DOTE

Chain And Rate

Tuesday, January 19, 2016

Protecting Yourself Against DNS Distributed Denial of Service (DDoS) Attacks

Distributed Denial of Service via DNS (DNS DDoS) is now a common network traffic attack used by various malicious actors to disrupt business or agency operations. DNS DDoS attacks are designed to bring down DNS servers and consume network bandwidth, thereby impacting critical IT applications (e.g. email, web transactions, VoIP, SaaS). For a business, there are two typical roles in a DNS DDoS attack: victim and accomplice. By following best practices for DNS configuration and operation, you reduce your risk both of being impacted by a DNS DDoS attack and of being used in one.

Avoid being a victim
To avoid being a victim of a DNS DDoS attack, you must understand the components of the attack and have a plan to mitigate them. While you can never completely eliminate DNS DDoS attacks, you can take measures to survive them and keep critical applications running. Below are some points that temper the impact of a DNS DDoS attack on your IT infrastructure:

- Over-provision DNS Servers
- Build-in High Availability
- Set Response Rate limit by Source IP Address
- Set Response Rate Limit by Destination IP Address
- Use Cloud-based Anycast Secondary Servers

Don't be an Accomplice
The flip side of a DNS DDoS attack is the accomplice, whose DNS infrastructure unwittingly amplifies the attack: spoofed queries with the victim's source address draw large responses from your servers toward the victim. Being an accomplice in a DNS DDoS attack, while not as devastating as being the target, still degrades your DNS service, consumes your network bandwidth, and leaves the door open to possible litigation over weak IT controls. Simple best-practice configuration reduces that exposure:

- Close your 'open' DNS recursive server (allow recursion only from your own networks)
- Rate limit responses from authoritative name servers
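The two rate-limiting items in the victim list (limiting responses by source and by destination address) and the last item in the accomplice list (rate limiting responses from authoritative servers) are the same mechanism, Response Rate Limiting (RRL), seen from two sides. The simulation below is an added example and is not code from the original post; it models RRL with a simplified fixed one-second window rather than the exact credit scheme of BIND or Knot, and the message sizes, the `slip` setting and the sample traffic (a spoofed ANY flood aimed at 203.0.113.10, mixed with a legitimate resolver at 198.51.100.7) are assumptions constructed for illustration. It shows why the budget is keyed on the destination network block plus the question: the victim's flood is throttled to a few full answers per second, every other over-limit reply becomes a tiny TC=1 response (a real resolver retries over TCP, where the address cannot be spoofed; a spoofed victim just ignores it), and the unrelated legitimate client is untouched.

```python
"""Response Rate Limiting (RRL) simulated in Python.

Added example, not code from the original post. Sizes, settings and the
sample traffic are assumptions chosen for illustration.
"""
from collections import defaultdict
import ipaddress

# Assumed wire sizes (bytes): a small query, a large ANY answer, and a
# truncated (TC=1) reply that carries no answer data.
QUERY_BYTES = 60
FULL_RESPONSE_BYTES = 3000
TRUNCATED_RESPONSE_BYTES = 60


class ResponseRateLimiter:
    """Fixed-window limit on identical responses to one destination block.

    Keyed on (destination /prefix, qname, qtype), so a flood of spoofed
    queries that all land on one victim block shares a single budget while
    other clients asking other questions are unaffected. This is a
    simplified model (an assumption here), not BIND's credit/debit code.
    """

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip            # every slip-th over-limit reply is TC=1 instead of dropped
        self.prefix_len = prefix_len
        self._window = {}           # key -> (window_start_seconds, responses_sent)
        self._over_limit = defaultdict(int)

    def _key(self, dst_ip, qname, qtype):
        net = ipaddress.ip_network(f"{dst_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, dst_ip, qname, qtype, now):
        """Return 'send', 'truncate' or 'drop' for a response due at `now` (seconds)."""
        key = self._key(dst_ip, qname, qtype)
        start, sent = self._window.get(key, (now, 0))
        if now - start >= 1.0:      # open a fresh one-second window
            start, sent = now, 0
        if sent < self.rps:
            self._window[key] = (start, sent + 1)
            return "send"
        self._window[key] = (start, sent)
        self._over_limit[key] += 1
        # A spoofed victim ignores a TC=1 reply; a genuine resolver retries
        # over TCP, where the source address cannot be forged.
        if self.slip and self._over_limit[key] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(limiter, queries):
    """Run (time, dst_ip, qname, qtype) tuples through the limiter.

    Returns per-destination verdict counts and bytes_out / bytes_in, i.e.
    the amplification the server still offers to whoever the replies hit.
    A limiter of None models a server with no RRL at all.
    """
    counts = defaultdict(lambda: {"send": 0, "truncate": 0, "drop": 0})
    bytes_in = bytes_out = 0
    for now, dst, qname, qtype in queries:
        verdict = limiter.decide(dst, qname, qtype, now) if limiter else "send"
        counts[dst][verdict] += 1
        bytes_in += QUERY_BYTES
        if verdict == "send":
            bytes_out += FULL_RESPONSE_BYTES
        elif verdict == "truncate":
            bytes_out += TRUNCATED_RESPONSE_BYTES
    return {"counts": dict(counts), "amplification": bytes_out / bytes_in}


def build_traffic(flood_qps=1000, legit_qps=3, seconds=1):
    """Constructed sample traffic (not captured data): a spoofed ANY flood
    whose replies go to victim 203.0.113.10, mixed with a legitimate
    resolver at 198.51.100.7 asking a different question."""
    traffic = []
    for i in range(flood_qps * seconds):
        traffic.append((i / flood_qps, "203.0.113.10", "example.com", "ANY"))
    for i in range(legit_qps * seconds):
        traffic.append((i / legit_qps, "198.51.100.7", "www.example.com", "A"))
    return sorted(traffic)


if __name__ == "__main__":
    traffic = build_traffic()
    print("no RRL  :", simulate(None, traffic))
    print("with RRL:", simulate(ResponseRateLimiter(responses_per_second=5, slip=2), traffic))
```

With the assumed sizes an unprotected server turns 60-byte queries into 3000-byte answers, a 50x amplifier pointed at the victim; with RRL the same flood yields five full answers, a stream of 60-byte TC=1 replies and nothing else, so the server now returns fewer bytes than it receives. The `slip` value is the trade-off knob: `slip 1` truncates every over-limit reply (friendliest to real clients, still a 1:1 reflector), a larger value drops more and truncates less.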