HostExploit has indicated that open and misconfigured DNS resolvers can be used in amplified distributed denial-of-service...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
(DDoS) attacks. How can an organization tell if its DNS resolvers are being used for such attacks, and how can DNS resolvers be secured?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The domain name system (DNS) is one of the most critical services keeping the Internet working, but it's also been one of the most popular targets for attackers. DNS resolvers are the servers that client systems use to resolve domain names. There are around 10 million DNS resolvers. As HostExploit notes in its World Hosts Report, many of these DNS resolvers are misconfigured and can be used in a DDoS DNS amplification attack, which involves misconfigured servers being tricked into sending large DNS responses in order to overwhelm a target's network connection.
To detect whether DNS resolvers are being abused, an organization can use an intrusion detection system (IDS) to detect malformed DNS packets or review the logs of the DNS server. The network or logs can be monitored to look for malicious hosts making a large number of queries in a short period of time or requesting the same name with a large DNS response multiple times from the same IP. Such attacks can also be detected by monitoring bandwidth for a significant amount of traffic sent to a specific IP or network.
Google provides details on the security of their public DNS resolvers and outlines steps that can be taken to secure DNS. Cisco also has a DNS best practice guide that outlines its security recommendations. Both offer recommendations for securing DNS resolvers, but one of the key steps to preventing DNS resolvers from being used to amplify a DDoS attack using forged source IPs is for ISPs to prevent IP spoofing. Organizations should check with their ISPs to ensure the necessary spoofing protections are in place and see if they are following the Internet Egnineering Task Force's BCP38. IP spoofing can be severely limited by ISPs restricting their customers to only sending packets using their approved IP network addresses. By stopping IP spoofing, the DNS servers can be prevented from participating in a DDoS attack by forcing all of the DNS traffic to be sent to a legitimate requestor.
Dig Deeper on Web Server Threats and Countermeasures
Related Q&A from Nick Lewis
Locky ransomware has, again, changed tactics by moving to using LNK files for distribution. Expert Nick Lewis explains how enterprises can adjust ...continue reading
Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime ...continue reading
Drammer, or a deterministic Rowhammer attack, was found to be more effective on ARM-based mobile devices. Expert Nick Lewis explains the issue with ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.