Secure DNS Prevents DDoS Attacks

 

You’ve probably been hearing plenty about the threat of DDoS attacks—and how more and more attackers are targeting DNS. Watch this short video and hear Neustar’s Rodney Joffe explain how hardened DNS can keep your business safe.

In a few quick minutes you’ll learn:

  • Why DNS has become a favorite attack vector
  • How Neustar has hardened its DNS to create carrier-class protection
  • Why advanced, secure DNS in tandem with cloud-based DDoS protection gives your business a bigger shield against large multi-vector attacks
 

Video Transcript:

The key thing to understand is that actually, the foundation of these attacks and the thing that makes the internet that vulnerable actually lies within the DNS, the domain name system, which is the system that converts domain names to IP addresses, which is what the computers understand.

The DNS infrastructure was never designed to be very secure. It was designed to be robust from a reliability point of view and it's built on a protocol that says if my packets don’t get through I’ll just retransmit them and they're not critical.

Unfortunately that has a weakness. It was designed for networks that weren't very reliable and so it made it, you know, to a certain extent reliable.

Now we end up in a world where that weakness is actually exploited many times by the criminals, by attackers. So, for example, in UltraDNS and in Neustar what we've done is we've developed some mechanisms that make it as robust as possible, effectively turning it into a carrier-class mechanism for protecting infrastructure.

That gives us a very good basis with which to actually defend our customers, or to help defend our customers because we're able to do things within DNS that most companies don't. We have infrastructure that's global, we have systems that sit in probably 20 or 25 countries around the world that are protected by mechanisms that we've developed over the last 10 or 12 years. We've been doing this for many, many years, and because the companies that we have as customers are so critical for many things, not just for the internet, but in banking, and in finance, and in government, and in shipping and transportation and in the power industry we've been able to get assistance from a lot of third parties to harden what we have from a technology point of view, from the point of view of resources, and also from the point of view of being able to respond when there's an event.

So this is one of the things that makes it, you know, a little better for our company and for our customers able to defend against the attacks, but nothing is perfect.

So the question is how does that play into the big picture.

The next question would be how does this robust and secure DNS infrastructure that we have make a difference when it comes to DDoSes. Well, first of all, what we're able to do is we're able to take away the vector of taking down the DNS.

So where normally DNS is a prime target because it's such a weak protocol, in our particular case our DNS infrastructure is robust enough, it's distributed enough, it has all those bits and pieces that we've built over the years.

It makes it more difficult for the attacker. So the attacker then starts to go after the web content, for example. When they go after the web content we have our SiteProtect product.

This is a product that allows us to actually filter the attack traffic. So as the attackers are sending large amounts of traffic towards our customers' websites we reroute that through our infrastructure which is designed to filter out the bad traffic and really to only let, to identify and only let the good traffic through.

The things that went on with the financial institutions were exactly the same kinds of attacks. First of all against DNS, and then against the web infrastructure, and then a mixture of it. And then it also becomes more sophisticated when they attack the applications.

Not a lot of bandwidth but actually attacking things like the payment gateways and the payment processing systems and so on.

So what we're also able to do is run that traffic through our infrastructure and filter out the bad traffic not just based on volume but based on the applications that it's attacking, whether it's mail systems, whether it's the payment processors and gateways.

And we're able to use that DNS infrastructure to also reroute the traffic. So we're able to use that distributed platform, which allows us to, if you like, break the attack down into smaller pieces and then to be able to handle it in different parts of the world.