In light of the recent Mirai botnet DDoS attacks against DNS servers, Flashpoint would like to raise awareness on certain suggested mitigation strategies. These recommendations are relevant for organizations with Internet-facing authoritative DNS servers.
For organizations running their own DNS servers, it is crucial that network team members both understand the current DDoS landscape and are prepared to mitigate should attacks move to their sector or enterprise. DNS is the single largest focal point for Internet operations; if DNS goes offline, it will significantly impact operations for any organization. With the upcoming U.S. presidential election as well as the peak shopping and travel seasons (Thanksgiving, Christmas, and New Year’s), identifying strategies to defend business operations is critical.
Significant upcoming dates include:
- November 8 – Election Day
- November 23 – Peak travel
- November 24 – Thanksgiving
- November 25 – Black Friday
- November 26-27 – Peak travel
- November 28 – Cyber Monday
- December 19-23 – Peak shopping
- December 23-24 – Peak travel
- December 26-27 – Peak travel
- December 30-31 – Peak travel
Robust defense strategies grow increasingly necessary
In a traditional DNS server deployment, an organization will typically deploy two to four DNS servers on its own network. While servers may be hosted on different subnets (this is a best practice), they will most often be reachable via a single Autonomous System Number (ASN) and/or provider pipe. In recent years as DDoS attacks have increased in frequency, complexity and volume, organizations have added DDoS protections in front of their DNS servers. This strategy typically entails either a network-side set of protections from the organization’s carriers or through the services of a traffic intermediary.
Unfortunately, recent events have shown a massive increase in DDoS traffic volume, with attacks now exceeding one terabit per second. Additional defensive strategies are recommended and should be evaluated based on cost and need. Decision makers should bear in mind that any layered defensive strategy will be unique to each organization and will likely vary according to in-house skills, tolerance for third-party costs and risks, and business requirements.
Anycast DNS providers recommended for mitigation
One such mitigation strategy is to use an Anycast DNS provider. This enables an organization to keep control of its own DNS servers while using the same management methods and processes. The only difference is that the Anycast DNS provider would block all inbound traffic to the organization’s DNS servers and only allow incoming connections from the provider’s systems. The provider performs periodic zone transfers of the organization’s domain records and then publishes the records from the provider’s DNS servers, which are “Anycasted” (announced from multiple locations around the world).
Benefits to using Anycast DNS providers include:
- They ensure that any DDoS traffic is directed only at the provider, so in the event of a high-bandwidth attack there is no impact on business operations.
- A beneficial side effect is faster DNS responses for clients around the world, which makes an organization’s services respond faster.
- Providers manage DDoS response entirely in house, and they offer Service Level Agreements (SLAs).
- This solution mitigates not only volumetric attacks, but also request-per-second floods and reflected-and-spoofed attacks.
- Most importantly, a one-terabit-per-second attack will be spread across all of the Anycasted nodes, so only a fraction of the attack reaches any single node, making each node more resilient from a bandwidth perspective. If a node does become completely overwhelmed, the attack will only affect topologically nearby clients (such as those in Western Europe), not clients further away (such as those in the eastern USA).
- The local management of DNS does not change, and the benefits and resiliency are very visible post-deployment. Flashpoint recommends that all organizations engage in market research to evaluate both the viability of this option and potential vendors.
In the event of a DDoS attack, the following steps will help support an investigation:
- If possible, collect full-packet captures of the attack traffic. While small samples can also be helpful, full packet captures will provide greater insights.
- If the attack traffic cannot be identified, collect a list of the “Top Talkers” hitting the protocol and IP(s) under attack.
- Use whitelisting and investigative analysis to ensure that legitimate traffic is not counted or recorded in the attack logs. This helps focus the investigation and is also crucial for regulatory and privacy reasons.
- Whenever possible, use packet captures to carve out selected traffic that highlights and identifies the attackers.
- Collect detailed metrics of normal traffic baselines as well as details relating to the attack’s traffic volumes and requests-per-second.
- Note the victim IP(s) so that third parties can investigate their logs for any correlating attack commands or traffic.
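The steps above, as an added example that is not part of Flashpoint’s advisory: a small Python script that runs the top-talker, whitelist and requests-per-second checks over constructed, simplified BIND-style query log lines. The log format, the 10.20.0.0/16 whitelist of legitimate clients and the baseline of one query per second are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed, simplified BIND-style query log lines (assumed format, not real traffic);
# 198.51.100.53 is the authoritative server under attack, 10.20.0.0/16 an internal client range.
SAMPLE_LOG = """\
03-Nov-2016 14:02:10.101 client 203.0.113.7#5353 (example.com): query: example.com IN ANY + (198.51.100.53)
03-Nov-2016 14:02:10.118 client 203.0.113.7#5353 (example.com): query: example.com IN ANY + (198.51.100.53)
03-Nov-2016 14:02:10.120 client 203.0.113.9#4000 (example.com): query: example.com IN ANY + (198.51.100.53)
03-Nov-2016 14:02:10.402 client 10.20.0.5#53311 (example.com): query: www.example.com IN A + (198.51.100.53)
03-Nov-2016 14:02:11.005 client 203.0.113.7#5353 (example.com): query: example.com IN ANY + (198.51.100.53)
03-Nov-2016 14:02:11.230 client 203.0.113.9#4000 (example.com): query: example.com IN ANY + (198.51.100.53)
03-Nov-2016 14:02:11.900 client 10.20.0.5#53312 (example.com): query: mail.example.com IN MX + (198.51.100.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d)\.\d+ client (?P<src>[\d.]+)#\d+ .*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) .*?\((?P<dst>[\d.]+)\)$"
)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_whitelisted(ip, whitelist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in whitelist)

def analyze(log_text, whitelist_cidrs, baseline_qps):
    """Top talkers, victim IPs and peak requests-per-second, with whitelisted sources excluded."""
    whitelist = [ipaddress.ip_network(c) for c in whitelist_cidrs]
    talkers, per_second, victims = Counter(), Counter(), Counter()
    ignored = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_whitelisted(rec["src"], whitelist):  # keep legitimate clients out of attack logs
            ignored += 1
            continue
        talkers[rec["src"]] += 1
        per_second[rec["ts"]] += 1  # one-second buckets give requests-per-second
        victims[rec["dst"]] += 1    # victim IPs to share with third parties
    peak_qps = max(per_second.values(), default=0)
    return {"top_talkers": talkers.most_common(5), "victims": victims.most_common(),
            "peak_qps": peak_qps, "peak_vs_baseline": peak_qps / baseline_qps if baseline_qps else None,
            "whitelisted_ignored": ignored}
```

Running `analyze(SAMPLE_LOG, ["10.20.0.0/16"], baseline_qps=1.0)` on the constructed lines reports the two external sources as top talkers, a peak of three queries per second against 198.51.100.53, and two whitelisted queries kept out of the attack record.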
Collecting these details during and after a DDoS attack will assist in identifying the botnet to support the investigation. Flashpoint will continue to monitor the DDoS attack ecosystem and will report any new updates and/or recommended mitigation strategies.