Dealing with DNS in the Era of DDoS


Dealing with DNS in the Era of DDoS – dinCloud

With DDoS attacks making news coverage, we wanted to go over what DNS is and how you can better protect your infrastructure.

How Domains & DNS Work

A customer, IT admin or other domain purchaser buys a domain under a top level domain (“TLD”) such as .com, .net, .info or .tv from a domain registrar (Godaddy.com, ChaseNetworks.com <- shameless plug) and then has to point it at DNS servers: the registrar’s, their own, or a 3rd party provider’s. Domain registrars often let you “park” for free on their DNS servers because they want to splash their own web page ads onto your domain until you do something useful with it. You can upgrade to regular DNS service with them, but depending on the features they offer, or simply to be more independent, domain purchasers often use 3rd party providers.

A domain purchaser must specify a minimum of 2 DNS servers; the maximum depends on the TLD, and for .com it is usually 13 DNS servers. This adds a bit of redundancy to the very important function that DNS provides. Resolvers query the listed servers in a round-robin style; queries don’t automatically go to DNS server #1, then #2, and so on. So if you have a live DNS server whose name table has been wiped, it returns a blank reply, and none of the other servers listed for your domain will be asked. This creates a DNS “black hole”. Many DNS hacks try either to wipe your entries or to modify them. The original DoS attacks would simply flood the server and overload it, so that no one could reach any service in your domain (www, email, etc.) because they couldn’t find it.

As such, industry best practice if you ran your own servers (only done today if you are cheap, inexperienced or an expert provider of DNS) was to host them on multiple subnets at multiple datacenters. With rich features like global load balancing, IPv6 support and much more, keeping up with the administration of DNS became a major pain, and pretty much everyone now uses a 3rd party provider. 3rd party providers such as dinCloud use an anycast networking design (https://en.wikipedia.org/wiki/Anycast) to provide faster worldwide response time as well as a mitigation technique against DDoS.

But anycast alone is not enough: tools like ThreatStop.com IPR and a DDoS shield must also be used. Otherwise, as in the Mirai botnet attack on Dyn, you can wind up with regional outages, because even a partitioned DDoS attack can be so strong that any given segment of it is still lethal. dinDNS is a great choice to protect your domains because we bring all 3 pieces to bear together (anycast DNS from 20+ datacenters worldwide, ThreatStop, and DDoS shield): https://www.dincloud.com/security/DNS
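As an added example (not dinCloud’s code), here is a small Python audit that models the “black hole” described above: the answers each authoritative server gives are constructed inline (in practice you would gather them by querying every listed NS directly), and the check flags servers that return empty or divergent answers and estimates the share of round-robin queries that would land on a wiped server.

```python
from collections import Counter

# Constructed snapshots (not real data): what each of four authoritative
# servers answers for two names. ns3 has had its zone wiped: it is still up
# and answers authoritatively, but every answer is empty, so a resolver that
# picks it accepts the empty reply instead of retrying another server.
# ns4 has had one record modified.
SNAPSHOTS = {
    "ns1.example.net": {"www.example.com": {"198.51.100.10"}, "mail.example.com": {"198.51.100.25"}},
    "ns2.example.net": {"www.example.com": {"198.51.100.10"}, "mail.example.com": {"198.51.100.25"}},
    "ns3.example.net": {"www.example.com": set(), "mail.example.com": set()},
    "ns4.example.net": {"www.example.com": {"198.51.100.10"}, "mail.example.com": {"203.0.113.7"}},
}


def consensus(snapshots, qname):
    """Most common non-empty answer set for qname across all servers."""
    votes = Counter(frozenset(s.get(qname, set())) for s in snapshots.values() if s.get(qname))
    return set(votes.most_common(1)[0][0]) if votes else set()


def audit(snapshots):
    """Return {server: {qname: 'empty' | 'divergent'}} for problem servers only.

    'empty' is the black-hole case (server answers, but with nothing);
    'divergent' means the server disagrees with the majority answer."""
    qnames = {q for s in snapshots.values() for q in s}
    findings = {}
    for qname in sorted(qnames):
        expected = consensus(snapshots, qname)
        for server, answers in snapshots.items():
            got = answers.get(qname, set())
            if not got:
                findings.setdefault(server, {})[qname] = "empty"
            elif got != expected:
                findings.setdefault(server, {})[qname] = "divergent"
    return findings


def blackhole_fraction(snapshots, qname):
    """Share of queries that hit a server answering empty for qname, assuming
    resolvers pick among the listed servers uniformly (round-robin)."""
    empty = sum(1 for s in snapshots.values() if not s.get(qname))
    return empty / len(snapshots)


if __name__ == "__main__":
    for server, problems in sorted(audit(SNAPSHOTS).items()):
        print(server, problems)
    print("share of www queries black-holed:", blackhole_fraction(SNAPSHOTS, "www.example.com"))
```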

The New Normal

It seems almost every other month we hear about 500M accounts at some business or Internet site that reports it was hacked. We shrug; it is the “new normal”. But with the rise of the Internet of Things, in a world where every phone and TV is “smart” and where everything from refrigerators to thermostats to garage door openers and home security systems is on the Internet, what does the future hold? We may shrug today, but what happens tomorrow when we come home to a ransacked house and rotten food in the refrigerator, and realize that the firmware on 1 billion phones and TVs has been obliterated or has destroyed other components, and that a single day’s losses worldwide may be > $1 trillion? We live in an age where most security products don’t protect the BIOS/firmware, the kernel or even the operating system properly, or at all.

For years, Gartner correctly stated that it was COST that drove customers into the Cloud, but it was SECURITY that kept them out. Today, less than 15% of the world’s workloads are in the Cloud. Oracle founder Larry Ellison predicted at this year’s Oracle Open World conference in San Francisco that hybrid deployments using a mix of Cloud and on-premise infrastructure will be around for the next 10 years. It’s my prediction that security will no longer be “a” factor but “the” factor in the rise and/or fall of every single Cloud and Internet of Things (IoT) provider that is now, or has yet to be, established upon the exponentially expanding digital landscape — forever. The rising costs of defense also mean that more CIOs and manufacturers of IoT devices will look to the Cloud sooner rather than later.

Enter dinCloud

dinCloud uses ThreatStop IPR to filter ALL inbound/outbound Internet traffic across ALL our datacenters for ALL our customers by DEFAULT. This STOPS literally ALL botnet malware from brute force hacking IPs on our network or using any devices found therein as part of its attack. You can spend $5 or $5M a month with us and you are protected by DEFAULT. We also have dinImmunity, a tool we use that has over 40+ patents, is vetted by the NSA, and protects systems from the BARE METAL UP, including the BIOS, kernel and operating system. WE ARE THE ONLY CLOUD IN THE WORLD AUTHORIZED FOR THIS TOOL UNDER AN EXCLUSIVE CONTRACT. dinCloud uses AES256 bit encryption for data at rest, in flight, and across connectivity links. Other defense layers for customers can include proxy firewalls with IPS, web filtering, network level anti-virus, etc. We have one of (perhaps THE?) fastest cloud infrastructures, with up to 64 vCPUs, 1.5terabits of memory, and 1 million disk IOPS per system across a MINIMUM 10g/40g network, with Internet connectivity out to Tier 1 providers such as Level3 and Telia Sonera by DEFAULT out of EVERY datacenter WORLDWIDE. Customers can add a DDoS shield which can absorb over 1 terabit per second of traffic, and you won’t even know you’re living in the eye of a DDoS hurricane. Life continues as normal, and protection automatically raises the shield in < 1 minute after an attack commences. We offer dinDNS as the alternative to Dyn.com. dinDNS is an anycast-enabled Domain Name Service hosted out of 20+ datacenters worldwide, and by its nature it helps mitigate a DDoS attack. Anycast advertises the same IPs out of numerous datacenters to break up the destination target IPs of the DDoS attack. When not under attack, the same design serves as a geographic quality of service (QoS) mechanism, delivering speedy DNS replies to the Internet from the closest available resource to the requestor. https://en.wikipedia.org/wiki/Anycast

Talk to us today about moving key resources or at least having failover options to dinCloud. We have certified (CCIE) network engineers, Microsoft, Linux, and other experts to help with migration, 15 minute CDP backup, replication, failover & more.

2018-09-19T14:54:34+00:00