS cache poisoning attack or detecting unauthorized changes in DNS records. So be sure not to inadvertently narrow the scope of your DNS risk assessment efforts.
Dig deeper on Monitoring Network Traffic and Network Forensics
Related Q&A from Nick Lewis, Enterprise Threats
Researchers reportedly succeeded in extracting decryption keys using sound-based attacks. Is this a threat enterprises should worry about?continue reading
The amount of malware using peer-to-peer communications has increased dramatically. Enterprise threats expert Nick Lewis explains how to detect P2P ...continue reading
Cloaked malware, like DGA.Changer, can reportedly evade sandbox detection. Nick Lewis explains how to handle the risk.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.