Defending DNS Against DDoS Attacks to Protect Reputation, Revenue and Customers

Recent research shows a record-breaking number of DDoS attacks took place in the first half of 2021.  Estimated at 5.4 million, this represents a rise of 11 percent year-on-year. This increased frequency is coupled with ever-evolving attack strategies designed to find exploitable loopholes that allow attackers in. 

DDoS attacks are not new, but this doesn’t make them any less of a threat. In fact, for many organizations, along with the detrimental impact on their reputation, the financial costs in terms of overages, a drop in production and missed revenue due to downtime can reach into the hundreds of thousands depending on the length of the attack.

The pandemic has heightened our reliance on digital services to do everything from work to shopping to entertainment and has presented rich pickings to attackers. Once attackers were motivated by creating maximum disruption and potentially damaging the companies they targeted, they increasingly launch attacks in the expectation they would be paid to desist.

In general, however, DDoS attacks have flourished due to the plethora of new devices, the expansion of networks that can be targeted and the ease with which bad actors can access attacks through the dark web. 

The Inextricable Link Between DDoS and DNS

Many DDoS attacks attempt to overwhelm a DNS server with queries to render it so inundated that it cannot respond to legitimate requests.  Attacks can target different layers of application architecture, one of which is DNS. Still, they share the same strategy and, if successful, the sheer volume of traffic will render the server and all the websites and applications connected to it inaccessible or inoperable. Typically, “botnets” or large groups of compromised devices ranging from home routers to ‘smart fridges’ are used to flood the targeted server remotely.

The DNS is the main point of control when it comes to orchestrating cloud services and application traffic. Organizations rely on it to provide high-performance digital services to users in the right location at the right time. It’s no coincidence that over the past eighteen months, many of the high-profile companies hit by DDoS attacks have been those we were most reliant on during the pandemic. In April, Microsoft said that its Azure DNS service was overwhelmed by an attack that caused a global outage making vital online services, such as Office, Teams, Skype and Xbox Live, impossible to access. Two months later, Amazon reported that it had fended off the most significant attack in history.

Using Resiliency, Anycast and Filtering to Prevent DDoS Attacks

Any organization hosting a website and providing a service via the internet is susceptible to attack. The goal isn’t to stop the attack but to mitigate the impact when it happens.

Companies can build resiliency by ensuring always-on, redundant DNS is in place. This allows a second DNS network using separate infrastructure to be deployed in an attack that compromises the primary DNS. Overprovisioning or using Dedicated DNS will also help to absorb traffic spikes.

Another solution is to leverage anycast DNS protocols. These enable DNS requests to be diverted to an available server to guard against the impact of an attack on resources or due to cloud resource overload or CDN outages which many providers have experienced over the last year. In addition, companies can make use of real-time data about network conditions to dynamically load balance between resources in the event of traffic spikes due to attacks. 

Another consideration is to use authentication and access management tools, such as two-factor authentication and single sign-on. Companies that deploy scripts or APIs to update DNS must use strong authentication keys and restrict key usage to valid sources only (i.e., IP whitelisting for DNS registrars, DNS control panels and APIs). Analytics enable companies to audit any changes to sensitive DNS records and tie audit logging of their DNS vendor into their SIEM or other monitoring systems.

Given the costs that companies so often face because of DDoS attacks, planning ahead is wise. DNS providers can help by offering overage protection to help with unexpected cost increases due to attacks and delivering peace of mind ensuring you have a backup plan.

Building DNS Defense Against the Rising Tide of Risk

Certainly, DDoS attacks will continue to rise. They are cheaper and easier for bad actors to carry out, while simultaneously, our increasing dependence on digital services makes their potential impact even more catastrophic. 

DNS should be pushed up the security agenda, encouraging the C-suite to acknowledge the threat and reconsider the options available to shore up the DNS. No organization can afford the risks of poor performance or outages, so the availability and stability of DNS deployments must be safeguarded. There’s no room for compromise, given the threat to revenue and reputation.

What’s Hot on Infosecurity Magazine?