For owners of websites in vulnerable ccTLDs, preventing DNS attacks at the TLD level can be very difficult or impossible. Website owners should urge their ccTLD registrars to visit www.microsoft.com/cctldregsec and take advantage of the Microsoft ccTLD Registry Security Assessment Service to find and mitigate any vulnerabilities that may leave domains open to attack.
Because attackers also target individual domains for DNS hijacking directly, website owners should act to ensure that their designated authoritative name servers cannot be changed without their approval. Many domain name registrars offer domain locking services that can help prevent DNS records from being changed without the domain owner's approval. Website owners should take advantage of any locking services offered by their registrars, and should urge registrars to offer such services if they do not. Site owners should also take general precautions to secure their domain names against unauthorized changes, such as carefully protecting the usernames and passwords they use to access their domain registry accounts, and only using SSL connections to review their accounts or make changes.
Because DDoS attacks are so difficult to mitigate, it's important that DNS administrators everywhere be willing to cooperate with each other to prevent attacks from happening in the first place. The United States Computer Emergency Readiness Team (US-CERT) has provided some suggestions to help administrators stop attackers from taking advantage of their DNS servers to launch attacks. 5
- Most DNS amplification attacks take advantage of open DNS name servers, which resolve DNS queries submitted to them by any computer on the Internet. System administrators should configure their DNS servers to ignore queries they receive from hosts outside their domain. A number of tools are available for helping administrators detect misconfigured DNS servers within their networks, including:
  - The Open Resolver Project (openresolverproject.org) maintains a list of open DNS resolvers and provides an interface for searching an IP range for open resolvers.
  - The Measurement Factory (dns.measurement-factory.com) also maintains a list of open resolvers and offers a free tool to test a single server to determine if it allows open recursion.
  - DNSInspect (dnsinspect.com) is another free tool for testing DNS resolvers, and it can also test an entire DNS zone for other possible configuration and security issues.
- Administrators of DNS resolvers can take a number of steps to prevent their resources from being used in attacks, including:
  - Source IP verification. Even well-configured DNS resolvers can be exploited by attackers who use source IP address spoofing to issue DNS queries. The Internet Engineering Task Force has released two Best Current Practice documents (tools.ietf.org/html/bcp38, tools.ietf.org/html/bcp84) that can help system administrators perform network ingress filtering, which rejects packets that appear to originate from addresses that cannot be reached via the paths the packets actually take.
  - Disabling recursion on authoritative name servers. An authoritative name server is one that provides public name resolution for a specified domain (such as microsoft.com) and optionally one or more subdomains (such as www.microsoft.com). Because authoritative name servers must be publicly accessible, they should be configured to reject recursive queries from clients. For help disabling recursion in Windows Server, see "Disable Recursion on the DNS Server" at Microsoft TechNet (technet.microsoft.com).
  - Limiting recursion to authorized clients. DNS servers that are deployed within an organization or Internet service provider (ISP) should be configured to perform recursive queries on behalf of authorized clients only, preferably restricted to clients within the organization's network.
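The single-server test that the tools listed above automate can be reproduced in a few lines. The following Python check is an added example, not code from the report or from US-CERT: it sends one query with the RD (recursion desired) bit set to a name server you administer and reports whether the server recursed on your behalf, refused, or answered without recursion. The transaction id, the test name example.com and the default target 127.0.0.1 are assumptions; the sample replies at the bottom are constructed so the classifier can be exercised offline.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id so replies can be matched (assumption)

def build_query(name: str, txid: int = TXID) -> bytes:
    """Minimal DNS query for an A record with RD (recursion desired) set,
    i.e. what an arbitrary Internet client sends to a would-be open resolver."""
    flags = 0x0100  # QR=0 (query), opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes, txid: int = TXID) -> str:
    """Read only the 12-byte header: 'open' if the server set RA and returned
    answers, 'refused' if it rejected recursion, 'closed' otherwise."""
    if len(resp) < 12:
        return "invalid"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not (flags & 0x8000):  # wrong id or QR bit not set
        return "invalid"
    ra = bool(flags & 0x0080)  # RA: recursion available
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"  # REFUSED: recursion not allowed for this client
    if ra and rcode == 0 and an > 0:
        return "open"  # server recursed on our behalf and handed back answers
    return "closed"

def check_open_resolver(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one recursive query over UDP/53 to a server you administer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify_response(data)

# Constructed sample replies (header only, which is all classify_response reads)
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)       # QR RD RA, NOERROR, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)    # QR RD, rcode=5 REFUSED
SAMPLE_AUTH_ONLY = struct.pack("!HHHHHH", TXID, 0x8100, 1, 0, 0, 0)  # QR RD, no RA, no answers

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumption: your own server
    print(target, check_open_resolver(target))
```

A result of "open" from a server reachable on the public Internet means it will recurse for anyone and should be restricted as described above; "refused" or "closed" is the expected outcome for an authoritative-only server.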
Although attacks on popular cloud services tend to make the most headlines, DDoS attacks can, and do, happen to anyone. In fact, well-run cloud services tend to be much better prepared to deal with DDoS attacks than most enterprise IT infrastructures, because successfully overwhelming a large cloud service requires a level of coordination that few prospective attackers are likely to achieve. Organizations that have struggled with DDoS attacks on their websites or other vital parts of their network infrastructures should consider moving some resources to the cloud to take advantage of the security and operations benefits that cloud services provide.
5 See https://www.us-cert.gov/ncas/alerts/TA13-088A for the full alert from US-CERT.