Your DNS Server Is Helping DDoS Attacks

In the first quarter of this year, it was reported that DDoS attack bandwidth on the Internet increased by 700 percent. As attacks push more traffic at a target, even the largest enterprise networks can be saturated.

DDoS attacks are growing increasingly sophisticated and take advantage of dozens, hundreds, or even thousands of compromised machines that form enormous botnets. But more importantly, they increasingly make use of non-compromised but misconfigured public DNS servers. Your enterprise might be responsible for some of these servers.

Public DNS resolvers are most commonly owned and operated by Internet service providers (ISPs) or major Internet companies such as Google. But enterprise organizations that support multiple datacenters often find it valuable to run their own public-facing DNS for the domains they own. There are a number of benefits to running your own public DNS server. For example, with a locally managed DNS server you can set TTLs; push updates promptly; build multi-site, high-availability configurations; and tune other parameters yourself.

But running a public DNS server also comes with added responsibilities. First of all, it must be designed to be highly reliable. If a public DNS server malfunctions, lots of people are going to notice. Additionally, there is a growing problem of being both a DDoS target and an oblivious accomplice in attacks. There is not much you can do about being targeted, but there are steps you can take to keep your server from inadvertently assisting in an attack on someone else.

A single DNS query is a very low-bandwidth transaction: the query itself is typically well under 100 bytes, and a DNS server can answer thousands of them every second. Responses are larger, and they can be much larger. A plain UDP response is limited to 512 bytes, but with EDNS0 (which most resolvers now support) a single UDP answer can run to 4,096 bytes, and queries for ANY or for DNSSEC-signed names routinely return several kilobytes. That asymmetry between a tiny query and a large answer is the amplification. Zone transfers, which copy a domain's entire set of records, are larger still, but they run over TCP and so cannot be triggered with a forged source address; restricting them to your own secondary servers is still good practice, because an open zone transfer hands an attacker a complete map of your hosts. Recent DDoS attacks have taken advantage of two facts: DNS normally runs over UDP, which carries no proof of who actually sent a packet, and many public DNS resolvers will recurse for anyone who asks rather than only for their own users.
</gml_replace>
<gr_replace lines="13" cat="clarify" orig="Because of that">
Because of that, DDoS bots can send a flood of small queries for a record-heavy name to thousands of open resolvers at once, each query carrying the source IP address of the site under attack. The misconfigured resolvers then send their multi-kilobyte answers to the target network, often overwhelming the target's Internet bandwidth and knocking the site offline. The victim never asked for any of it, and the resolvers never see the real attacker's address.

Because of that, DDoS bots can request zone transfer files from thousands of DNS servers at once, giving a source IP address of the site that is under attack. The misconfigured DNS servers then send the zone files back to the target network, often overwhelming the target’s Internet bandwidth and knocking the site offline.
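To make the asymmetry concrete, here is a small added example (it is not code from the original post) that builds DNS messages by hand so it runs offline without any DNS library. It constructs a 40-byte recursive query for example.com with an EDNS0 buffer of 4,096 bytes, then constructs the kind of answer an open resolver would return for a name padded with a dozen 255-byte TXT records, and compares the two sizes. It also shows the answer a correctly restricted server gives instead: a 29-byte REFUSED with the recursion-available flag clear. The ordinary UDP query is used rather than a zone transfer because AXFR runs over TCP and cannot be source-spoofed. The `is_open_resolver` function at the end performs a live probe; the host you pass it is your own, and that you are authorized to probe it is an assumption of the example. The TXT record sizes and the 12-record zone are constructed sample data.

```python
import socket
import struct

# Added example code, not from the original post. DNS messages are built by
# hand (RFC 1035 wire format) so the whole thing runs offline.

RCODE_NOERROR, RCODE_REFUSED = 0, 5
QTYPE_A, QTYPE_TXT, QTYPE_ANY, TYPE_OPT = 1, 16, 255, 41
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name):
    """Encode 'example.com' as DNS wire labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_bufsize=4096):
    """One recursive (RD=1) query. The optional EDNS0 OPT record advertises a
    UDP buffer far above the classic 512-byte limit, inviting a big answer."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Pull the fields a resolver check cares about out of a 12-byte header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def build_response(query, txt_records, rcode=RCODE_NOERROR, recursion_available=True):
    """Constructed answer to `query`: same ID, QR set, the question echoed,
    then one TXT RR per byte string (what an open resolver would send back)."""
    txid = struct.unpack("!H", query[:2])[0]
    # question = qname (ends at first 0x00 after the header) + qtype + qclass
    qend = query.index(b"\x00", 12) + 1 + 4
    question = query[12:qend]
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if recursion_available else 0) | rcode
    answers = b""
    for txt in txt_records:
        rdata = struct.pack("B", len(txt)) + txt          # one <character-string>
        # 0xC00C is a compression pointer to the qname at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txt_records), 0, 0)
    return header + question + answers


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker had to send."""
    return len(response) / len(query)


def demo():
    """Open resolver versus restricted server, for the same spoofed query."""
    query = build_query("example.com", QTYPE_ANY)
    # Constructed sample zone: a dozen 255-byte TXT records, the kind of
    # padding attackers plant (or find) to maximise an ANY response.
    big_txt = [b"A" * 255] * 12
    open_reply = build_response(query, big_txt)
    refused = build_response(query, [], rcode=RCODE_REFUSED, recursion_available=False)
    return {
        "query_bytes": len(query),
        "open_resolver_bytes": len(open_reply),
        "amplification": amplification_factor(query, open_reply),
        "closed_resolver_bytes": len(refused),
        "closed_rcode": parse_header(refused)["rcode"],
        "closed_ra": parse_header(refused)["ra"],
    }


def is_open_resolver(host, port=53, timeout=3.0):
    """Live check against a server you are authorized to probe (assumption):
    ask it to recurse for a name it is not authoritative for. A properly
    restricted server answers REFUSED with RA clear; an open one answers."""
    query = build_query("example.com", QTYPE_A, txid=0x4242, edns_bufsize=None)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    h = parse_header(data)
    return h["id"] == 0x4242 and h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0


if __name__ == "__main__":
    print(demo())
```

On the constructed zone the open resolver's 3,245-byte answer is about 81 times the 40-byte query, so every megabit the attacker spends becomes roughly 81 megabits at the victim, while the restricted server's reply is smaller than the query and amplifies nothing. Run `is_open_resolver("your.server.example")` from an address outside your own networks; if it returns True, recursion is open to the world.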

If your company manages a public DNS server, you may be under the false impression that it is properly set up and secured. But you may be surprised to find that the vast majority of public DNS servers on the Internet will answer recursive queries from anyone, which makes them usable as amplifiers. The Open DNS Resolver Project claims that it has scoured the Internet and identified over 27 million open DNS servers, and that over 25 million of them "pose a significant threat." That number is frightening and needs to come down considerably, until it becomes too difficult for attackers to find open resolvers to abuse.

So please, do your fellow Internet neighbors a favor and make sure your DNS is configured properly: answer recursive queries only from your own networks, refuse or rate-limit everyone else, and restrict zone transfers to your own secondary servers. This is one way we can take a tool away from an attacker's growing toolset. Given the increasing threat DDoS attacks pose to the financial industry, it may be the entire economy you are protecting.
