As the holiday season approaches, DNS Made Easy is encouraging online retailers to use more than one DNS provider to ensure total availability during peak shopping days. Last month, a major DNS provider was attacked and many of its clients' domains were unavailable for hours on the US East Coast. The event was a wake-up […]
DNS Made Easy clients, you may have noticed that a significant number of major websites were unavailable for a few hours this morning, i.e., Twitter, Etsy, Spotify, and Netflix, to name a few. After initial investigations, we found that most of these sites shared the same managed DNS provider. Around 7am this morning, Dyn announced […]
We’ve previously discussed the recent massive DDoS attacks that were directed at the Spamhaus spam monitoring service, and which used open DNS resolvers to amplify their available bandwidth. We issued a call for ISPs, hosting companies, and others in the industry to do all they can to reduce the number of open recursive DNS resolvers on the Internet, but there are additional steps that can be taken to severely restrict the potential means of attack available.
DNS amplification DDoS attacks work by prompting open DNS servers to send large amounts of data to a host that is not the real originator of the request. To do this, query packets are crafted with a spoofed source IP address, so the server's responses (which are far larger than the queries that triggered them) are delivered to the spoofed target address rather than back to the sender. With a script and a relatively small amount of bandwidth, attackers can therefore direct overpowering floods of data at their target.
Cutting attackers off by removing the open DNS servers is the optimal solution, but preventing packets with spoofed source IPs from ever entering target networks will also help mitigate attacks.
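The mechanism described above (a small spoofed query, a large response delivered to the spoofed address) leaves a measurable signature in a resolver's own traffic: one "client" receives many more bytes than it ever sent, and, on an open resolver, that client is often outside the networks the resolver was meant to serve. The following Python script is an added example, not code from the original post; it runs detection logic over a few constructed query/response records. The record layout, the served prefix `192.0.2.0/24`, the client addresses and the thresholds (`min_factor`, `min_responses`) are all assumptions chosen for illustration.

```python
"""Flag likely DNS amplification abuse from a resolver's query/response records.

Added example. The records, field layout and thresholds are constructed for
illustration and do not reflect any real resolver's log format.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass
class Record:
    ts: float
    direction: str   # "query" (client -> resolver) or "response" (resolver -> client)
    client: str      # source IP of the query, or destination IP of the response
    qtype: str
    size: int        # UDP payload length in bytes


# Assumed: the only prefix this resolver is supposed to recurse for.
SERVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_served(ip: str) -> bool:
    """True if the client address belongs to a network the resolver should serve."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVED_NETS)


def summarize(records):
    """Aggregate bytes in/out per client address (the address on the UDP header,
    which in an amplification attack is the spoofed victim, not the attacker)."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0,
                                 "responses": 0, "response_bytes": 0,
                                 "qtypes": set()})
    for r in records:
        s = stats[r.client]
        if r.direction == "query":
            s["queries"] += 1
            s["query_bytes"] += r.size
            s["qtypes"].add(r.qtype)
        else:
            s["responses"] += 1
            s["response_bytes"] += r.size
    return stats


def amplification_factor(s) -> float:
    """Bytes sent to the client per byte received from it."""
    return s["response_bytes"] / s["query_bytes"] if s["query_bytes"] else 0.0


def flag_suspects(records, min_factor=10.0, min_responses=5):
    """Return (client, factor, reasons) for clients that look like amplification
    victims or that expose open recursion, highest factor first."""
    suspects = []
    for client, s in summarize(records).items():
        factor = amplification_factor(s)
        reasons = []
        if factor >= min_factor and s["responses"] >= min_responses:
            reasons.append(f"amplification x{factor:.1f} "
                           f"(qtypes {sorted(s['qtypes'])})")
        if not is_served(client):
            reasons.append("client outside served prefixes (open recursion)")
        if reasons:
            suspects.append((client, factor, reasons))
    return sorted(suspects, key=lambda t: -t[1])


def _make(client, qtype, n, qsize, rsize, start=0.0):
    """Build n matching query/response pairs for one client (constructed data)."""
    recs = []
    for i in range(n):
        recs.append(Record(start + i, "query", client, qtype, qsize))
        recs.append(Record(start + i + 0.01, "response", client, qtype, rsize))
    return recs


# Constructed sample: 203.0.113.10 is the spoofed source (the real victim) of
# ANY queries that return 3000-byte answers; 192.0.2.25 is a normal internal
# client; 198.51.100.7 is a single external lookup the resolver should not serve.
SAMPLE = (
    _make("203.0.113.10", "ANY", 8, 60, 3000)
    + _make("192.0.2.25", "A", 3, 45, 100, start=100.0)
    + _make("198.51.100.7", "A", 1, 40, 90, start=200.0)
)


if __name__ == "__main__":
    for client, factor, reasons in flag_suspects(SAMPLE):
        print(f"{client:15} x{factor:6.1f}  " + "; ".join(reasons))
```

The per-client byte ratio is what makes the check useful: a normal client sits at a factor of two or three, while the spoofed victim sits at fifty. Either finding on a resolver argues for the fix the text describes, namely restricting recursion to the networks you actually serve, since a resolver that answers only `SERVED_NETS` would never have emitted the flagged responses.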