Innovation comes with its own set of challenges, one of which is explaining it in layman’s terms. As I was going through the end-of-quarter success stories, asking our sales team why they won the deals they closed, I found this extraordinary analogy for our secure DNS offerings from one of our field specialists, Anton Holleman.
Anton explained how, as a kid, he often slept in the back seat of the car on trips with his family, without any seat belt. It was pretty common practice, and his parents were not really concerned about or aware of the safety implications. Then Volvo introduced the concept of seat belts, and they became the norm. Today no one buys cars without them.
This is a good analogy for the state of awareness that organizations today have about distributed denial of service (DDoS) attacks and how to guard against them. There is a lack of awareness of the need to secure DNS infrastructure and, perhaps, of the ability to do so. I see so much confusion in customer conversations, as people tend to lump all types of DDoS into one big bucket and expect a magic solution to solve it. Some feel that a single-vendor DDoS solution will suffice. Others think that disastrous downtime from DDoS attacks is something that happens only in the newspapers or movies, and that they are safe.
As enterprises face the reality of the DDoS threat, here are some things they should keep in mind about the diversity of attack types.
DDoS Attacks Happen at Different Layers.
This guide from the National Cybersecurity and Communications Center shows how DDoS can impact different areas of the OSI stack. In a recent article in CSO Online, Antone Gonsalves offers some perceptive comments on how DDoS attackers are using different techniques. The most recent report from Prolexic points to the same fact.
If you think of it in a slightly different way, DDoS is just a symptom of the problem and not the cause. DDoS is the result of exploiting the most commonly used protocols, like DNS, Chargen, and NTP. And while all of these protocols have been around for a while, it’s only in recent times that we have seen them exploited to generate a blizzard of traffic resulting in a DDoS. Thanks to the power of cloud computing and botnets!
DNS Is a High-profile, Highly Vulnerable Target.
Why is the DNS protocol so popular with attackers? Because everybody depends on it in the Internet Age, and because it is vulnerable in more ways than one:
- It is asymmetric and easy to amplify.
- It is UDP based and easy to spoof.
- It is the fabric of the Internet and wide open in most firewalls.
In other words, it is the Achilles heel of the enterprise. Running your DNS servers without adequate protection against all the various types of DDoS attacks is a lot like barreling down the freeway at 70 miles per hour with your toddler in the back seat and no seat belt on.
My advice? Protect what matters most. And don’t assume that all DDoS attacks are high-volume, bandwidth-based assaults that fill up the WAN link. There are many different kinds of DDoS attacks, and you need to defend against all of them.