Network Operators Speak Out on the Status of DNS Security

Networking and Communications

Nov 20, 2013


Arbor Networks’ eighth annual Worldwide Infrastructure Security Report offers a clear view into today’s network security threats and mitigation techniques. The report is based on survey data from 130 network operators and service providers around the world. This document summarizes the survey responses of DNS operators, providing insight into their most critical security issues.
DNS Infrastructure Remains Vulnerable
Approximately 19 percent of respondents have no security group within their organizations with formal responsibility for DNS security. This lack of security personnel, along with the sizeable percentage of DNS operators reporting poor visibility and unrestricted recursive servers, creates an ideal environment for attackers to exploit.
DNS Traffic Visibility
When asked if they have good visibility of traffic into or out of their DNS infrastructure, 29 percent of respondents reported that they lack visibility at Layers 3 and 4, while 73 percent lack visibility at Layer 7 (Figure 1).
Arbor Special Report: Highlights from Arbor Networks’ eighth annual Worldwide Infrastructure Security Report

Key findings from DNS operators (figures as reported in the sections below):
- 19% have no dedicated group responsible for DNS security.
- 29% lack visibility into traffic on their DNS infrastructure at Layers 3 and 4, while 73% lack Layer 7 visibility.
- 21% permit unrestricted recursive lookups by their DNS servers.
- Over one-quarter reported customer-impacting DDoS attacks on their DNS infrastructure, over twice as many as last year.
- Nearly 41% witnessed DDoS attacks against their authoritative DNS servers, while 18% lack the visibility to know of such attacks.
- 18% saw DNS cache-poisoning attacks to or through their DNS infrastructure, while 38% lack the visibility to know of such attacks.
Figure 1: DNS Traffic Visibility (Source: Arbor Networks, Inc.). Survey respondents: 71% Yes, Layers 3/4 only; 27% Yes, Layer 7; 19% No.
DNS Recursive Lookups Restricted
While 79 percent of respondents have implemented the best practice of restricting recursive lookups by their DNS servers to queries located either on their own networks or on those of their end users, 21 percent have not yet done so. This is almost an identical result to last year’s survey. The lack of improvement has allowed large DNS reflective attacks to continue.
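The restriction described above is enforced in the resolver configuration (for example, a recursion ACL limited to the operator's own prefixes), but the visibility gaps reported throughout this document suggest operators should also confirm it from the resolver's own query log. The following is an added example, not part of Arbor's report: it parses constructed BIND-style query-log lines and flags recursion-desired queries arriving from clients outside the operator's prefixes; the prefixes, log lines and function names are assumed sample values.

```python
from __future__ import annotations
import ipaddress
import re

# Prefixes this operator serves. Constructed sample values from documentation
# address space; a real deployment loads the customer prefix list instead.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]

# Constructed log lines in a simplified BIND 9 query-log layout. The flags
# field carries the recursion-desired bit: '+' means RD set, '-' means RD clear.
SAMPLE_LOG = """\
client 192.0.2.10#53211 (www.example.com): query: www.example.com IN A +E (192.0.2.1)
client 198.51.100.7#4444 (example.com): query: example.com IN ANY +E (192.0.2.1)
client 2001:db8::1#5353 (example.net): query: example.net IN AAAA + (2001:db8::53)
client 203.0.113.9#9000 (example.org): query: example.org IN TXT -E (192.0.2.1)
client 203.0.113.9#9001 (isc.org): query: isc.org IN ANY +ED (192.0.2.1)
"""

LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[0-9a-fA-F.:]+)\)"
)

def is_on_net(addr: str) -> bool:
    """True if the client address falls inside one of the operator's prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)

def find_open_recursion(log_text: str) -> list[dict]:
    """Return recursion-desired queries that arrived from off-net clients.

    Each hit is a query a properly restricted resolver refuses. If the server
    answered, it is an open recursor usable as a reflector; 'amplifier' marks
    ANY queries, whose large answers matter most for amplification attacks.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query-log entries
        if m["flags"].startswith("+") and not is_on_net(m["src"]):
            hits.append({
                "client": m["src"],
                "qname": m["qname"],
                "qtype": m["qtype"],
                "amplifier": m["qtype"] == "ANY",
            })
    return hits
```

On the sample log this reports the two ANY queries from off-net clients; the on-net queries and the off-net iterative (RD clear) query are not flagged.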
Customer-Impacting DNS Attacks
Over one-quarter of respondents experienced customer-impacting DDoS attacks on their DNS infrastructure during the survey period, compared to just 12 percent last year. Sixteen percent lack the visibility to know if they experienced such attacks.
DDoS Attacks Against Authoritative and Recursive DNS Servers
Nearly 41 percent of respondents experienced DDoS attacks against their authoritative DNS servers, while 25 percent experienced attacks against their recursive DNS servers during the survey period. This year’s responses indicate a significant increase over last year, with attacks against recursive servers rising from 20 percent to 25 percent. Interestingly, over 18 percent of respondents do not know whether they experienced such attacks during the survey period.
DNS Cache-Poisoning Attacks
Eighteen percent of respondents experienced DNS cache-poisoning attacks directed to or through their DNS infrastructures during the survey period. Surprisingly, 38 percent do not know whether or not they experienced these attacks—revealing a serious gap in DNS server traffic visibility.
Issues with DNSSEC Functionality
Just over half of respondents did not observe any issues with DNSSEC functionality due to the lack of EDNS0 and/or TCP/53 DNS support on the Internet at large, improving slightly over last year’s 46 percent. However, 35 percent reported insufficient visibility to make this determination—indicating a serious gap in DNS traffic analysis capabilities for over one-third of respondents.
Impact of DNS Response Sizes on DDoS Attack Amplification
Nearly half of respondents do not believe that drastically increased DNS response sizes have resulted in larger, more damaging DNS reflection/amplification attacks. As noted in last year’s report, DDoS attack amplification leveraging DNSSEC has been observed in the wild, in contrast with respondent views. This contradiction may be due to a lack of Layer 7 DNS traffic visibility, as mentioned earlier.
DNS Security Measures
Respondents use a variety of security measures and tools to protect their DNS infrastructure from DDoS attack. Over 53 percent have deployed an intelligent DDoS mitigation system (IDMS). Over two-thirds have employed iACLs, with significant numbers also using firewalls, IPS/IDS and other measures.
Much of the Internet’s DNS infrastructure remains open and unprotected—characterized by a lack of dedicated security personnel, poor traffic visibility and unrestricted access to DNS recursors. Yet security threats against DNS infrastructure are serious—and growing. The largest DDoS attack (60 Gbps) reported by respondents this year targeted DNS infrastructure. What’s more, over twice the number of respondents this year experienced customer-impacting DDoS attacks on their DNS infrastructure compared to last year.
© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.