Incident response planning for DNS attacks against enterprises

Practicing incident response for a DNS attack will help enterprises recover faster. Nick Lewis offers incident response planning best practices.

With all this talk about DNS amplification attacks and DNS reflection attacks, is it correct to say there is not much an organization can do to protect against such attacks, as this is normal DNS functionality? Also, what planning exercises can be done prior to such attacks to recover faster and get back online?

I addressed how to secure different parts of the DNS ecosystem in previous questions on secure DNS resolvers and preventing DNS reflection attacks. DNS amplification and DNS reflection attacks are both types of denial-of-service (DoS) attacks that use weaknesses in the DNS ecosystem and require enterprise incident response to address them properly. However, planning exercises that help incident response teams prepare for a security incident involving the domain name system (DNS) are valuable in properly securing an organization. This preparation is critical both for discovering attacks and for responding to them faster so that businesses can get back online sooner.

To detect a DNS server participating in a denial of service attack, an organization should consistently monitor its systems for potentially suspicious activities including:

  • DNS client connections from uncommon source IPs
  • A large number of connections from an IP or subnet
  • An unexplained dramatic increase in queries served
  • Queries for nonexistent domain names
  • Alerts from an intrusion detection system/intrusion prevention system

Any or all of the aforementioned attack methods could be used by a hacker to compromise the security of the DNS ecosystem. If any of these suspicious activities are detected, the system in question should be investigated to determine if it is participating in a DoS attack and requires incident response.
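The monitoring checks listed above can be run over one window of DNS query logs, as in this added example (not part of the original article). The log format, thresholds, known-client network and sample lines are constructed assumptions; IDS/IPS alerts are out of scope here.

```python
import ipaddress
from collections import Counter

# Assumed values for illustration; tune them to your own baseline.
KNOWN_CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_PER_SUBNET = 5        # queries per /24 per window
MAX_NXDOMAIN_RATIO = 0.3  # share of responses that are NXDOMAIN
SPIKE_FACTOR = 3          # window volume relative to baseline volume

# Constructed sample window (documentation IP ranges, example.com names).
SAMPLE = (
    ["1700000000 10.1.2.3 www.example.com A NOERROR",
     "1700000001 10.1.2.4 mail.example.com MX NOERROR"]
    + ["1700000002 198.51.100.7 example.com A NOERROR"] * 3
    + ["1700000002 198.51.100.9 example.com A NOERROR"] * 3
    + [f"1700000003 203.0.113.5 r{i}.example.com A NXDOMAIN" for i in range(4)]
)

def parse(line):
    """Parse the constructed format: epoch client_ip qname qtype rcode."""
    ts, ip, qname, qtype, rcode = line.split()
    return int(ts), ipaddress.ip_address(ip), qname, qtype, rcode

def analyze(lines, baseline_queries):
    """Return sorted (indicator, detail) findings for one log window."""
    records = [parse(l) for l in lines if l.strip()]
    findings, per_subnet, nxdomain = set(), Counter(), 0
    for _, ip, _, _, rcode in records:
        # Group by /24 so traffic spread across neighbouring IPs still adds up.
        per_subnet[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1
        if not any(ip in net for net in KNOWN_CLIENT_NETS):
            findings.add(("uncommon_source", str(ip)))
        if rcode == "NXDOMAIN":
            nxdomain += 1
    for subnet, count in per_subnet.items():
        if count > MAX_PER_SUBNET:
            findings.add(("high_volume_subnet", str(subnet)))
    if records and nxdomain / len(records) > MAX_NXDOMAIN_RATIO:
        findings.add(("nxdomain_ratio", f"{nxdomain}/{len(records)}"))
    if len(records) > SPIKE_FACTOR * baseline_queries:
        findings.add(("query_spike", f"{len(records)} vs baseline {baseline_queries}"))
    return sorted(findings)

if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE, baseline_queries=3):
        print(indicator, detail)
```

Each finding is a prompt to investigate the server, not proof of an attack; a real deployment would read the resolver's own log format and derive the baseline from historical windows.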

Since most DNS traffic uses the User Datagram Protocol (UDP), it is easier for hackers to perform malicious actions over UDP, but the same tools can be used to detect the attacks.

Attacks on DNS only further support the need for the basic best practice of backing up the DNS database to ensure it is not corrupted. If an attack is uncovered, recovering to a known good state is critical for incident response.

As an aside, even though this particular question deals with two specific types of DNS attacks, note that there are other types of DNS attacks that might be more difficult for enterprises to detect, such as DNS cache poisoning or unauthorized changes to DNS records. So be sure not to inadvertently narrow the scope of your DNS risk assessment efforts.

This was last published in March 2014