|
Yesterday CommunityDNS noticed a sudden, heavy spike in traffic through its Anycast node in Hong Kong. While comfortably processing queries at 863,000 queries per second for close to 2 hours the occurrence was undeniable. While we can’t say the increase in traffic was specifically due to DDoS, its sudden increase is suspicious and reminds us that DDoS is still a popular tool used by the malicious community.
DoS and DDoS attacks are happening throughout each day. Just as UltraDNS was twice regionally impacted in 2009 by DDoS traffic, Register.com with close to a 3 day outage in 2009, and DNS Made Easy, the recent target creating close to a 1.5 hour outage for its users earlier this month, we (enterprise, ISPs, hosting firms, registrars and DNS providers) are not all immune to such malicious antics. While all queries appeared legitimate in yesterday’s spike, there is no reason to believe CommunityDNS was the intended target for the sudden increase in traffic. However, it still raises the issue of the impact such malicious activity can have on the general user base as well as online economy.
Last year and earlier this year CommunityDNS worked on a study developed for the EU Commission’s office of Directorate-General for Justice, Freedom and Security, regarding the resilience of the DNS for the EU and its member states. The study pointed out the affects such malicious activity has on the confidence of legitimate Internet users. Such affects erode confidence, thus the EU’s online economy not able to reach its full potential. The same concept would apply to any online economy. The study also noted how “suspicious” traffic appeared more elevated in some European cities over others. A recent Forrester survey indicated organizations experienced more than 350,000 DDoS attacks in 2009. Another study, from Arbor Networks, yielded a statistic of approximately 3% of the Internet’s traffic is tied to DDoS, or roughly 1,300 attacks each day.
So as the Internet marches on with the needed ramp up of DNSSEC, the rollout of IDNs and eventually the addition of new gTLDs, the malicious community continues their global activity. Such activity should make us all question, “Are we doing the best we can to ensure maximum resilience for Internet users and online economies?” The best way to ensure maximum resilience for users, businesses and the general online economy is through platform diversity. Where one has an open source-based DNS platform, a non-open source-based platform should be used. A mix of hardware platforms, upon which the open source and non-open source DNS software operates, is also necessary as the hacker community has more tricks up their sleeve than DDoS attacks. Adding hardware and software diversity into an infrastructure with strong security, ample capacity and scalability is the strongest method for ensuring maximum resilience to the DNS.
Sponsored byVerisign
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byVerisign
You mention and quote from
This is not the first time I hear people refer to the study, however I seem to be unable locate the study itself. Can you tell me where to get this?
Hi Jaap, With regards to protocol we can point you to the study once the Commission has made the study available publicly.
Although I certainly wouldn’t argue against platform diversity (it is an important part of any large DBS infrastructure) I don’t really see where the relatiionship is between that and DDOS attacks, surely a network heavy DDOS is going to affect your infrastructure no matter how diverse it is?
Hi Brett,
Having a background in designing and deploying large-scale networks it is easy for me to view the importance of each component part. It sounds that with your appreciation for platform diversity, so do you.
When looking at a DNS infrastructure, network and hardware are certainly essential elements. Based on that alone it is understandable where a well organized and concentrated DDoS attack can impact network infrastructure and potentially hardware platforms. However, when taking this a step further, the efficiency of code which makes up a respective DNS platform also has a bearing on how much of an impact a DDoS attack may be. The ultimate goal of DNS is to quickly process the queries of users of the Internet, thus helping them reach the sites they intend to reach. But as mentioned in my post DDoS of some form occurs daily; some stronger, or more concentrated than others. During such concentrated attacks, whether aimed directly at a DNS provider or not, our goal is to continue processing queries while not succumbing to the shear volume of traffic associated from such attacks. The faster and more efficient the code is in handling queries, the greater capacity the overall network has in providing resilience to the DNS and not succumbing to such attacks. In the example mentioned in the post, while the network infrastructure was able to keep up with the traffic spike the code of the DNS platform was able to handle the traffic spike faster than what the infrastructure could deliver; thus no bottle necks while still processing “legitimate” queries while also not succumbing to DDoS associated traffic.
The malicious community is well organized, well funded and no matter how much we wish they will not be going away anytime soon! So when I look at platform diversity my recommendation is to look at how much diversity you can bring into an environment. Such positives include:
+ DNS that runs on multiple hardware platforms is one positive.
+ Having a DNS infrastructure that utilizes multiple DNS software platforms is another positive.
+ Having a DNS infrastructure that utilizes DNS software developed in both an open source as well as non-open source is another positive.
Even with all of that said, concentrated DDoS attacks can still overwhelm an infrastructure, as we have seen, hence the reason for pointing out the fourth positive of platform diversity towards DNS resilience; that being platform “capacity”.
+ Incorporating DNS software that has demonstrated operational capacity for handling extremely large volumes of traffic.
With that said having a mixture of DNS platforms running on various hardware platforms definitely helps towards mitigating downtime; whether such downtime is due to DDoS attacks or exploiting bugs in DNS code. While diversifying a DNS network with platforms from various providers (especially open source and non-open source-based) mitigate attacks based upon security flaws or bug exploitation, also factoring in code efficiency in the DNS platform mix not only strengthens platform diversity, it provides additional capacity to further mitigate the effects of any downtime which may be caused due to DDoS attacks.