EDITOR’S QUESTION
RICHARD MEEUS, SECURITY, TECHNOLOGY AND STRATEGY DIRECTOR, AKAMAI

The Domain Name Service (DNS) has been around for so long that it is almost taken for granted. However, without it, much, if not all, of the world’s Internet experience would be dead in the water.

Its ubiquitousness means that it can be easily leveraged for malicious intent if not checked and protected. The infamous DDoS attack against a major DNS provider in 2016 that forced many organisations completely or partially offline – e.g. Netflix, CNN, BBC, Visa – highlighted how vulnerable and integral, in equal measure, DNS is to how the world operates online.

Not only is DNS frequently the target, it is also the delivery vector for many types of attacks. As DNS uses UDP (connectionless) it is an easy and effective way to bounce and amplify attack traffic off many Internet-based DNS servers against, for example, your web server. This involves swamping your site with unwanted traffic that needs to be handled by your Internet connections, routers and firewalls, which are ultimately overwhelmed, forcing you offline – not just your websites, but any other associated Internet traffic, from emails to VPNs.

But DNS is not just restricted to being utilised for large, headline-grabbing DDoS attacks. It is also leveraged for data exfiltration, being used as a carrier to piggyback data from within compromised networks to Command and Control servers located on the other side of the planet. As DNS is often unchecked, especially leaving an organisation, this is a simple but effective way to syphon off critical data without being detected.

Lastly there is the integrity of the DNS itself. Consumers blindly query these servers for the IP address for their favourite sites and assume that the answer is going to be correct.
www.intelligentdatacentres.com
Man-in-the-middle attacks – where the DNS request is intercepted between the client and the DNS server, false IP addresses are supplied and traffic is routed to rogue and malicious sites – are an example of an attack where the DNS’ integrity can be compromised.

Features such as DNSSEC allow the user to receive a digitally signed record from the DNS server, assuring them that the data is valid.

DNS is key to the interaction with the Internet and unless your records are resilient, redundant and secured there will always be a risk of compromise. In addition, just as many organisations check traffic entering their network, they should equally apply the same level of integrity to DNS queries leaving their network.
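
The recommendation to check DNS queries leaving the network can be sketched as a simple heuristic over outbound query logs: flag base domains that receive many distinct, long, high-entropy subdomains. This is an added example, not part of the original article; the thresholds, the last-two-labels domain split and every name in the sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def split_qname(qname):
    """Naive split into (subdomain, base domain): base = last two labels.
    Assumption: a real deployment would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def flag_exfil_candidates(queries, min_unique=5, min_len=24, min_entropy=3.0):
    """Return {base_domain: stats} for domains whose outbound queries carry
    many distinct, long, high-entropy subdomains (thresholds are assumed)."""
    subs = defaultdict(set)
    for _client, qname in queries:
        sub, base = split_qname(qname)
        if sub:  # a bare domain carries nothing in its subdomain part
            subs[base].add(sub)
    flagged = {}
    for base, names in subs.items():
        mean_len = sum(map(len, names)) / len(names)
        mean_ent = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        if len(names) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[base] = {"unique": len(names), "mean_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged

# Constructed sample of outbound query logs as (client_ip, qname).
# The hex labels are stand-ins for encoded data; all names are hypothetical.
SAMPLE = (
    [("10.0.0.5", n) for n in ("www.example.com", "mail.example.com",
                               "api.example.com", "www.example.com")]
    # Many unique but short hostnames: normal internal naming, not flagged.
    + [("10.0.0.7", f"host{i}.corp.example") for i in range(6)]
    + [("10.0.0.9", hashlib.sha256(b"constructed-%d" % i).hexdigest()[:40]
        + ".t.badcdn.example") for i in range(8)]
)

if __name__ == "__main__":
    for domain, stats in flag_exfil_candidates(SAMPLE).items():
        print(domain, stats)
```

Requiring all three signals together keeps ordinary patterns, such as numbered internal hostnames, from being flagged; the thresholds need tuning against a baseline of the organisation's own resolver logs.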
Issue 09