How to keep DNS service unaffected by DDoS attacks

DDoS attacks appear in an endless stream. Being hit by one can mean that an entire enterprise's network services are suspended, especially when the target is the DNS host. Protecting DNS under DDoS attack is therefore a serious problem.

If you run a DNS service on your own server host, take the very real threat of DDoS seriously. If your DNS service is hit by a DDoS attack, the smallest loss you can expect is the loss of email and the suspension of web services. If the DNS host sits inside the enterprise and also serves the network connections of enterprise users, such as web browsing, then a DDoS attack means that the network service of the entire enterprise is suspended. Even if your DNS service exists only for testing or other limited purposes, an attack on it spreads to a wide range of systems.

Another situation that threatens DNS is opening an FTP service to the external network. Such a service should not be exposed to the public from inside the enterprise. Administrators understand that once you do this, hackers and assorted bots will try to obtain FTP accounts and passwords by various means, including brute force. Even if you use a very complicated password, the failed FTP login traffic produced by several brute-force programs running at once is enough to consume your network resources.

In short, a company that builds and manages its own DNS always carries a certain degree of security risk. The currently recognized better solution is hosted DNS service. For companies that are not yet prepared to manage their own DNS, the only advice is to find an ISP or another professional custodian and hand the service over to them.


DDoS attack personal experience

I wrote this article because I experienced a real DDoS attack. The victim at the time was a small office in North America with a DSL router and a static IP address. The office server had DNS open to the outside world. There were two early signs of the attack: the number of emails received was lower than usual, and web browsing was slowing down. After a few days of these symptoms, the office no longer received any email from outside and could not browse the Internet at all. A plain ping to the address of a large Internet website either failed or returned a response time of more than 1000 ms, which in practice means no usable connection.

It was obvious that some network process was flooding the DSL connection. Every computer in the office was shut down and restarted, which did not solve the problem. Restarting the DSL router did not solve it either. However, after restarting the DNS server, the Internet connection returned to normal for a short period. After a few minutes the connection became abnormal again, and no website could be reached quickly. Suspecting that the email system or a web-based process might be at fault, we shut down the Exchange service and the web service on the server, with no effect. Continuing item by item, we found that shutting down the DNS service had a noticeable effect, so we ended up narrowing the issue down to the DNS service.

However, there were no warning events in the DNS service logs, and the server itself had the latest patches, including DNS service patches and DoS overflow patches. The other place to look for clues was the firewall's log. Although the office firewall kept no historical log files, we could view real-time logs for selected network protocols. The real-time firewall log showed two IP addresses on the Internet constantly sending DNS request data to the office server. The servers behind these two IP addresses were located in Europe, in two different countries, but both were sending a large amount of data to this same DNS service address. When a DoS attack has two or more remote sources, it can be classified as a DDoS attack, that is, a distributed DoS attack.

Protect DNS under DDoS attacks

Once you know the attacker's IP address, you can simply set an IP rule in the firewall to block any data from that address from passing through. After we blocked the first IP address, ping times to mainstream websites dropped to about 300 ms. When we blocked the second IP address, ping times returned to a normal level of about 30 ms, and all network functions returned to normal. This office was very fortunate: the DDoS attack it suffered had only two attack sources, both with fixed IP addresses. With dozens or even hundreds of attack sources (or source IP addresses that keep changing), the office would have had a much harder time and a greater impact on day-to-day business.
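The two steps above, finding the sources that dominate inbound DNS traffic in a firewall log and turning them into block rules, as an added example that is not from the original article. The log format, the IP addresses, the DNS server address 203.0.113.10 and the rule syntax are all constructed assumptions; adapt the parser and the rule text to your own firewall.

```python
import re
from collections import Counter

# Assumed line format (constructed): "<date> <time> <proto> <src>:<port> -> <dst>:<port> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)

def dns_query_sources(log_text, dns_ip, port=53):
    """Count inbound DNS queries per source IP; other traffic is ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["dst"] == dns_ip and int(m["dport"]) == port:
            counts[m["src"]] += 1
    return counts

def flood_sources(counts, share=0.25, min_queries=100):
    """Return sources that send more than `share` of all DNS queries and at
    least `min_queries`, busiest first. Tune the threshold: a large public
    resolver can legitimately dominate an authoritative server's traffic."""
    total = sum(counts.values())
    if total == 0:
        return []
    hits = [(ip, n) for ip, n in counts.items()
            if n >= min_queries and n / total > share]
    return [ip for ip, _ in sorted(hits, key=lambda x: -x[1])]

def block_rules(ips):
    """Render one deny rule per source in a generic, vendor-neutral syntax."""
    return [f"deny ip from {ip} to any" for ip in ips]

def build_sample_log():
    """Constructed log: two normal resolvers and two flooding hosts, plus an
    unrelated outbound web connection that the parser must skip."""
    sources = {"192.0.2.44": 3, "192.0.2.77": 5,
               "198.51.100.7": 400, "198.51.100.200": 350}
    lines = [f"2011-05-02 09:00:{i % 60:02d} UDP {ip}:{40000 + i} "
             f"-> 203.0.113.10:53 ALLOW"
             for ip, n in sources.items() for i in range(n)]
    lines.append("2011-05-02 09:00:05 TCP 203.0.113.10:51000 -> 192.0.2.1:80 ALLOW")
    return "\n".join(lines)

if __name__ == "__main__":
    counts = dns_query_sources(build_sample_log(), "203.0.113.10")
    print("\n".join(block_rules(flood_sources(counts))))
```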

As I mentioned earlier, the best way to keep a DNS server out of a DDoS attack is to hand the DNS service to a DNS provider, such as your ISP, a well-known DNS registrar, or another trusted hosting party. This does not fundamentally eliminate the threat of hackers launching DoS attacks against that vendor, but it can at least keep the various network functions of your enterprise from being affected when such an attack happens.

If for some reason you must run a DNS service within the enterprise, then you must develop a response strategy for DNS DoS attacks: for example, setting up multiple DNS servers in different locations, using hardened or dedicated DNS servers or applications, and using separate Internet connection lines. In May 2011, Verisign released a DNS availability report confirming that even the top e-commerce sites carry risks to DNS availability, especially those that build and manage DNS services themselves.
