Top domains still vulnerable to DDoS and IoT-based DNS attacks

It has now been a week since many top domains were downed on the East Coast due to a DNS provider outage. In the days following, many clients have asked us whether there is a way to avoid downtime even when your DNS provider goes down. In short, this is something we have been stressing for years: every client whose business depends on the Internet should use a Secondary DNS provider.

Over the past few days, we have seen many major tech publications sharing similar advice, urging clients to use as many points of redundancy as possible.

“In many ways, the internet attack is a wakeup call for organizations to configure DNS for optimal resiliency. More specifically, that means using two (or more) DNS providers and listing multiple nameservers for added resiliency. It’s also yet another wakeup call for IoT security as the risk of default passwords and unsecured devices is no longer a theoretical one.” Source: eWeek

We decided to conduct our own study and take a look at the DNS configurations of the top 100 websites according to Alexa. First, we should mention that over a fifth of the domains we looked at are large domains like Google with multiple versions of their website with domains specific to different countries. Considering this, the statistics may not seem as weighty because they are “watered down” by dozens of essentially duplicate domains that have been altered for different languages and localities.

The Facts

According to our research, 36% of the top domains outsource their DNS to a management provider. We weren’t surprised by this number, as many of these larger domains require complex configurations that are sometimes better managed in-house. While in-house hosting may be the preferred solution for tech giants like Google and Facebook, it lacks the redundancy and scalability of a cloud provider. During our study, we started to notice a shift toward adoption of a hybrid architecture, which combines a domain’s in-house network with the scalability of the cloud. This kind of network is preferable, as it allows a cloud-based provider to take over the traffic load if the in-house network fails or is unable to handle all of the traffic.

Of the 36% of domains that outsource their DNS, a whopping 58% use only one provider. After the massive outage last week, we expected this number to have dropped. However, we noticed that only a select few of these domains added a secondary provider in the days following. New reports are starting to call out the downed brands, claiming they could have prevented the outage by using secondary DNS:

“Twitter, Amazon Web Services, PayPal and others could’ve been better prepared too, two security experts told me: anyone running a site should consider a secondary, back-up DNS provider.” Source: Forbes

During our investigations, our researchers noted that some of the domains affected by the outage had switched entirely to another provider. While this may be a viable temporary solution, these domains are still dependent on a single provider and therefore still vulnerable.

The Solution

Based on these findings, we are encouraging all of the domains that are still using only one provider to implement a Secondary DNS provider as soon as possible. These domains are still vulnerable to the same kind of outage that took down Twitter, Netflix, Etsy, Spotify, and many others last week. And just a few days after the East Coast outage, Starhub was attacked and downed by a similar kind of DDoS attack using compromised Internet-connected “things”.

It has been proven time and time again that these “single-homed” solutions can fail. This made us wonder: how many more big brands have to suffer downtime before Secondary DNS becomes a common practice?
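The single-homed check we ran across the top domains can be reproduced for your own zones. The script below is an added example, not code from the original post; it groups a zone’s NS records by the operator that runs them and flags a delegation whose nameservers all belong to one operator. The nameserver hostnames and provider names are constructed for illustration; in practice you would feed in the output of `dig NS yourzone`.

```python
"""Audit an NS delegation for dependence on a single DNS operator."""
from __future__ import annotations

# Constructed sample delegations; provider names are illustrative only.
SAMPLE_DELEGATIONS = {
    "single-homed.example": [
        "ns1.p01.dnsprovider-a.example", "ns2.p01.dnsprovider-a.example",
        "ns3.p01.dnsprovider-a.example", "ns4.p01.dnsprovider-a.example",
    ],
    "multi-homed.example": [
        "ns1.dnsprovider-a.example", "ns2.dnsprovider-a.example",
        "ns1.dnsprovider-b.example", "ns2.dnsprovider-b.example",
    ],
    # Hybrid: in-house nameservers plus one cloud provider.
    "hybrid.example": ["ns1.hybrid.example", "ns1.dnsprovider-b.example"],
}


def provider_of(nameserver: str, zone: str) -> str:
    """Return the operator behind a nameserver hostname.

    Heuristic: the last two labels (ns1.p01.dynect.net -> dynect.net).
    This misfires on public suffixes such as co.uk, so a real audit
    should consult the Public Suffix List.  A nameserver inside the
    zone itself is reported as 'in-house'.
    """
    host = nameserver.rstrip(".").lower()
    if host == zone or host.endswith("." + zone):
        return "in-house"
    return ".".join(host.split(".")[-2:])


def audit(zone: str, nameservers: list[str]) -> dict:
    """Summarise a delegation: distinct operators and whether the zone
    would go dark if exactly one operator were taken offline."""
    providers = sorted({provider_of(ns, zone) for ns in nameservers})
    return {
        "zone": zone,
        "nameservers": len(nameservers),
        "providers": providers,
        "single_homed": len(providers) == 1,
    }


if __name__ == "__main__":
    for zone, servers in SAMPLE_DELEGATIONS.items():
        r = audit(zone, servers)
        status = "SINGLE-HOMED" if r["single_homed"] else "multi-provider"
        print(f"{zone}: {r['nameservers']} NS via {r['providers']} -> {status}")
```

Note that four nameservers at one operator still count as single-homed: the check is about independent operators, not the number of NS records.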

Also published on Medium.