Originally published in American City Business Journals
By Steve Goodbarn
Imagine an important product launch date has arrived, and suddenly not one of the billions of people on the internet can reach your website, your email or your internet-based services, whether gaming, video, CRM, marketing automation or any of the hundreds of online offerings.
In a real sense, your business just vanished.
What happened? Your Domain Name System (DNS) is offline, unable to translate the human-readable company name into the IP address that all computers need to complete a network connection. Customers trying to reach your website will be greeted with a “server not found” error message or a page full of ads — neither of which they are looking for.
Long taken for granted as a utility, DNS is the critical, pervasive system that touches all internet-connected devices and services yet represents the Achilles heel in internet security today. A secure, reliable and authenticated DNS is a crucial step to being secure, reliable or private online.
Many recent outages and slowdowns in service demonstrate the need to revisit the security of the DNS. From the CEO on down, those who don’t properly secure their DNS are putting their business — and potentially their job — on the line.
Capacity and diversity are critical
The first and most basic line of defense when it comes to the DNS is ensuring there’s sufficient capacity for traffic spikes, such as when your “Buy One, Get One Free!” promotion takes off widely.
Related to capacity is redundancy, or ensuring the DNS is resilient when there’s a fire, earthquake, service provider or power outage. This redundancy should also include geographic redundancy. It makes no sense to put all your DNS resources in the same room, in the same building — or with the same provider.
Closely related to redundancy is something called “genetic diversity.” Put another way, it’s important to have a mix of DNS software. Otherwise, no matter how many servers you use or where you locate them, they’ll all be susceptible to the same software vulnerabilities or software errors.
More than 80 percent of the internet is dependent upon a single type of DNS software, and like the Irish potato famine, a single virus or malware could potentially take much of the entire world offline.
To get a sense of what that could look like, remember the WannaCry attack in May that took out organizations around the globe in a matter of hours by exploiting an unpatched Microsoft vulnerability? Taking out a significant portion of the DNS would look far worse than that.
Best practices dictate diversity in DNS software so that a single point of failure cannot take everything down. Although the sheer vastness of the internet makes the likelihood of a global take-down remote, your business does not have that capacity. My advice: Consider using more than one type of DNS — and ensure your critical service providers do the same.
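The capacity, redundancy and "genetic diversity" advice above can be turned into a concrete check. The script below is an added example, not code from the author or from Secure64: it audits a constructed inventory of a zone's authoritative name servers (hypothetical hosts, documentation IP ranges and made-up provider names) and reports where every server shares one provider, one DNS implementation, one region or one network prefix, which is exactly the single point of failure the section warns about.

```python
import ipaddress

# Constructed inventory for a hypothetical zone. Real inventories would come from the
# zone's NS records plus whatever the operator knows about each host.
INVENTORY = [
    {"host": "ns1.example-dns.test", "ip": "192.0.2.10",   "provider": "HostCo", "software": "BIND", "region": "us-east"},
    {"host": "ns2.example-dns.test", "ip": "192.0.2.11",   "provider": "HostCo", "software": "BIND", "region": "us-east"},
    {"host": "ns3.example-dns.test", "ip": "198.51.100.5", "provider": "HostCo", "software": "BIND", "region": "us-west"},
]

# A diversified layout for comparison: two providers, two implementations, two regions,
# two distinct network prefixes.
DIVERSIFIED = [
    {"host": "ns1.example-dns.test", "ip": "192.0.2.10",   "provider": "HostCo", "software": "BIND",  "region": "us-east"},
    {"host": "ns2.other-dns.test",   "ip": "198.51.100.5", "provider": "OtherCo", "software": "Knot", "region": "eu-west"},
]


def network_prefix(ip: str) -> ipaddress._BaseNetwork:
    """Collapse an address to the prefix that usually fails as a unit:
    /24 for IPv4, /48 for IPv6. Two servers in one prefix share a routing and outage domain."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def audit_nameservers(inventory: list, min_distinct: int = 2) -> list:
    """Return a list of findings (empty means the layout meets the diversity bar).
    Each finding names the dimension along which all servers are identical."""
    findings = []
    if len(inventory) < min_distinct:
        findings.append(f"only {len(inventory)} name server(s); at least {min_distinct} are needed")
        return findings

    # Provider, software and geographic diversity: the "genetic diversity" checks.
    for field in ("provider", "software", "region"):
        distinct = {ns[field] for ns in inventory}
        if len(distinct) < min_distinct:
            findings.append(f"all {len(inventory)} name servers share one {field}: {distinct.pop()}")

    # Network diversity: all servers behind the same prefix go down with that prefix.
    prefixes = {network_prefix(ns["ip"]) for ns in inventory}
    if len(prefixes) < min_distinct:
        findings.append(f"all name servers sit in one network prefix: {prefixes.pop()}")

    return findings


if __name__ == "__main__":
    for label, inv in (("constructed inventory", INVENTORY), ("diversified layout", DIVERSIFIED)):
        print(f"{label}:")
        for finding in audit_nameservers(inv) or ["no findings"]:
            print("  -", finding)
```

The constructed inventory passes the region and network checks (two regions, two /24s) but fails on provider and software, which is the common real-world shape: several servers, one vendor, one implementation. Extending the inventory with the upstream transit provider or the power region would follow the same pattern.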
Remaining available during denial of service attacks
Assuming you’ve addressed capacity, redundancy and genetic diversity, there’s still Distributed Denial of Service, or DDoS, attacks.
DDoS attacks are often in the news, especially recently with massive numbers of Internet of Things (IoT) devices driving them, and so are probably the best understood cause of DNS outages by the general public. (Being understood doesn’t mean you, as CEO or as a senior manager, will be forgiven if your company is kicked offline.)
DDoS attacks happen for a variety of reasons — from punishment and turf wars to extortion and distraction while attackers probe for weaknesses and pilfer data.
They have been around for many years, growing in sophistication, frequency and, most recently, in volume. DDoS attacks moved into the terabit per second (Tbps) strata in 2016, first with an attack on security researcher Brian Krebs, and then on managed DNS provider Dyn. The Dyn attack took down popular websites such as Twitter and PayPal. In the aftermath of the attack, the service provider lost about 8 percent of its web domains, a sizable chunk of its customer base.
Terabit DDoS attacks are not that common, but attacks of less than a gigabit per second are very common. An excellent and cost-effective way to keep your DNS available is to have DNS servers with built-in, scalable and multi-layered DDoS protection.
Other attacks on the DNS
Finally, other attacks on the DNS involve redirection, cache poisoning and pharming — all of which can be prevented by implementing DNS Security Extensions (DNSSEC). These extensions validate a site’s identity through the use of a specialized server that generates cryptographically signed keys. By matching this digital signature against the key information it has on file, the receiving DNS server can establish a chain of trust.
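The chain of trust described above is built link by link: the parent zone publishes a DS record that is a hash of the child zone's key-signing key, so a validating resolver can confirm it holds the genuine key before trusting any signature made with it. The script below is an added example, not the author's or Secure64's code; it implements one such link with the real DNSSEC formats (owner-name wire form, DNSKEY RDATA, the RFC 4034 key tag, and the SHA-256 DS digest of RFC 4509) using only the Python standard library. The key bytes are a constructed placeholder, not a real ECDSA key, and the signature-verification step that DNSSEC performs on top of this link is not shown.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length, terminated by the root's zero-length label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B) for every algorithm except the obsolete RSA/MD5 (algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """A parent's DS record vouches for a child key only if key tag, algorithm and digest all agree.
    A resolver that finds no matching DS treats the child's key as untrusted."""
    if ds["digest_type"] != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented in this example")
    algorithm = rdata[3]  # byte 3 of the RDATA is the algorithm field
    return (
        ds["key_tag"] == key_tag(rdata)
        and ds["algorithm"] == algorithm
        and ds["digest"].lower() == ds_digest(owner, rdata)
    )


# Constructed example: a key-signing key for example.com.
# flags 257 = zone key + secure entry point, protocol 3, algorithm 13 (ECDSA P-256 / SHA-256).
ZONE = "example.com."
KSK_PUBLIC_KEY = bytes(range(64))  # placeholder bytes of the right length, NOT a real P-256 key
KSK_RDATA = dnskey_rdata(257, 3, 13, KSK_PUBLIC_KEY)

# The DS record the parent zone (.com) would publish for that key.
PARENT_DS = {
    "key_tag": key_tag(KSK_RDATA),
    "algorithm": 13,
    "digest_type": 2,
    "digest": ds_digest(ZONE, KSK_RDATA),
}

# A key an attacker might try to substitute (redirection / cache poisoning): same flags and
# algorithm, different key material. It must fail the DS check.
ROGUE_RDATA = dnskey_rdata(257, 3, 13, bytes(64))


def check_chain_link(ds: dict = PARENT_DS, owner: str = ZONE, rdata: bytes = KSK_RDATA) -> bool:
    """True when the parent's DS record matches the child's DNSKEY, i.e. the link holds."""
    return ds_matches_dnskey(ds, owner, rdata)


if __name__ == "__main__":
    print(f"key tag of constructed KSK: {key_tag(KSK_RDATA)}")
    print(f"genuine key accepted:  {check_chain_link()}")
    print(f"rogue key accepted:    {check_chain_link(rdata=ROGUE_RDATA)}")
```

The same digest over the same bytes is what a validating resolver computes when it compares the DS it fetched from the parent with the DNSKEY it fetched from the child; a substituted key, or a key served under the wrong owner name, produces a different digest and the chain breaks at that link.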
This is scary stuff, but a real possibility. The consequences are huge for your company and career if you are blamed for the fallout.
Steve Goodbarn is co-founder and chairman of Secure64.