Looking to DNS to protect against DDoS attacks

By Malcolm Murphy | 31 May 2016

Almost half of firms operating in the sector (46%) ranked cyber security as the top systemic risk to the economy, with more than 70% of banking CEOs identifying poor cyber security as a threat to growth – making cyber security as much a boardroom issue as it is a technical issue. And it’s an issue that becomes especially pressing when banks face having their ratings cut should they fail to protect themselves from attack.

New ways of working, such as virtualisation and the cloud, require firms to put new systems in place. In many cases, however, as banks concentrate on improving their customer service, there may be some reluctance to spend money on the necessary IT upgrades.

As a result, legacy issues resulting from Frankenstein systems, pieced together over time and used beyond their depreciation point, can leave financial services companies having to play catch-up without the necessary protection measures in place. Indeed, according to EY, more than a third of financial organisations (36%) are unable to detect a sophisticated cyber-attack.

Soft target

At the heart of every organisation’s IT network lies the Domain Name System, or DNS. The address book of the Internet, DNS translates domain names, or website addresses, into numerical machine-readable Internet Protocol (IP) addresses. Since its invention more than 30 years ago, DNS has been continually evolving to become a core component of today’s Internet.

Unfortunately, this has made DNS one of the most attractive targets for hackers and cyber-criminals.

Every corporate network examined for a security report was found to have been compromised in some way. Despite this, more than a quarter (26%) of enterprise IT security staff recently admitted to taking no formal responsibility for the protection of their organisation’s DNS.

Such a lack of attention could be one of the main reasons for DNS being perceived by cyber-criminals as a soft target, and is arguably a key factor in the growing prevalence of DNS-based attacks.

One example is distributed denial of service (DDoS) attacks, which are on the rise: DDoS attacks against the finance industry represented 15% of all DDoS attacks reported in Q4 2015. These attacks cost banks an average of $100,000 an hour, with 30% also suffering virus installation or theft as a result.

The simplicity with which DDoS attacks can be generated using DNS infrastructure is what makes them so concerning. Hackers take control of hundreds or even thousands of systems and, spoofing the IP address of their target as the source, send queries to DNS servers across the Internet, which in turn send their responses back to the target.

This then overwhelms an organisation's servers and significantly diminishes their performance, often to the point of failure.

Indeed, one recent DDoS attack on a large computer storage company’s internal DNS resulted in its full outage and its employees being sent home for four hours.

In addition, DDoS attacks can often be used as a “smoke screen” to divert a security team’s attention, leaving firms vulnerable to more sophisticated attacks.

Securing the system

Whilst there is no easy solution to securing an organisation's DNS, there are a few steps that an IT team can take to help mitigate and respond to DDoS attacks.

The first is to learn to recognise when a DDoS attack is actually taking place. By using the statistics support built into BIND, the most widely used DNS software, an organisation's network administrators can analyse data on DNS queries for indicators of an attack. Whilst it may not always be clear what an attack looks like, anomalies against the normal query baseline will be more easily identifiable.

The next step is to scrutinise all aspects of a firm’s network infrastructure that face the Internet, such as its switches, routers and firewalls, for any potential points of failure that might leave the network vulnerable to attack.

Then, by geographically distributing all of its external servers, an organisation improves its chances of avoiding single points of failure, and thus vulnerability. And finally, it is worth considering over-provisioning existing IT infrastructure using virtualised servers in the cloud, a process that is both inexpensive and easy to trial prior to an incident, and which can absorb the huge number of responses resulting from a DDoS attack.
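The first of the steps above, spotting the attack in BIND's own query data, is illustrated here with an added example that is not part of the original article or of Infoblox's or ISC's software. It parses the BIND 9 query-log line format (assumed from the standard querylog channel output) over a constructed sample and flags the signature of the reflection flood described earlier: a large volume of queries for amplifying record types that all claim to come from one source, the spoofed address of the victim.

```python
import re
from collections import defaultdict

# Query-log line shape assumed for BIND 9; newer versions add an optional
# "@0x..." client pointer, which the regex tolerates.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<src>[^#\s]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: \S+ IN (?P<qtype>\S+)"
)

# Record types whose answers are large relative to the query, and so are
# the usual choice for reflection/amplification floods.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed sample: two ordinary queries, then 60 ANY queries that all
# claim to come from 203.0.113.5 (documentation address standing in for
# the spoofed victim).
BENIGN = [
    "31-May-2016 10:00:00.101 client 192.0.2.10#41234 (intranet.example.net): query: intranet.example.net IN A +E (198.51.100.1)",
    "31-May-2016 10:00:00.205 client 192.0.2.11#41235 (mail.example.net): query: mail.example.net IN MX + (198.51.100.1)",
]
FLOOD = [
    f"31-May-2016 10:00:01.{i:03d} client 203.0.113.5#53 (example.com): query: example.com IN ANY +E (198.51.100.1)"
    for i in range(60)
]
SAMPLE_LOG = "\n".join(BENIGN + FLOOD)


def parse_query_log(text):
    """Return one dict per parseable query-log line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_reflection_suspects(records, min_queries=50, amp_fraction=0.5):
    """Flag source addresses whose traffic looks like a reflection flood:
    at least min_queries queries, mostly for amplifying record types."""
    totals, amplifying = defaultdict(int), defaultdict(int)
    for r in records:
        totals[r["src"]] += 1
        if r["qtype"] in AMPLIFYING_QTYPES:
            amplifying[r["src"]] += 1
    suspects = []
    for src, n in totals.items():
        if n >= min_queries and amplifying[src] / n >= amp_fraction:
            suspects.append({"src": src, "queries": n, "amplifying": amplifying[src]})
    return sorted(suspects, key=lambda s: s["queries"], reverse=True)
```

Tune `min_queries` to the server's normal per-client volume; a flagged source is the address being reflected onto, so the response is rate-limiting responses to it, not blocking it as an attacker.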

Financial institutions are facing a daily onslaught from hackers looking to find weak spots in their defences. DNS is a critical piece of a firm’s IT network that is far too valuable to be left unprotected. By ensuring the right security solution is in place to defend their DNS against outside threats, businesses in the financial services industry will take an important step in protecting their sensitive data, and thus their clients, and – ultimately – their own reputation.

By Dr Malcolm Murphy, Systems Engineering Manager, Infoblox.
