Companies Under Threat Of DNS Attacks Must Measure ‘Risk Appetite’
By Mark Stone
The crippling cyberattacks against Dyn last year caused many companies to recognize the vulnerability of domain name systems, or DNS.
Massive corporations like Twitter, Netflix and Amazon were temporarily inaccessible because they depended on Dyn as a DNS service to connect their customers to their websites.
In October, Dyn suffered a distributed denial-of-service (DDoS) attack, which involves a network of infected computers working in concert to bombard a server with traffic until it collapses under the strain.
The Mirai botnet used in the Dyn attack was noteworthy for its conscription of internet-connected devices, such as digital cameras and DVD players, revealing what can happen when a flaw in the Internet of Things is exploited.
Like other forms of DDoS attacks, DNS attacks can hurt you, and they can be costly. For each minute of downtime, thousands of dollars in revenue may be lost.
A recent survey from Neustar, a global information services provider, found that in 63 percent of DDoS attacks, companies lost at least $100,000 per hour during peak use periods.
Water Torture Attack
There are many variations of DNS attacks, and one of them — DNS Water Torture — stands out for its stealth.
Martin McKeay, senior security advocate at Akamai Technologies, explains that this attack can overload a DNS server with a wave of random string requests created by systems in a botnet.
It works by tricking DNS servers used by internet service providers around the world into launching attacks against authoritative DNS servers used by enterprises. And when those enterprise DNS servers are flooded with requests, they stop responding — and your customers are unable to reach your website.
“Traditional defenses aren’t going to protect against it,” McKeay said. “If your DNS server has too much of a load, then real requests can’t come in, resources are tied up and your company goes offline.”
Most people are not familiar with this type of attack, he said, but they need to prepare for it.
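The random-string query pattern described above is visible in an authoritative server's query log, and the sketch below shows one way to flag it. This is an added example, not code from the article or from Akamai. It assumes a hypothetical four-field log format (epoch, resolver IP, query name, response code), treats the last two labels of a name as the zone, uses illustrative thresholds, and runs on a constructed sample log.

```python
import hashlib
from collections import defaultdict

def zone_of(qname):
    # Assumption: the zone is the last two labels (no public-suffix handling).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def detect_water_torture(lines, window=60, min_queries=50,
                         min_unique=0.9, min_nx=0.9):
    """Return {(zone, window_start): stats} for windows that look like a
    random-subdomain flood: many queries, nearly all for distinct names
    under one zone, nearly all answered NXDOMAIN."""
    buckets = defaultdict(lambda: {"n": 0, "nx": 0, "names": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, _resolver, qname, rcode = parts
        b = buckets[(zone_of(qname), int(ts) // window * window)]
        b["n"] += 1
        b["nx"] += rcode == "NXDOMAIN"
        b["names"].add(qname.lower())
    alerts = {}
    for key, b in buckets.items():
        unique = len(b["names"]) / b["n"]
        nx = b["nx"] / b["n"]
        if b["n"] >= min_queries and unique >= min_unique and nx >= min_nx:
            alerts[key] = {"queries": b["n"], "unique_ratio": unique,
                           "nxdomain_ratio": nx}
    return alerts

def constructed_sample():
    """Constructed log, not real traffic: normal lookups plus a burst of
    never-repeating names under shop.example arriving via two resolvers."""
    base = 1700000040  # aligned to a 60-second window boundary
    log = [f"{base + i % 60} 192.0.2.10 www.corp.example NOERROR"
           for i in range(200)]
    for i in range(300):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:12]
        resolver = "198.51.100.7" if i % 2 else "203.0.113.9"
        log.append(f"{base + i % 60} {resolver} {label}.shop.example NXDOMAIN")
    return log

if __name__ == "__main__":
    for (zone, start), stats in detect_water_torture(constructed_sample()).items():
        print(zone, start, stats)
```

Because the flood reaches the authoritative server through legitimate resolvers, the check keys on the queried names rather than on source addresses.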
DNS Defense Mechanisms
While many companies rely on just one external service provider for DNS, McKeay suggests that one of the best prevention measures is to deploy two or more. The attacks on Dyn demonstrated what can happen when a backup doesn’t exist.
The extent to which you need to protect yourself from a DNS-like attack depends on the nature of your business. If your company depends on its website or internet-enabled service as its lifeblood, extra precautions are likely needed. Just how necessary, however, is a question companies must answer for themselves, according to McKeay.
“Your business must decide what your risk appetite is,” he said. “Can you survive 95 percent of the attacks out there? Or, do you need to protect yourself from everything?”
Downtime suffered due to a Water Torture attack can take an enormous financial toll. For some companies, the cost of 15 minutes of downtime can justify several years of protection.
The Neustar study, which surveyed 849 organizations spanning retail, finance and technology sectors, revealed that $2.2 billion was collectively lost because of DDoS attacks during the past 12 months, averaging $2.5 million for each organization.
For today’s chief security officer or chief information officer, focusing on the core building blocks of security is paramount, regardless of whether defensive measures are meant to prevent the DNS Water Torture attack or other threats.
“Don’t worry about the next big thing or buying a shiny box,” McKeay advised. “Keep up to date, be aware of what’s going on and have the personal drive to stay educated.”
Mark Stone worked in information technology for many years before deciding to make a career out of writing about it. He lives in Canada.