This content is part of the Essential Guide: How to attack DDoS threats with a solid defense plan
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

DDoS attacks on your DNS provider: Developing a response strategy

Learn from DNS provider NS1's experience with a DDoS attack. Expert Kevin Beaver has tips on developing a mitigation response for a DNS outage in your own enterprise.

Many enterprises have pondered -- and experienced -- what can happen when a targeted distributed denial-of-service attack is run against their systems. Over the years, there have been many cases of seemingly resilient organizations that have had their core online presence literally wiped off the face of the internet via distributed denial-of-service attacks.

Specific systems being taken offline is one thing; however, have you thought about what would happen if your enterprise's entire domain name system functionality were to go away? With domain name systems (DNSes) essentially being the circulatory system of the internet (and your business), it's hard to imagine many organizations surviving without it for very long.
In a recent DDoS attack, managed DNS provider NS1 and its customers suffered such an outage. Apparently, what started with volume-intensive attacks quickly became direct DNS lookup attacks that ended up creating sustained DNS problems. If it can happen to a DNS provider such as NS1, it can happen to anyone.

The approach to handling DDoS attacks has, in large part, evolved into increasing capacity to effectively spread the load around multiple systems in order to better absorb the impact. One NS1 blog post, one of the best I've ever seen released by a vendor coming under attack, outlined various DDoS mitigation strategies, with the most reasonable and effective ones for the typical enterprise being:

  • Have DNS service through two independent networks.
  • Work with anti-distributed denial-of-service vendors.
  • Ensure maximum visibility through system monitoring and alerting, ideally through a third-party managed security service provider.

However, I believe the most important part of this discussion falls into the category of "experience is something that you don't get until just after you need it." A smarter approach to denial-of-service-related incident response is thinking in advance what the worst-case scenario is and then taking the steps necessary to make sure that it doesn't happen. This approach is called "minimax" regret analysis; you minimize your maximum regret.

Oddly enough, there are still organizations, including large enterprises, that have yet to find or resolve relatively basic DDoS-related weaknesses. Some of these weaknesses are as obvious as those that come out of vulnerability scanning and penetration testing, such as DNS traffic amplification and DNS recursive queries being enabled. These vulnerabilities exist on routers, firewalls and servers that are exposed to the internet and, thus, denial-of-service. Be it for your DNS provider or for internally based DNS, here's what you can do starting today to minimize the impact of a DNS-focused DDoS attack:

  • Look for the low-hanging fruit, i.e., the DNS vulnerabilities mentioned above.
  • From a network architecture point of view, look at how the DNS service operates within your environment and determine specific choke points and single points of failure, including cloud services and business partner connections.
  • Have a discussion with your internet, hosting, cloud and DNS service providers and ask them what mitigation strategies they have in place to minimize such risks.
  • Based on the information you gather, determine what else needs to be done, such as adding an additional DNS provider, signing up for an anti-DDoS vendor's service and so on.
  • Perhaps most importantly, document your standards for these DNS mitigation strategies and technologies, as well as your procedures for handling such events, directly in your incident response plan or business continuity plan.
  • Perform simulated tabletop (or real) exercises to determine where you're still weak. Go about resolving the weaknesses you uncover, and then make denial-of-service and incident response testing part of your ongoing information security program.

One of the best gifts you can ever receive to help with minimizing your security risks is the ability to review someone else's incident. Review what happened to NS1 and other DNS providers moving forward. Consider what happened to them in their scenario and how it might apply to your situation. Finally, ensure you have the proper security controls in place to address such events. Remember that your overall goal is not to fully eliminate the risk, but rather to minimize its impact on your organization.

Next Steps

Learn how your enterprise can effectively mitigate DDoS attacks

Find out how DDoS attacks have evolved

Read about preventing DDoS attacks that bypass DNS rerouting

This was last published in August 2016

Dig Deeper on DDoS attack detection and prevention