DNS-based DDoS attacks have gained mindshare among Akamai customers lately, most recently with last year's Dyn attacks (written about previously on the Akamai Blog) and this week's attack against Cedexis. DNS infrastructure is a ripe target for malicious actors hoping to disrupt a digital property's availability because it provides the initial resolution, from hostname to IP address, for an end user's browser client. At best, an attack against your DNS records can significantly delay an end user's connection. At worst, it can render your application inaccessible to the end user, either through a denial of service or through a DNS record hijack or forgery. DNS attacks have consistently been one of the top attack vectors for DDoS, according to Akamai's recent security data.
While Akamai did not directly experience or mitigate the attacks against Cedexis, and cannot comment on the events surrounding their service disruption, we have seen many DNS-vector DDoS attacks. Please see Akamai's Quarterly Security State of the Internet Reports for Akamai's research and observations about historical DNS attacks. Stay tuned for Akamai's upcoming Q1 2017 report (May 16th) which highlights a specific attack method against DNS, the "slow drip" or "water torture" attack. Attacks against DNS infrastructure can take many forms, from registry hijacks routing end users to malicious IP addresses, all the way through overloading name servers that distribute DNS records to end users.
While metaphors abound for explaining DNS, because of its complexity and criticality to the Internet, the core protocols for DNS are comparatively simple: they specify how information is recorded in a Domain Name Resource Record, and how that information is transferred from machine to machine. At its core, they rely on hostnames - which specify a connection protocol (such as http or https), a domain name, which includes both the top-level domain (.com, for instance) and the second-level domain name (e.g. "akamai.com") that has been registered with an entity called a "registrar" - and IP addresses, which are the string of numbers that identify a network and a specific device in that network. DNS Resource Records can contain multiple kinds of information regarding those domain names and IP addresses, including an Address (A) record, which points to a single IP address; a Canonical Name (CNAME) record, which points to an alternate hostname with a valid A record; and an authoritative Name Server (NS) record for the domain. There are other record types that can be included in DNS Resource Records to specify additional information.
Once a Resource Record has been built and registered, it needs to be propagated so that the data can reach individual clients. There are many ways of transferring these data and routing end users based on destination IP addresses that vary based on the locus of authority, the number of recipients, and the load on any particular node in the system. Like Cedexis, Akamai uses anycast routing - often compared to other methods as "one-to-one-of-many" - for its Fast DNS product (but not its CDN), allowing us to load balance and route end users effectively. The benefits and drawbacks of an anycast solution are heavily influenced by the scale of the "many" involved in the implementation. Fast DNS has thousands of name servers and hundreds of points of presence, and uses segmented IP Anycast clouds to support both performance and availability goals for customers.
The final piece of DNS Infrastructure has to do with the process by which authoritative answers are received by an individual end user:
Their browser client will have a local cache of commonly used hostname-to-IP-address resolutions; these are typically configured to expire quite quickly. The operating system or other programs running on their device may also have a local cache;
Their ISP or network provider will have its own DNS server operating, typically recursively (i.e. without authority, only repeating the answers it has received that are still within their Time To Live (TTL) of trustworthiness);
Upstream there are authoritative name servers for both the TLD (.com) and SLD (akamai.com) that provide DNS records.
The recursive resolver is responsible for querying the authoritative services that will ultimately deliver the correct IP/name resolution to an end user. The resolver caches the authoritative responses it receives in order to speed up subsequent queries within the defined TTL for that answer. The way the resolver manages its cache can be the difference between a user encountering the dreaded "404-Page Not Found" message and the resolver returning a cached response or querying a secondary authoritative service to help deliver the resolution without failure. In its role as the primary "control point" for domain resolution, the recursive resolver is capable of helping end-users avoid exposure to malware-infected domains.
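The resolver behaviour described above, as an added example that is not from the original post or from any Akamai product: a toy recursive resolver with a TTL cache, CNAME chasing, failover from a primary to a secondary authoritative server, and serving a stale cached answer when every authoritative server is unreachable (the "serve stale" behaviour standardised in RFC 8767). All server names, hostnames and addresses are constructed; 203.0.113.0/24 is a documentation range.

```python
"""Toy recursive resolver: TTL cache, CNAME chasing, failover to a secondary
authoritative server, and serve-stale when every authoritative is unreachable.
Constructed zone data only; 203.0.113.0/24 is a documentation address range."""

# Each simulated authoritative server maps (name, type) -> (rdata, ttl_seconds).
ZONE = {
    ("www.example.com", "CNAME"): ("edge.example.net", 300),
    ("edge.example.net", "A"): ("203.0.113.10", 60),
}
AUTHORITATIVE = {"ns1.example.net": dict(ZONE), "ns2.example.net": dict(ZONE)}


class RecursiveResolver:
    def __init__(self, servers, max_stale=3600):
        self.servers = list(servers)   # primary first, then secondaries
        self.down = set()              # servers simulated as timing out
        self.cache = {}                # (name, type) -> (rdata, expires_at)
        self.max_stale = max_stale     # seconds an expired answer may still be served

    def _query_authoritative(self, name, rtype):
        """Try each reachable authoritative server in order; None if no answer."""
        for server in self.servers:
            if server in self.down:
                continue               # timeout: fall through to the next server
            answer = AUTHORITATIVE[server].get((name, rtype))
            if answer is not None:
                return answer
        return None

    def _lookup(self, name, rtype, now):
        key = (name, rtype)
        cached = self.cache.get(key)
        if cached and cached[1] > now:
            return cached[0], "cache"   # fresh: no upstream query needed
        answer = self._query_authoritative(name, rtype)
        if answer is not None:
            rdata, ttl = answer
            self.cache[key] = (rdata, now + ttl)
            return rdata, "authoritative"
        if cached and cached[1] + self.max_stale > now:
            return cached[0], "stale"   # upstream unreachable: better than failing
        return None, "SERVFAIL"         # simplification: no NODATA/NXDOMAIN distinction

    def resolve(self, name, rtype, now, depth=0):
        """Answer a client query, following CNAMEs (bounded to stop loops)."""
        if depth > 8:
            return None, "SERVFAIL"
        rdata, source = self._lookup(name, rtype, now)
        if rdata is None and rtype != "CNAME":
            target, _ = self._lookup(name, "CNAME", now)
            if target is not None:
                return self.resolve(target, rtype, now, depth + 1)
        return rdata, source
```

Passing `now` explicitly makes the TTL arithmetic deterministic, so the same sequence of queries can be replayed with the primary, then both, authoritative servers marked down.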
Building DNS Resilience
Gartner's Bob Gill, in an August 2015 report "If External DNS Fails, So Does Your Digital Business," (refreshed September 2016) recommends:
"Managed DNS can offer the scale and technology to mitigate distributed denial of service (DDoS) attacks against the DNS infrastructure, as well as outright hijacking of the DNS servers themselves. The opportunities come from the ability to improve resilience and performance of access to those DNS named resources, and improved business value of applications and content by directing users to the optimal resources, based on attributes such as global load balancing, application availability, application performance, user location, time of day, etc."
Akamai offers solutions to help at both the authoritative and recursive resolution levels. Global-scale segmented anycast clouds allow customers using Fast DNS to withstand attacks against their authoritative infrastructure in a sophisticated manner that balances performance and availability. Akamai's Fast DNS solution is well distributed across networks and geographic regions, and allows for whitelisting and rate limiting; this flexibility ultimately means better, safer experiences for your end users. The resilience of the recursive resolver used during DNS resolution can add additional support to an end user's experience. Akamai's AnswerX is an example of a self-protecting recursive resolver, both in its clustered operation and in its ability to rate limit queries. AnswerX is also highly flexible in how it deals with slow or out-of-service authoritative services, and has a rich and dynamic policy implementation that can be used to protect end users from malware, phishing attacks, and other malicious threats. You can learn more about Akamai's DNS product suite at https://www.akamai.com/us/en/solutions/why-akamai/dns-services.jsp, and pay special attention to the May 2017 whitepaper on DNS resilience.
DNS resilience isn't achieved just by having one strong DNS provider, or even multiple strong DNS providers; it is an ongoing process that should be part of a comprehensive program for managing risks to and attacks against your business. Your critical applications, data centers, and DNS registrations may need more than a strong DNS solution; they may need contingency plans for complex or shifting attacks, or for reducing the risk of security events. DNS registry locks, zoned DNS records, comprehensive DDoS protections, and well-oiled security procedures are all part of the balanced, complete breakfast.
So What Next?
Cedexis was transparent about their problem and responsive to their customers during the attack itself; that is the next best thing to not going down. Availability is most businesses' primary goal for their online business, followed by minimizing the long-term damage to their customer relationships and reputation. Akamai built its core CDN business on availability, and has only improved on its product offerings to support that goal for its customers. If you have any questions at all about how Akamai's products can help you meet your performance or availability goals, please don't hesitate to reach out to your sales representative.