DDoS attacks on your DNS provider: Developing a response strategy

Many enterprises have pondered — and experienced — what can happen when a targeted distributed denial-of-service…


* remove unnecessary class from ul
$(“#inlineregform”).find( “ul” ).removeClass(“default-list”);

* Replace “errorMessageInput” class with “sign-up-error-msg” class
function renameErrorMsgClass() {
$(“.errorMessageInput”).each(function() {
if ($(this).hasClass(“hidden”)) {
$(this).removeClass(“errorMessageInput hidden”).addClass(“sign-up-error-msg hidden”);
} else {

* when validation function is called, replace “errorMessageInput” with “sign-up-error-msg”
* before return
function validateThis(v, form) {
var validateReturn = urValidation.validate(v, form);
return validateReturn;

* DoC pop-up window js – included in moScripts.js which is not included in responsive page
$(“#inlineRegistration”).on(“click”,”a.consentWindow”, function(e) {, “Consent”, “width=500,height=600,scrollbars=1”);

 attack is run against their systems. Over the years, there have been many cases of seemingly resilient organizations that have had their core online presence literally wiped off the face of the internet via distributed denial-of-service attacks. Specific systems being taken offline is one thing, however, have you thought about what would happen if your enterprise’s entire domain name system functionality were to go away? With DNS essentially being the circulatory system of the internet (and your business), it’s hard to imagine many organizations could live without it for very long. In a recent DDoS attack, managed DNS provider NS1 and its customers suffered such an outage. Apparently, what started with volume intensive attacks quickly became direct DNS lookup attacks that ended up creating sustained DNS problems. If it can happen to a DNS provider such as NS1, it can happen to anyone. The approach to handling DDoS attacks has, in large part, evolved into increasing capacity to effectively spread the load around multiple systems, in order to better absorb the impact. The NS1 blog post, one of the best I’ve ever seen released from a vendor coming under attack, outlines various DDoS mitigation strategies, with  the most reasonable and effective ones for the typical enterprise being:

  • Having DNS service through two independent networks
  • Working with anti-distributed denial-of-service vendors
  • Ensuring maximum visibility through system monitoring and alerting, ideally through a third-party managed security service provider

However, I believe the most important part of this discussion falls into the category of “experience is something that you don’t get until just after you need it.” A smarter approach to denial-of-service-related incident response is to think, in advance, about the worst that can happen and then take the steps necessary to make sure that it doesn’t happen. It’s called “minimax” regret analysis, where you minimize your maximum regret.

Oddly enough, there still are organizations, including large enterprises, which have yet to find or resolve relatively basic DDoS related weaknesses. Some of these weaknesses are as obvious as ones that come out of vulnerability scanning and penetration testing, such as DNS traffic amplification and DNS recursive queries being enabled. These vulnerabilities exist on routers, firewalls and servers that are exposed to the internet and, thus, denial-of-service. Be it for your DNS provider or for internal-based DNS, here’s what you can do starting today to minimize the impact of a DNS-focused DDoS attack:

  • Look for the low-hanging fruit, i.e., the DNS vulnerabilities mentioned above.
  • From a network architecture point of view, look at how the DNS service operates within your environment and determine specific choke points and single points of failure, including cloud services and business partner connections.
  • Have a discussion with your internet, hosting, cloud and DNS service providers and ask them what mitigation strategies they have in place to minimize such risks.
  • Based on the information you gather, determine what else needs to be done such, as adding an additional DNS provider, signing up for an anti-DoS vendor’s service, and so on.
  • Perhaps most importantly, document your standards around these DNS mitigation strategies and technologies, as well as your procedures for handling such events, directly in your incident response plan or business continuity plan.
  • Perform simulated tabletop (or real) exercises to determine where you’re still weak, go about resolving what you uncover, and then make denial-of-service and incident response testing part of your ongoing information security program.

One of the best gifts you can ever receive to help with minimizing your security risks is someone else’s incident. Review what happened to NS1 and other DNS providers moving forward. Compare what happened to them in their scenario and how it might apply to your situation. Finally, ensure you have the proper security controls in place to address such events. Remember that your overall goal is not to fully eliminate the risk, but rather to minimize its impact to your organization.

Next Steps

Learn how your enterprise can effectively mitigate DDos attacks

Find out how DDoS attacks have evolved

Read about preventing DDoS attacks that bypass DNS rerouting

Dig Deeper on Disaster Recovery and Business Continuity Planning

Source link