HostExploit has indicated that open and misconfigured DNS resolvers can be used in amplified distributed denial-of-service (DDoS) attacks. How can an organization tell if its DNS resolvers are being used for such attacks, and how can DNS resolvers be secured?
The domain name system (DNS) is one of the most critical services keeping the Internet working, but it's also been one of the most popular targets for attackers. DNS resolvers are the servers that client systems use to resolve domain names. There are around 10 million DNS resolvers. As HostExploit notes in its World Hosts Report, many of these DNS resolvers are misconfigured and can be used in a DDoS DNS amplification attack, which involves misconfigured servers being tricked into sending large DNS responses in order to overwhelm a target's network connection.
To detect whether DNS resolvers are being abused, an organization can use an intrusion detection system (IDS) to detect malformed DNS packets or review the logs of the DNS server. The network or logs can be monitored to look for malicious hosts making a large number of queries in a short period of time or requesting the same name with a large DNS response multiple times from the same IP. Such attacks can also be detected by monitoring bandwidth for a significant amount of traffic sent to a specific IP or network.
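The two log heuristics just described (a burst of queries from one source, and the same name with a large-answer type requested repeatedly from one IP), as an added example that is not part of the original answer. It runs over constructed BIND-style query-log lines; the thresholds and the set of "large response" query types are assumptions to tune for the environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in BIND9 query-log style; not captured traffic.
SAMPLE_LOG = """\
12-Mar-2013 10:00:00.101 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E
12-Mar-2013 10:00:00.112 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E
12-Mar-2013 10:00:00.120 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E
12-Mar-2013 10:00:00.130 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E
12-Mar-2013 10:00:01.004 client 192.0.2.10#41233 (www.example.com): query: www.example.com IN A +
12-Mar-2013 10:00:05.250 client 192.0.2.10#41234 (mail.example.com): query: mail.example.com IN MX +
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+ \([^)]*\): "
                     r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# Query types whose answers are usually much larger than the request (assumed list).
LARGE_RESPONSE_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["qname"].lower(), m["qtype"].upper()

def find_suspects(log_text, window_secs=10, rate_threshold=3, repeat_threshold=3):
    """Return {source_ip: [reasons]} for sources matching either heuristic."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    suspects = defaultdict(list)
    # Heuristic 1: many queries from one source inside a sliding time window.
    by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        by_ip[ip].append(ts)
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_secs:
                start += 1
            if end - start + 1 >= rate_threshold:
                suspects[ip].append(f"{end - start + 1} queries within {window_secs}s")
                break
    # Heuristic 2: the same name with a large-answer type requested repeatedly.
    repeats = Counter((ip, q, t) for _, ip, q, t in events if t in LARGE_RESPONSE_TYPES)
    for (ip, q, t), n in repeats.items():
        if n >= repeat_threshold:
            suspects[ip].append(f"{n}x {t} {q}")
    return dict(suspects)
```

A source flagged by both heuristics is the pattern the answer describes; a flagged source address may itself be the spoofed victim, so the right response is to restrict recursion and rate-limit rather than to block the address.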
Google provides details on the security of its public DNS resolvers and outlines steps that can be taken to secure DNS. Cisco also has a DNS best practice guide that outlines its security recommendations. Both offer recommendations for securing DNS resolvers, but one of the key steps to preventing DNS resolvers from being used to amplify a DDoS attack using forged source IPs is for ISPs to prevent IP spoofing. Organizations should check with their ISPs to ensure the necessary spoofing protections are in place and whether they follow the Internet Engineering Task Force's BCP38. IP spoofing can be severely limited by ISPs restricting their customers to only sending packets using their approved IP network addresses. By stopping IP spoofing, the DNS servers can be prevented from participating in a DDoS attack, because all of the DNS traffic is forced to be sent back to the legitimate requestor.