HostExploit has indicated that open and misconfigured DNS resolvers can be used in amplified distributed denial-of-service (DDoS) attacks. How can an organization tell if its DNS resolvers are being used for such attacks, and how can DNS resolvers be secured?
Ask the Expert
The domain name system (DNS) is one of the most critical services keeping the Internet working, but it has also been one of the most popular targets for attackers. DNS resolvers are the servers that client systems use to resolve domain names, and there are around 10 million of them. As HostExploit notes in its World Hosts Report, many of these resolvers are misconfigured and can be used in a DNS amplification DDoS attack, in which the misconfigured servers are tricked into sending large DNS responses to a victim in order to overwhelm the target's network connection.
To detect whether its DNS resolvers are being abused, an organization can use an intrusion detection system (IDS) to flag malformed DNS packets, or review the DNS server's logs. The network or the logs can be monitored for hosts making a large number of queries in a short period of time, or for the same IP repeatedly requesting a name that produces a large DNS response. Such attacks can also be detected by monitoring bandwidth for a significant volume of traffic being sent to a specific IP or network.
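The log-review approach above, as an added example that is not part of the original answer: a small Python script that parses query-log lines in the style of BIND 9's "queries" channel (the sample lines are constructed, not captured traffic) and flags sources that exceed a query rate in a time window or repeatedly ask for the same name with a query type whose answer is typically large. The thresholds and the set of large-answer query types are assumptions to tune for your own resolver.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the shape of BIND 9 query-log lines, e.g.
# "15-Mar-2016 10:00:00.101 client 198.51.100.7#53211 (example.org): query: example.org IN ANY +E (192.0.2.53)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<src>[\d.]+)#\d+ "
    r"\([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S"
# Assumed set of query types whose answers are large and so attractive for amplification.
LARGE_ANSWER_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_line(line):
    """Return (epoch_seconds, src_ip, qname, qtype) or None for lines that are not queries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return ts, m.group("src"), m.group("name").lower(), m.group("qtype").upper()


def find_suspect_clients(lines, window_s=10, rate_threshold=50, repeat_threshold=20):
    """Flag sources that (a) send more than rate_threshold queries in one window_s bucket,
    or (b) repeat the same name with a large-answer qtype at least repeat_threshold times."""
    per_window = Counter()   # (src, time bucket) -> query count
    repeats = Counter()      # (src, name, qtype) -> count, large-answer types only
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, name, qtype = parsed
        per_window[(src, int(ts // window_s))] += 1
        if qtype in LARGE_ANSWER_QTYPES:
            repeats[(src, name, qtype)] += 1
    reasons = defaultdict(list)
    for (src, _bucket), n in per_window.items():
        if n > rate_threshold:
            reasons[src].append(f"{n} queries in one {window_s}s window")
    for (src, name, qtype), n in repeats.items():
        if n >= repeat_threshold:
            reasons[src].append(f"{name} {qtype} repeated {n} times")
    return dict(reasons)


def constructed_sample():
    """Constructed log: one source hammering 'example.org IN ANY', one normal client doing A lookups."""
    fmt = "15-Mar-2016 10:00:{:02d}.{:03d} client {}#{} ({}): query: {} IN {} +E (192.0.2.53)"
    lines = [fmt.format(i // 30, (i % 30) * 33, "198.51.100.7", 53211,
                        "example.org", "example.org", "ANY") for i in range(60)]
    lines += [fmt.format(i, 0, "203.0.113.9", 40000 + i,
                         "www.example.com", "www.example.com", "A") for i in range(5)]
    return lines
```

Running `find_suspect_clients(constructed_sample())` reports only 198.51.100.7, with both the rate and the repeated-ANY reason; feed it real resolver logs to see which sources to investigate or rate-limit.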
Google publishes details on the security of its public DNS resolvers and outlines steps that can be taken to secure DNS. Cisco also has a DNS best practice guide that outlines its security recommendations. Both offer recommendations for securing DNS resolvers, but one of the key steps to preventing DNS resolvers from being used to amplify a DDoS attack with forged source IPs is for ISPs to prevent IP spoofing. Organizations should check with their ISPs to ensure the necessary spoofing protections are in place and that they follow the Internet Engineering Task Force's BCP38. IP spoofing can be severely limited by ISPs restricting their customers to sending packets only from their approved IP network addresses. With IP spoofing stopped, DNS servers can no longer be made to participate in a DDoS attack, because all of the DNS responses are forced back to the legitimate requestor.