Attacks against the Domain Name System (DNS) are numerous and varied, so organizations must rely on layers of protective measures, such as traffic monitoring, threat intelligence, and advanced network firewalls, acting in concert. With NXDOMAIN attacks on the rise, organizations need to strengthen their DNS defenses.
With the launch of Shield NS53, Akamai joins a growing list of security vendors with DNS tools capable of defending against NXDOMAIN attacks. The new service extends Akamai’s Edge DNS technologies in the cloud to on-premises deployments.
In an NXDOMAIN attack — also known as a DNS Water Torture DDoS attack — adversaries overwhelm the DNS server with a large volume of requests for nonexistent (hence the NX prefix) or invalid domains and subdomains. The DNS proxy server uses up most, if not all, of its resources querying the DNS authoritative server, to the point where the server no longer has the capacity to handle any requests, legitimate or bogus. More junk queries hitting the server means more resources — server CPU, network bandwidth, and memory — are needed to handle them, and legitimate requests take longer to process. When people can’t reach the website because of NXDOMAIN errors, that translates to potentially lost customers, lost revenue, and reputational damage.
NXDOMAIN has been a common attack vector for many years, and is becoming a bigger problem, says Jim Gilbert, Akamai’s director of product management. Akamai observed that 40% of overall DNS queries for its top 50 financial services customers contained NXDOMAIN records last year.
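The NXDOMAIN share Gilbert cites is also a practical detection signal on a resolver's own logs. The following is an added example, not Akamai's or any vendor's code: it assumes a simple constructed log format of "timestamp client qname rcode" and flags zones where most answers are NXDOMAIN for names that are never repeated, the signature of the random-subdomain flood described above.

```python
from collections import defaultdict

# Constructed sample resolver log, "<ts> <client> <qname> <rcode>" (assumed format):
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com. NOERROR
1700000001 10.0.0.5 mail.example.com. NOERROR
1700000001 203.0.113.7 k3j9x.example.com. NXDOMAIN
1700000002 203.0.113.7 qz81p.example.com. NXDOMAIN
1700000002 203.0.113.8 ab4rt.example.com. NXDOMAIN
1700000003 203.0.113.9 zz0lm.example.com. NXDOMAIN
1700000003 10.0.0.6 www.example.com. NOERROR
1700000004 10.0.0.6 tyop.example.com. NXDOMAIN
1700000004 10.0.0.7 www.other.test. NOERROR
"""

def parse_log(text):
    """Yield (ts, client, qname, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qname, rcode = parts
            yield int(ts), client, qname.lower().rstrip("."), rcode

def zone_of(qname, depth=2):
    """Assumption: the last `depth` labels identify the zone under attack."""
    return ".".join(qname.split(".")[-depth:])

def nxdomain_stats(records):
    """Per zone: query total, NXDOMAIN count, distinct NXDOMAIN names, NXDOMAIN sources."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "clients": set()})
    for _ts, client, qname, rcode in records:
        z = stats[zone_of(qname)]
        z["total"] += 1
        if rcode == "NXDOMAIN":
            z["nx"] += 1
            z["names"].add(qname)      # randomized labels never repeat
            z["clients"].add(client)
    return stats

def flag_zones(stats, min_total=5, max_ratio=0.4, min_distinct=4):
    """Flag zones whose NXDOMAIN share exceeds max_ratio with many one-off names."""
    flagged = {}
    for zone, z in stats.items():
        ratio = z["nx"] / z["total"]
        if z["total"] >= min_total and ratio > max_ratio and len(z["names"]) >= min_distinct:
            flagged[zone] = {"ratio": ratio, "distinct_nx": len(z["names"]), "clients": len(z["clients"])}
    return flagged
```

The thresholds are assumptions to tune against a baseline; a zone that trips them is a candidate for rate limiting or for handing off to an upstream scrubbing service rather than an automatic block.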
Beefing Up DNS Security
While it’s theoretically possible to defend against DNS attacks by adding more capacity — more resources means it takes larger and longer attacks to knock down the servers — it’s not a financially viable or scalable technical approach for most organizations. But they can beef up their DNS security in other ways.
Enterprise defenders need to make sure they understand their DNS environment. This means documenting where DNS resolvers are currently deployed, how on-premises and cloud resources interact with them, and how they make use of advanced services, such as Anycast, and DNS security protocols.
“There could be good compliance reasons that enterprises want to keep their original DNS assets on premises,” says Akamai’s Gilbert, noting that Shield NS53 allows enterprises to add protective controls while keeping existing DNS infrastructure intact.
Protecting DNS should also be part of an overall distributed denial-of-service (DDoS) prevention strategy, since many DDoS attacks begin with DNS exploits. Nearly two-thirds of DDoS attacks last year used some form of DNS exploit, according to Akamai.
Before buying anything, security managers need to understand both the scope and the limitations of the potential solution they’re evaluating. For example, while Palo Alto’s DNS security services cover a wide range of DNS exploits besides NXDOMAIN, customers get that broad protection only if they have the vendor’s next-generation firewall and subscribe to its threat prevention service.
DNS defenses should also tie into a robust threat intelligence service so that defenders can identify and respond quickly to potential attacks and reduce false positives. Vendors such as Akamai, Amazon Web Services, Netscout, Palo Alto, and Infoblox operate large telemetry-gathering networks that help their DNS and DDoS protection tools spot an attack.
The Cybersecurity and Infrastructure Security Agency has put together a series of recommended actions that includes adding multifactor authentication to the accounts of DNS administrators, as well as monitoring certificate logs and investigating any discrepancies.