Attacks against the Domain Name System (DNS) are numerous and varied, so organizations have to rely on layers of protective measures, such as traffic monitoring, threat intelligence, and advanced network firewalls, to act in concert. With NXDOMAIN attacks on the rise, organizations need to strengthen their DNS defenses.
With the release of Shield NS53, Akamai joins a growing list of security vendors with DNS tools capable of defending against NXDOMAIN attacks. The new service extends Akamai’s Edge DNS technologies in the cloud to on-premises deployments.
In an NXDOMAIN attack — also known as a DNS Water Torture DDoS attack — adversaries overwhelm the DNS server with a large volume of requests for nonexistent (hence the NX prefix) or invalid domains and subdomains. The DNS proxy server uses up most, if not all, of its resources querying the DNS authoritative server, to the point where the server no longer has the capacity to handle any requests, legitimate or bogus. More junk queries hitting the server means more resources — server CPU, network bandwidth, and memory — needed to handle them, and legitimate requests take longer to process. When people can’t reach the website because of NXDOMAIN errors, that translates to potentially lost customers, lost revenue, and reputational damage.
NXDOMAIN has been a common attack vector for many years, and is becoming a bigger problem, says Jim Gilbert, Akamai’s director of product management. Akamai observed 40% of overall DNS queries for its top 50 financial services customers contained NXDOMAIN records last year.
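The mechanism above (a flood of queries for random, nonexistent subdomains that the resolver must forward upstream) and the NXDOMAIN-ratio figure Akamai cites both point to the same defensive signal: the share of a resolver's answers that come back NXDOMAIN, broken down by client and by zone. The script below is an added example, not code from the article or from Akamai; it uses a constructed, simplified log format of `timestamp client qname rcode` (real resolvers such as BIND or Unbound log differently, so the `parse_line` function is an assumption you would adapt) and flags clients whose NXDOMAIN ratio and count of distinct nonexistent labels look like a water-torture pattern rather than ordinary typos.

```python
"""Flag NXDOMAIN (DNS water-torture) flood patterns in resolver query logs.

Assumed log line format (constructed for this example, NOT a real resolver's
native format): "<unix_ts> <client_ip> <qname> <rcode>".
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one client hammering random labels under example.com,
# two ordinary clients, one of which makes a single typo.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000000 10.0.0.5 mail.example.com NOERROR
1700000001 203.0.113.7 q8f2kz.example.com NXDOMAIN
1700000001 203.0.113.7 p0d9ma.example.com NXDOMAIN
1700000001 203.0.113.7 zz41xq.example.com NXDOMAIN
1700000002 203.0.113.7 k3l8vb.example.com NXDOMAIN
1700000002 203.0.113.7 m2n7ty.example.com NXDOMAIN
1700000002 203.0.113.7 www.example.com NOERROR
1700000003 10.0.0.9 shop.example.com NOERROR
1700000003 10.0.0.9 typo.exmaple.com NXDOMAIN
"""


def parse_line(line):
    """Split one log line into (timestamp, client, normalized qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.lower().rstrip("."), rcode.upper()


def zone_of(qname, depth=2):
    """Return the last `depth` labels of a name, e.g. 'example.com'."""
    return ".".join(qname.split(".")[-depth:])


@dataclass
class ClientStats:
    total: int = 0
    nx: int = 0
    nx_labels: set = field(default_factory=set)  # distinct leftmost labels that got NXDOMAIN


def analyze(log_text, min_queries=5, nx_ratio=0.6, min_unique_labels=3):
    """Return (flagged_clients, nxdomain_count_per_zone).

    A client is flagged when it has sent at least `min_queries` queries, at
    least `nx_ratio` of them answered NXDOMAIN, and the nonexistent names use
    at least `min_unique_labels` distinct labels (a typo repeats one label;
    a water-torture flood burns through many).
    """
    per_client = defaultdict(ClientStats)
    per_zone_nx = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, rcode = parse_line(line)
        stats = per_client[client]
        stats.total += 1
        if rcode == "NXDOMAIN":
            stats.nx += 1
            stats.nx_labels.add(qname.split(".")[0])
            per_zone_nx[zone_of(qname)] += 1

    flagged = {}
    for client, stats in per_client.items():
        ratio = stats.nx / stats.total
        if (stats.total >= min_queries and ratio >= nx_ratio
                and len(stats.nx_labels) >= min_unique_labels):
            flagged[client] = {"total": stats.total, "nx_ratio": ratio,
                               "unique_nx_labels": len(stats.nx_labels)}
    return flagged, dict(per_zone_nx)


def nxdomain_ratio(log_text):
    """Overall share of logged queries answered NXDOMAIN (0.0 if no queries)."""
    total = nx = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        if parse_line(line)[3] == "NXDOMAIN":
            nx += 1
    return nx / total if total else 0.0


if __name__ == "__main__":
    flagged, zones = analyze(SAMPLE_LOG)
    print(f"overall NXDOMAIN ratio: {nxdomain_ratio(SAMPLE_LOG):.2f}")
    print("NXDOMAIN per zone:", zones)
    for client, info in flagged.items():
        print(f"suspect {client}: {info}")
```

The per-zone counter tells you which of your zones is being targeted (the authoritative side that ends up doing the work), while the per-client view gives you something actionable at the resolver, such as rate limiting or dropping that source. The thresholds are starting points; tune them against your own baseline NXDOMAIN ratio before acting on a flag.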
Beefing Up DNS Protection
While it is theoretically possible to defend against DNS attacks by adding more capacity — more resources means it takes larger and longer attacks to knock down the servers — it is not a financially viable or scalable technical approach for most organizations. But they can beef up their DNS protection in other ways.
Enterprise defenders need to make sure they understand their DNS environment. This means documenting where DNS resolvers are currently deployed, how on-premises and cloud resources interact with them, and how they make use of advanced services, such as Anycast, and DNS security protocols.
“There could be good compliance reasons that enterprises want to keep their original DNS assets on premises,” says Akamai’s Gilbert, noting that Shield NS53 allows enterprises to add protective controls while keeping existing DNS infrastructure intact.
Protecting DNS should also be part of an overall distributed denial-of-service (DDoS) prevention strategy, since many DDoS attacks begin with DNS exploits. Nearly two-thirds of DDoS attacks last year used some form of DNS exploit, according to Akamai.
Before purchasing anything, security managers need to understand both the scope and the limitations of the solution they are evaluating. For example, while Palo Alto’s DNS security services cover a wide collection of DNS exploits besides NXDOMAIN, customers get that broad protection only if they have the vendor’s next-generation firewall and subscribe to its threat prevention service.
DNS defenses should also tie into a robust threat intelligence service so that defenders can identify and respond quickly to potential attacks and reduce false positives. Vendors such as Akamai, Amazon Web Services, Netscout, Palo Alto, and Infoblox operate large telemetry-gathering networks that help their DNS and DDoS protection tools spot an attack.
The Cybersecurity and Infrastructure Security Agency has put together a series of recommended actions that includes adding multifactor authentication to the accounts of DNS administrators, as well as monitoring certificate logs and investigating any discrepancies.
Source: www.darkreading.com