
Protecting DNS Infrastructure

The domain name system (DNS) is considered by many networking professionals to be the lifeblood of the Internet. To the common Internet user, DNS is transparent; users simply type the human-friendly name of where they want to go into their Web browser (e.g., www.arbornetworks.com) and the site appears. In reality, the world’s DNS infrastructure is a very complex system of relationships, DNS registrars and a well-known hierarchy of distributed servers. Though the Internet’s overall DNS infrastructure is designed for fault tolerance, any individual node is very fragile and susceptible to simple administrative errors or to malicious attacks such as compromised DNS administration, DNS cache poisoning, or DNS amplification attacks that exploit known DNS and IP vulnerabilities.


DNS Protection With Peakflow SP

The Arbor Peakflow SP solution is a network-wide infrastructure security and traffic monitoring platform. By leveraging IP flow data (e.g., NetFlow, sFlow) and information from deep packet inspection (DPI), Peakflow SP provides pervasive and cost-effective network- and application-layer visibility. As Peakflow SP gathers this information, it learns normal traffic and routing behavior across hundreds of routers and thousands of interfaces, and correlates the traffic patterns with the topology data to build logical data models. Armed with this information, Peakflow SP notifies your operations staff and customers of significant changes to the network (a.k.a. network anomalies)—regardless of whether they are due to misconfiguration, equipment failure or a DDoS attack. In the case of DDoS attacks, Peakflow SP can detect many kinds of threats, such as high-bandwidth-consuming TCP and UDP floods; connection-layer exhaustion attacks (e.g., idle TCP connections); or attacks that target specific applications, such as HTTP, VoIP or DNS. In fact, since a majority of the world’s Internet service providers use Peakflow SP, many consider it to be the de facto standard for carrier-grade DDoS attack detection and surgical attack mitigation.


In order for DNS attack detection and surgical mitigation to occur, the Peakflow SP solution relies upon the capabilities of one of its most vital components—Peakflow SP TMS. Peakflow SP TMS is a robust application-intelligent system for multi-service converged networks that speeds remediation by coupling high-level threat identification with packet-level analysis. Peakflow SP TMS provides visibility into critical applications running on the network (e.g., DNS, VoIP/SIP, HTTP, P2P); monitors key performance metrics (packet loss, delay, jitter); and delivers application-layer attack detection, surgical mitigation and reporting.

Peakflow SP TMS detects and surgically mitigates many different types of DNS attacks using specially designed DNS attack countermeasures such as:

  • DNS Authentication – This countermeasure can protect a customer’s network against spoofed-source attacks or unsophisticated attack tools. DNS authentication works to ensure that queries sent to a DNS server, resolver or authoritative server are in fact coming from a valid host.
  • DNS Query Rate Limiting – This countermeasure protects against attacks from legitimate hosts that are performing a high rate of DNS queries.
  • DNS Non-Existent Domain (NXDOMAIN) Rate Limiting – This countermeasure can protect against DNS cache poisoning and dictionary attacks. It monitors the response packets and looks for hosts that are sending requests that cause NXDOMAIN responses to be generated.
  • DNS Malformed Filtering – This countermeasure ensures that the DNS payload in TCP/UDP port 53 packets is present and is not simply a garbage packet sent to the DNS service.
  • DNS Regular Expressions (RegEx) – This countermeasure is a powerful way to look for a string of text in the payload of any DNS packet.
  • Packet Capture – In addition to the DNS-specific attack countermeasures, Peakflow SP TMS has the ability to conduct on-demand packet capture and protocol decode of DNS traffic.
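As an added illustration of the NXDOMAIN rate-limiting and malformed-filtering countermeasures listed above (example code written for this page, not Arbor’s Peakflow SP TMS implementation), the following Python flags clients whose queries generate more than a threshold of NXDOMAIN responses inside a sliding window, and checks that a port-53 payload actually carries a DNS header and a complete question section. The threshold, window, client addresses and response records are constructed assumptions.

```python
from collections import defaultdict, deque

NXDOMAIN = 3  # RCODE 3, Name Error (RFC 1035)

# Constructed sample responses: (epoch seconds, client IP, qname, rcode).
# 198.51.100.7 plays a client walking a name dictionary; 192.0.2.10 mistyped one name.
SAMPLE_RESPONSES = [
    (100.0, "192.0.2.10", "www.example.com.", 0),
    (100.4, "198.51.100.7", "a1.example.com.", NXDOMAIN),
    (100.5, "198.51.100.7", "a2.example.com.", NXDOMAIN),
    (100.6, "198.51.100.7", "a3.example.com.", NXDOMAIN),
    (101.0, "192.0.2.10", "typo.example.com.", NXDOMAIN),
    (101.2, "198.51.100.7", "a4.example.com.", NXDOMAIN),
    (101.3, "198.51.100.7", "a5.example.com.", NXDOMAIN),
]

def detect_nxdomain_abusers(responses, threshold=4, window_seconds=10.0):
    """Return {client: peak count} for clients exceeding `threshold` NXDOMAINs in any window."""
    recent = defaultdict(deque)  # client -> timestamps of its recent NXDOMAIN responses
    flagged = {}
    for ts, client, _qname, rcode in sorted(responses):
        if rcode != NXDOMAIN:
            continue  # only failed lookups count toward the limit
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window_seconds:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) > threshold:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged

def is_well_formed_dns(payload):
    """True only if the payload holds a 12-byte DNS header and a fully encoded question section."""
    if len(payload) < 12:
        return False
    qdcount = int.from_bytes(payload[4:6], "big")
    if qdcount == 0:
        return False  # a DNS message with no question is not a query we expect on port 53
    pos = 12
    for _ in range(qdcount):
        while True:  # walk <len><label> pairs up to the zero-length terminator
            if pos >= len(payload) or payload[pos] & 0xC0:
                return False  # truncated, or a pointer/extended label inside QNAME
            length, pos = payload[pos], pos + 1
            if length == 0:
                break
            pos += length
        pos += 4  # QTYPE and QCLASS must also be present
    return pos <= len(payload)
```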

In addition to DNS-specific attack countermeasures and protocol decode, Peakflow SP can produce real-time and historical DNS-related reports such as:

  • DNS Requests Type
  • Top FQDN Queries
  • Top Failed (NXDOMAIN) FQDN Queries
  • Top RDN Queries
  • Top Failed (NXDOMAIN) RDN Queries