HostExploit has indicated that open and misconfigured DNS resolvers can be used in amplified distributed denial-of-service (DDoS) attacks. How can an organization tell if its DNS resolvers are being used for such attacks, and how can DNS resolvers be secured?
Ask the Expert
The domain name system (DNS) is one of the most critical services keeping the Internet working, but it has also been one of the most popular targets for attackers. DNS resolvers are the servers that client systems use to resolve domain names, and there are around 10 million of them. As HostExploit notes in its World Hosts Report, many of these resolvers are misconfigured and can be used in a DDoS DNS amplification attack, in which open or misconfigured resolvers are tricked by small queries carrying a forged source address into sending large DNS responses to a target, overwhelming its network connection.
To detect whether its DNS resolvers are being abused, an organization can use an intrusion detection system (IDS) to flag malformed DNS packets, or review the DNS server's query logs. The network traffic or logs can be monitored for hosts making a large number of queries in a short period of time, or repeatedly requesting the same name with a record type that produces a large DNS response from the same IP. Such attacks can also be detected by monitoring bandwidth for a significant amount of traffic sent to a specific IP or network.
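The two log-review checks described above, written out as an added example (this is not code from the original answer or from any vendor referenced in it). It assumes BIND 9 query-log formatting and a few constructed log lines; the thresholds, the set of "large response" record types and the sample addresses are assumptions chosen for illustration.

```python
"""Flag DNS query-log patterns consistent with reflection/amplification abuse.

Parses BIND-style query log lines (format assumed), then applies two checks:
many queries from one source inside a short window, and one source repeatedly
asking for the same name with a record type whose answer is much larger than
the query.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# BIND 9 query log line; the "@0x..." client pointer and "(view)" are optional.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

# Record types whose answers are typically far larger than the query (assumed set).
LARGE_RESPONSE_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "ip": m["ip"],
        "name": m["name"].rstrip(".").lower(),
        "qtype": m["qtype"],
    }


def find_abuse(lines, window_s=10, rate_threshold=5, repeat_threshold=3):
    """Return a sorted list of (source_ip, reason) findings over the log lines."""
    findings = set()
    recent = defaultdict(deque)   # ip -> timestamps still inside the sliding window
    repeats = defaultdict(int)    # (ip, name, qtype) -> count of identical queries
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        win = recent[q["ip"]]
        win.append(q["ts"])
        while (q["ts"] - win[0]).total_seconds() > window_s:
            win.popleft()
        if len(win) > rate_threshold:
            findings.add((q["ip"], "high query rate"))
        if q["qtype"] in LARGE_RESPONSE_TYPES:
            key = (q["ip"], q["name"], q["qtype"])
            repeats[key] += 1
            if repeats[key] >= repeat_threshold:
                findings.add((q["ip"], f"repeated {q['qtype']} query for {q['name']}"))
    return sorted(findings)


# Constructed sample log (not from a real server): 198.51.100.7 is the address
# that keeps appearing as the source of ANY queries; 192.0.2.10 is an ordinary
# client. Resolver address 10.0.0.53 is also made up.
SAMPLE_LOG = [
    "03-Feb-2024 10:00:00.100 client @0x7f0a1c0d8f70 192.0.2.10#53211 (default): "
    "query: www.example.com IN A +E(0)K (10.0.0.53)",
] + [
    f"03-Feb-2024 10:00:0{i}.000 client @0x7f0a1c0d8f70 198.51.100.7#{3000 + i} (default): "
    "query: example.net IN ANY +E(0) (10.0.0.53)"
    for i in range(8)
] + [
    "03-Feb-2024 10:00:30.000 client 192.0.2.10#53212: query: mail.example.com IN MX +E(0) (10.0.0.53)",
]

if __name__ == "__main__":
    for ip, reason in find_abuse(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

In a real amplification attack the "source" address in these log lines is the forged address of the victim, so the finding identifies who is being attacked through the resolver rather than who is sending the traffic; the rate and repeat thresholds should be tuned against a baseline of the resolver's normal traffic.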
Google provides details on the security of its public DNS resolvers and outlines steps that can be taken to secure DNS. Cisco also has a DNS best practice guide that outlines its security recommendations. Both offer recommendations for securing DNS resolvers, but one of the key steps in preventing DNS resolvers from being used to amplify a DDoS attack with forged source IPs is for ISPs to prevent IP spoofing. Organizations should check with their ISPs to ensure the necessary anti-spoofing protections are in place and that they follow the Internet Engineering Task Force's BCP38. IP spoofing can be severely limited by ISPs restricting their customers to sending packets only from their approved IP network addresses. With IP spoofing stopped, every DNS response is forced back to the legitimate requestor, so the resolver cannot be made to participate in a DDoS attack against a third party.
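A model of the BCP38 ingress rule from the previous paragraph, added here as an example rather than taken from the original answer, the IETF document or any vendor: the ISP records which address prefixes it assigned to each customer port and drops any packet arriving on that port whose source address lies outside them. The port names, prefixes, resolver address and the victim address 198.51.100.7 are constructed for illustration.

```python
"""BCP38-style ingress filtering at an ISP customer edge (illustrative model).

A packet arriving on a customer port with a source address the ISP never
assigned to that port is spoofed and is dropped. A forged DNS query carrying
a victim's address therefore never reaches the resolver, and the resolver's
large response never heads for the victim.
"""
import ipaddress

# Constructed assignment table: customer port -> prefixes routed to it.
ASSIGNED = {
    "port-1": [ipaddress.ip_network("203.0.113.0/24")],
    "port-2": [ipaddress.ip_network("192.0.2.0/25"),
               ipaddress.ip_network("2001:db8::/48")],
}


def is_valid_source(port, src):
    """True if src falls inside a prefix assigned to the ingress port.

    An unknown port has no assigned prefixes, so everything on it is dropped.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ASSIGNED.get(port, []))


def ingress_filter(packets):
    """Split (port, src, dst, proto, dport) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_valid_source(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


def spoofed_sources(packets):
    """Distinct source addresses the filter rejected, sorted for stable output."""
    return sorted({p[1] for p in ingress_filter(packets)[1]})


# Constructed traffic aimed at a resolver at 10.0.0.53 (made-up address):
# two legitimate lookups, one query whose source is forged to the intended
# victim's address, and one whose source belongs to a different customer.
SAMPLE_PACKETS = [
    ("port-1", "203.0.113.42", "10.0.0.53", "udp", 53),   # legitimate
    ("port-1", "198.51.100.7", "10.0.0.53", "udp", 53),   # spoofed: victim's address
    ("port-2", "2001:db8::10", "10.0.0.53", "udp", 53),   # legitimate IPv6
    ("port-2", "203.0.113.42", "10.0.0.53", "udp", 53),   # prefix belongs to port-1
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}; spoofed sources: {spoofed_sources(SAMPLE_PACKETS)}")
```

The same check is what an organization is asking its ISP to confirm: that packets leaving the customer edge with a source address outside the customer's allocation are discarded rather than forwarded toward the resolvers of the Internet at large.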