Recent years have brought a plague of attacks targeting your ability to do business online. Whether in the form of distributed denial of service attack (DDoS), spam, phishing, or Facebook and Twitter scams. Likely the most disturbing issue for e-commerce organizations has been the growing prevalence of DDoS attacks waged to interrupt their business, or worse, to extort money. 2010 has inaugurated a new type of attack, wearing an old disguise—hijacking your managed DNS by compromising your e-mail account.

We have known that e-mail addresses have been vulnerable for years. Those of us in the technical industry especially cringe every time your company rolls out a new Web application using an “I forgot my password” feature. But you accept it anyway because you know your users won’t remember their password.

It hurts when that exploit happens to you.

With cloud based e-mail services, access to your e-mail address can be more easily intercepted than behind a corporate firewall. The ability to then also send a “forgot password” request to that same compromised email address adds pain to misery when you have been attacked.

This is exactly what happened to Twitter and Baidu when their DNS was compromised and switched to point to a group claiming themselves as the “Iranian Cyber Army.”

DNS services are frequently outsourced because most organizations don’t have the expertise to manage their own DNS, nor the capital to invest in the infrastructure required to provide global resiliency and fast resolution at the same time as withstand 40 GB+ size DDoS attacks daily. The key is for you to know who you can trust to protect yourself from being hijacked and guarantee that your DNS stays up 100% of the time.

For our own customers’ piece of mind, Afilias has built a number of protections into our managed DNS service. We think these are the minimum criteria that managed DNS organizations should follow when a Web portal is used to manage your DNS settings.

Restrict access

You should restrict access to your DNS Web portal by IP address. While this might limit usability if a staff member is traveling, it ensures that if your e-mail account is compromised that the attacker cannot log-in from an IP address that is not already specified on your account.

Vary user permissions

You should vary the types of permissions allowed to users in the system. That means that not every account should have read and write access. This lowers the probability that, if attackers are able to compromise your e-mail and get your password for your DNS account, that they will have the ability to actually change something.

Afilias allows you to set user groups, to easily set user restrictions to multiple users at a time.

Also ensuring you have more than one account with access to make changes ensures that someone can correct a problem or suspend a compromised account quickly.

Out of band security alerts

E-mail alerts are great, but not if the e-mail account they are sent to is compromised. We offer a unique feature where you can also require an SMS token for password resets. This sends a unique code to your mobile phone that must be used in conjunction with the password reset link you get in your e-mail.

In this case you have the convenience of resetting your password if you forget it, but a attacker would also have to compromise your mobile phone to be able to get into your managed DNS account.

Lock-outs to stop script attacks

Some attackers just want to brute force script an attack to guess your password. A best practice standard is to deploy lock-outs for failed login and password reset attempts. Afilias sets its threshold fairly low at just 6 attempts.

If you lock yourself out, you always have phone support to reset your password—better safe than sorry!

Written by John L. Kane, Vice President, Corporate Services at Afilias.