With all this talk about DNS amplification attacks and DNS reflection attacks, is it correct to say there is not much an organization can do to protect against such attacks, as this is normal DNS functionality? Also, what planning exercises can be done prior to such attacks to recover faster and get back online?
Ask the expert
Perplexed about enterprise threats? Send your enterprise threats questions today! (All questions are anonymous.)
I addressed how to secure different parts of the DNS ecosystem in previous questions on secure DNS resolvers and preventing DNS reflection attacks. Both of these are types of denial-of-service (DoS) attacks that use weaknesses in the DNS ecosystem and require enterprise incident response to address them properly. However, planning exercises to help incident response teams prepare for a security incident involving the domain name system (DNS) is valuable to help properly secure an organization. This preparation is critical for both discovering attacks and responding to them faster so that businesses can get back online sooner.
To detect a DNS server participating in a denial of service attack, an organization should consistently monitor its systems for potentially suspicious activities including:
- DNS client connections from uncommon source IPs
- A large number of connections from an IP or subnet
- An unexplained dramatic increase in queries served
- Queries for nonexistent domain names
- Alerts from an intrusion detection system/intrusion prevention system
Any or all of the aforementioned attack methods could be used by a hacker to compromise the security of the DNS ecosystem. If any of these suspicious activities are detected, the system in question should be investigated to determine if it is participating in a DoS attack and requires incident response.
Since most DNS traffic is User Datagram Protocol, it is easier for hackers to perform malicious actions on the UDP connection, but the same tools can be used to detect the attacks.
Attacks on DNS only further support the need for the basic best practice of backing up the DNS database to ensure it is not corrupted. If an attack is uncovered, recovering to a known good state is critical for incident response.
As an aside, even though this particular question deals with two specific types of DNS attacks, note that there are other types of DNS attacks that might be more difficult for enterprises to detect, such as a DNS cache poisoning attack or detecting unauthorized changes in DNS records. So be sure not to inadvertently narrow the scope of your DNS risk assessment efforts.
Dig Deeper on Real-time network monitoring and forensics
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading