Arbor Networks has released its twelfth annual Worldwide Infrastructure Security Report (WISR), singling out the Domain Name System (DNS) as one of the Internet services most targeted by DDoS attacks and saying it remains the Achilles heel of global Internet infrastructure.
“DNS was not only the most heavily abused protocol for reflection/amplification DDoS attacks [in 2016], but an attack targeting a specific DNS provider was also the cause of the most widespread Internet outage of 2016,” the report says. (In October 2016 an attack against the authoritative DNS provider Dyn resulted in outages for various Internet services on the east coast of the USA.)
For the past two years, Arbor has included a specific breakout section in the report on reflection/amplification attack vectors to provide additional detail on their evolution and use.
It said that, during 2016, reflection/amplification attack vectors continued to be leveraged by attackers around the globe, but: “The big change this year is the strong resurgence of DNS as the dominant protocol being leveraged for reflection/amplification. Throughout this year, the number of DNS reflection/amplification attacks being tracked per week nearly doubled, from approximately 10,500 to 18,500 — representing a significant shift.”
In 2016, DNS was also the most common service targeted by application-layer attacks, reported by 81 per cent of respondents. HTTP had been the top targeted service prior to 2016, and it still remains very close.
Arbor reported that DDoS attacks are now targeting authoritative DNS servers more frequently than recursive servers. Thirty per cent of respondents saw attacks targeting recursive DNS servers, down from 34 per cent last year. The data for authoritative DNS servers showed a swing in the other direction, with 34 per cent experiencing attacks, up from 29 per cent last year.
DNS security an afterthought
At the same time, Arbor said that DNS infrastructure continued to be an afterthought for many organisations, be they service providers or enterprises. It said the percentage of DNS operators with a dedicated security function for DNS had fallen to 22 per cent from 28 per cent last year.
It described this as “a significant drop and a disappointing result,” adding: “While many organisations pursue outsourcing, machine learning or automation strategies to help fill the gap, increased efficiency and organic growth of internal teams will also prove vital.”
The report concluded: “Understanding and protecting the increasingly complex mesh of connectivity in which we exist is an ongoing challenge … exacerbated by the global shortage of security professionals, a problem that is only predicted to get worse in the near future.”
Arbor was also concerned by the uptick in the number of enterprises running their own DNS servers: up from 65 per cent last year to 75 per cent this year. “It is very surprising to see enterprises taking more control of critical infrastructure such as DNS rather than relying on dedicated DNS providers,” Arbor said.
On a more positive note, the report said: “Visibility into DNS traffic has improved. Three quarters of this year’s respondents cite visibility at Layers 3/4, up from 63 percent last year.”
The report said the security measures used to protect DNS infrastructure differed significantly between service provider and enterprise respondents. “For service providers, intelligent DDoS mitigation systems (IDMS) are the most popular choice, with [access control lists] and firewalls in second and third place respectively. For enterprise respondents, the technologies used are quite different, with firewalls, IPS/IDS and [access control lists] being the top three choices. Enterprises still prefer generic security solutions to those that are specifically designed to protect infrastructure from the DDoS threat.”
Release of the report coincided with the release of Deloitte’s 2016 Technology, Media and Telecommunications Predictions, in which Deloitte said it expected to see an average of one 1Tbps DDoS attack per month and a total of more than 10 million DDoS attacks in 2017.