This year, EfficientIP conducted one of the largest surveys of organizational understanding of DNS security, exploring attitudes to risk and examining the effectiveness of current DNS security models. Responses varied around the world, and so in a series of blog posts we’re going to highlight some key regional differences, looking at the EU, APAC, and in this first post, the United States.
Getting DNS security right is increasingly important. Over the last few years there has been a shift in how attackers work. That’s because improved security in firewalls, operating systems, and other elements of our network architectures have been widely deployed. These changes mean attackers now have to find new routes into a business’ system, with the DNS as a key avenue for both disruption and intrusion.
It’s not surprising DNS is under threat: organizations often ignore this critical infrastructure and use default security solutions rather than investing in newer DNS security technologies. Despite the DNS’s role in providing the glue that holds the Internet together, 30% of US survey respondents didn’t feel DNS security was critical to their businesses.
The message from the report is that the risk is real, and quantifiable. Of the US businesses surveyed, 43% had application downtime as a result of attacks on DNS, with nearly 25% having their websites and ecommerce systems compromised. Those attacks took time to resolve: 40% needed 6 hours or more to get back online, with a further 30% experiencing an outage of more than an hour. That downtime costs money, with almost 10% of US respondents losing between $1M and $5M.
So what can you do to improve your DNS to make your organization more secure than your competitors?
First, you should look at moving away from the default UNIX and Windows DNS servers, towards technologies like hybrid DNS that allow you to quickly switch between different DNS implementations. It’s important to note that DNS security alone isn’t enough: 70% of survey respondents have DNS security systems in place. That’s a start, but when only 40% are using analytics to monitor and analyze their DNS traffic, it means the rest are letting their DNS run without making decisions based on what the traffic shows.
Next, you should be taking advantage of analytics to help you take the right actions and decisions in the event of an attack. By knowing what to do and when to do it, you’re going to have an advantage over the remaining 60% of US businesses, as you won’t need to turn off live sites during an attack (like 25% of companies did when they experienced an attack on their DNS).
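As an added illustration of the kind of analytics the survey is pointing at (example code written for this post, not an EfficientIP product or anything from the original survey), the script below walks a constructed set of DNS query records, finds the busiest second, and classifies it so that the operator has an option other than switching the site off. The record format, the thresholds, and the response labels are all assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real traffic): (epoch_second, client_ip, qname).
# Second 0 is normal traffic; second 1 is a flood dominated by one source.
SAMPLE_RECORDS = (
    [(0, f"198.51.100.{i}", f"host{i}.example.com") for i in range(1, 6)]
    + [(1, "192.0.2.99", f"rnd{i}.example.com") for i in range(200)]
    + [(1, f"198.51.100.{i}", f"host{i}.example.com") for i in range(1, 21)]
)


def per_second_stats(records):
    """Return {second: [query_count, Counter(client_ip -> count)]}."""
    stats = defaultdict(lambda: [0, Counter()])
    for second, client, _qname in records:
        stats[second][0] += 1
        stats[second][1][client] += 1
    return stats


def triage(records, baseline_qps, capacity_qps, spike_factor=10, concentration=0.5):
    """Classify the busiest second and suggest a response short of taking sites offline.

    baseline_qps: normal query rate for this server (assumed known from history).
    capacity_qps: rate the DNS tier can absorb (assumed from load testing).
    """
    stats = per_second_stats(records)
    peak_second, (peak_qps, clients) = max(stats.items(), key=lambda kv: kv[1][0])
    top_client, top_count = clients.most_common(1)[0]
    top_share = top_count / peak_qps
    if peak_qps <= baseline_qps * spike_factor:
        verdict = "normal"
    elif top_share >= concentration:
        verdict = "concentrated"  # a few sources: rate-limit or block them at the edge
    elif peak_qps <= capacity_qps:
        verdict = "distributed-within-capacity"  # absorb it; sites can stay up
    else:
        verdict = "over-capacity"  # add capacity or engage upstream mitigation
    return {"peak_second": peak_second, "peak_qps": peak_qps, "top_client": top_client,
            "top_share": round(top_share, 3), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, baseline_qps=5, capacity_qps=1000))
```

The same function run over a real query log would give the on-call engineer a per-second rate, the share held by the top source, and a verdict to act on during the incident instead of afterwards.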
Shutdown and service interruption are exactly what many attackers want. Businesses may have protected their core systems, but they let the attackers win at the same time. Protecting DNS using modern adaptive techniques doesn’t just save your business from loss, it also reduces your IT costs. 43.7% of respondents had 1 to 3 people involved in attack mitigation, and almost 22% had more than 4. Depending on the size of a company, this could be a lot of people! Additionally, they could be coming in outside of normal working hours or taken away from other critical tasks.
Another advantage of moving away from traditional DNS servers is that a dedicated system can handle a lot of traffic at surprisingly low cost. If you’re unable to block an attack by other means, merely being able to absorb everything an attacker can bring to bear can have a significant impact. One third of attacks on US DNS servers were over 5 million queries per second (QPS), with 12% above 10M QPS. If their DNS systems can handle 10M QPS, 88% of US businesses will be able to stay online throughout an attack.
Building a DNS system to handle that level of traffic can be complex, requiring up to 30 servers (along with the associated demands of power, cooling, licensing, training, management, and maintenance). That means you need to choose wisely, and take advantage of the consolidation options that are available.
While the US clearly has issues with regard to some aspects of DNS security, it’s ahead of the world in others. One such aspect is just how quickly its businesses respond to vulnerability notifications: the US outperformed Asia (31.5% of US businesses vs. 21.8% of Asian businesses took less than a day, and 8.6% vs. 14.4% took more than a week), meaning they have more chances to prevent the negative effects of DNS attacks.
What does it all mean?
While a majority of respondents said they had implemented some form of DNS security, there were still attacks being carried out and IT departments struggling to mitigate them quickly to avoid damage. This fact makes it clear that the DNS security tools and techniques currently being used are ineffective and/or inefficient.
Now is the time to start rethinking the security, structure and logistics of your network – before an attack takes down your services, applications and above all, costs you millions of dollars.