This story has been told thousands of times before – a botnet is born, a botnet goes down, a botnet tries to get its bots back together. But the story of Necurs is unique.
2014 saw numerous huge spikes in DDoS traffic – some as large as 5 billion queries per day across Nominum's worldwide data set, which covers around 3% of overall ISP DNS traffic. Extrapolating, this meant more than 150 billion unwanted queries across the Internet on the peak days.
DNS DDoS continues on the trend line established in 2014 – with tens of billions of malicious queries Internet-wide every day. Many of the domains attacked are lightly trafficked, but popular (Alexa 5000) domains are commonly targeted. For example, alternative news sites, a university, and ecommerce sites have been attacked in the past couple of months. Attacks on popular domains require extra care when mitigating to avoid blocking legitimate queries.
Nominum Research shows about 15% of DNS DDoS traffic is amplification, yet it still has impact (the rest is random-subdomain traffic). Data also shows bad guys continue to leverage open DNS resolvers, which after more than 2 years might be considered an “old-days” technique, yet there are still around 17 million of them on the Internet. More recently our research teams have seen bots sending amplification queries.
Network Functions Virtualization (NFV) is getting a lot of attention in Telecom circles these days. Initiated by leading providers around the world, the NFV effort now has more than 150 participants crossing all of the functional boundaries in networking. NFV has been motivated by the astonishing array of appliances that have crept into provider networks. Even DNS appliances have emerged, but the value proposition is almost exclusively around convenience rather than optimizing DNS for carrier environments.
Spam is a never-ending problem for service providers. Unfortunately, criminals can still make money at someone else’s expense, so they persist in their mindless campaigns. The DNS is an integral part of well-established techniques for handling incoming spam, so unwanted mail doesn’t get delivered to inboxes.
Network operators and IT departments constantly reassess their security exposure and evaluate the best methods for protecting their networks and end users. New security solutions are always emerging to help them, and one that’s starting to receive a lot of attention is the DNS. That’s raising an obvious question: “how in the world does the DNS become a security platform?”
Just as it’s important for service providers and enterprises to maximize the performance and availability of their caching DNS servers, it’s important for brand owners and IT departments to ensure the robustness of their Authoritative DNS. Some of the issues are similar, but ensuring security of Authoritative data also has to be considered.