Current DNS Filtering Security Solutions Won’t Protect You!
Reading, UK, January 8th, 2015: On December 22nd, Rackspace stated on its official Google+ page that its DNS infrastructure had suffered a DDoS attack affecting three of its data centers. Service was restored after roughly 12 hours.

When they discovered the attack, Rackspace tried to mitigate it by blocking inbound traffic. Such blocking is usually implemented by filtering DNS queries, and that is where the difficulty lies: at the level of individual packets it is very difficult, often impossible, to tell legitimate queries from attack queries, particularly when both arrive from the same recursive resolver. Filtering therefore risks blocking legitimate traffic along with the attack.

Rackspace acknowledged as much: "In order to stabilize the issue, our teams placed the impacted DNS infrastructure behind mitigation services. This service is designed to protect our infrastructure, however, due to the nature of the event, a portion of legitimate traffic to our DNS infrastructure may be inadvertently blocked. Our teams are actively working to mitigate the attack and provide service stability." They added later that, "After blocking the majority of the inbound DDoS attack earlier in the morning some DNS servers that were sending both legitimate and DDoS traffic to Rackspace were blacklisted."

A filtering mechanism meant to protect the customer can thus be turned against that customer: once attack traffic is routed through a resolver that also carries legitimate queries, a per-source block cuts off every legitimate user behind that resolver.

To avoid this risk of false positives, a filtering system must analyze traffic at the DNS transaction level over a period of time, reassembling the complete DNS exchange (queries, responses, fragments, recursive lookups) and the resolutions actually requested by customers, so that decisions are made per transaction rather than per source address. Such a system must store, index and analyze very large volumes of data while continuing to answer legitimate traffic, all without adding latency. With existing solutions this is almost impossible to achieve, and the events Rackspace experienced demonstrate it.
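As an added illustration, not code from Rackspace, the page's author or any vendor product, the constructed Python below models the situation in the Rackspace quote above. A recursive resolver (198.51.100.10, a documentation address) forwards both real client queries and attack queries for random labels under one zone; a direct attacker (203.0.113.5) sends only attack queries; a plain client (192.0.2.7) sends only real ones. The random-subdomain shape of the flood, the zone example.com., the thresholds and the "looks random" heuristic are all assumptions for the example. It compares a per-source blacklist, which blocks the mixed-traffic resolver outright, with a per-query decision driven by rebuilt query/response history, which drops the attack names while keeping every legitimate query, including one legitimate name with a random-looking label that only the resolution history can vouch for.

```python
"""Per-source blocking vs. transaction-level filtering of DNS traffic.

Added illustration on constructed data; not Rackspace's or any vendor's code.
The attack is modelled as a flood of queries for random labels under one zone,
partly sent directly and partly forwarded by a recursive resolver that also
carries real client traffic. Hosts, zone and thresholds are assumptions.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: float      # arrival time within the analysis window (seconds)
    src: str       # source address as seen by the authoritative server
    qname: str     # query name
    rcode: str     # response code once the server answered: NOERROR or NXDOMAIN
    legit: bool    # ground truth for scoring only; a live filter never sees it


ZONE = "example.com."                                   # hypothetical zone under attack
RESOLVER, ATTACKER, CLIENT = "198.51.100.10", "203.0.113.5", "192.0.2.7"
# The last name is legitimate but random-looking (e.g. a CDN hash host).
LEGIT_NAMES = ["www." + ZONE, "mail." + ZONE, "api." + ZONE, "d7f3a9c2e1b8." + ZONE]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_window(seed=7):
    """Constructed one-minute window: queries already paired with their responses."""
    rng = random.Random(seed)
    txns, clock = [], 0.0

    def add(src, qname, rcode, legit):
        nonlocal clock
        clock += 0.01
        txns.append(Txn(clock, src, qname, rcode, legit))

    def junk():
        # 12 distinct characters, so every attack label has entropy log2(12) ~ 3.58 bits
        return "".join(rng.sample(ALPHABET, 12)) + "." + ZONE

    for i in range(100):                       # resolver: real client traffic
        add(RESOLVER, LEGIT_NAMES[i % 4], "NOERROR", True)
    for _ in range(300):                       # resolver: forwarded attack traffic
        add(RESOLVER, junk(), "NXDOMAIN", False)
    for _ in range(500):                       # direct attacker
        add(ATTACKER, junk(), "NXDOMAIN", False)
    for i in range(30):                        # plain client
        add(CLIENT, LEGIT_NAMES[i % 3], "NOERROR", True)
    return txns


def blacklisted_sources(txns, max_queries=200):
    """Policy 1 (coarse mitigation): every source above max_queries in the window."""
    counts = Counter(t.src for t in txns)
    return {src for src, n in counts.items() if n > max_queries}


def per_source_blacklist(txns, max_queries=200):
    """Drop all traffic, legitimate or not, from blacklisted sources."""
    blocked = blacklisted_sources(txns, max_queries)
    return [t for t in txns if t.src not in blocked]


def entropy(label):
    """Shannon entropy of the characters in one label, in bits."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def looks_random(qname, min_len=10, min_bits=3.2):
    """Placeholder heuristic for machine-generated labels: long and high-entropy.
    Real deployments would use a stronger model; the thresholds are assumptions."""
    label = qname.split(".")[0]
    return len(label) >= min_len and entropy(label) >= min_bits


def learn_resolved(txns):
    """Rebuild query/response pairs over the window and keep the names the
    authoritative server actually answered; these are never dropped later."""
    return {t.qname for t in txns if t.rcode == "NOERROR"}


def transaction_filter(txns, resolved):
    """Policy 2: decide per query, not per source, using only the query name and
    the resolution history, so a resolver carrying mixed traffic is never blacklisted."""
    return [t for t in txns if t.qname in resolved or not looks_random(t.qname)]


def score(all_txns, kept):
    """Return (legitimate queries dropped, attack queries passed) for a policy."""
    kept_set = set(kept)
    legit_dropped = sum(1 for t in all_txns if t.legit and t not in kept_set)
    attack_passed = sum(1 for t in kept if not t.legit)
    return legit_dropped, attack_passed


if __name__ == "__main__":
    window = build_window()
    print("blacklisted sources:", sorted(blacklisted_sources(window)))
    print("per-source blacklist (legit dropped, attack passed):",
          score(window, per_source_blacklist(window)))
    print("transaction filter   (legit dropped, attack passed):",
          score(window, transaction_filter(window, learn_resolved(window))))
```

On this constructed window the per-source policy blacklists both the attacker and the resolver, dropping all 100 legitimate queries the resolver carried, which is exactly the outcome Rackspace described. The transaction-level policy drops the 800 attack queries and none of the 130 legitimate ones, and keeps d7f3a9c2e1b8.example.com. only because the rebuilt history shows it resolving; on the query name alone it would be indistinguishable from attack traffic. That dependence on stored, indexed history over time is the cost the text refers to.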