One year since the Dyn attack: Have attitudes to DNS security changed?
One year since the Dyn attack: Have attitudes to DNS security changed?

This month marks ten years since the huge scale attack on internet performance management company Dyn, which brought down sites including online giants Twitter, Amazon, AirBnB, and Spotify.

 

With Dyn controlling a large portion of the internet's domain name system (DNS), the distributed denial of service (DDoS) attack managed to disrupt much of the Internet.

 

At the time, many experts in the space pointed out that the attack highlighted that DNS is an extremely vulnerable threat vector. The fact that an attack on a singular provider had such a widespread impact illustrated the vulnerability of a hyper-connected and concentrated ecosystem.

 

The attack was so disruptive because some businesses relied entirely on a cloud-based DNS service and didn't put in place a backup plan. While a cloud-first strategy often makes sense, applying it in all situations or in isolation without a plan B does not. Say you invest in one DNS provider like Dyn - perhaps someone has a vendetta against Twitter and decides to take Twitter down through its DNS services. You and all of the cloud provider's customers, who you probably weren't even aware of until this point, are then caught in Twitter's dragnet. For this reason, one ‘big fish' attack can easily take down the entire pond.

 

Have attitudes changed?

 

Twelve months on, Infoblox researched the behaviour and opinions of over 1,000 security and IT professionals worldwide, to see if last year's major attack served as a wake-up call.

 

The results were disappointing – despite the disruption last year, just 11 percent of companies have dedicated security teams managing DNS, showing DNS security is still not the priority it needs to be. IT leaders admitted that 86 percent of their DNS solutions failed to first alert teams of an occurring DNS attack, and nearly one-third of professionals doubted their company could defend against the next DNS attack.

 

DNS is the one of the most critical services in a business' infrastructure. Without DNS, almost all business applications and services are unreachable, bringing businesses to a grinding halt and impacting revenue, brand, reputation and customer satisfaction.

 

Yet, Infoblox research shows that businesses are continuing to fall victim to DNS attacks. Three out of 10 companies had already been victims of DNS attacks. Of those, 93 percent had suffered downtime as a result of their most recent DNS attack.

Once websites are rendered inaccessible, all digital business and revenue comes to a halt, while internal resources are redirected to resolving the attack rather than driving the business. As a result, many of those Infoblox researched had experienced a significant impact to their bottom line; 24 percent of companies lost £75,000 or more from their last DNS attack and 54 percent lost £35,000 or more. Destruction from these DNS attacks also came in the form of reputation damage; 20 percent of companies were first alerted to DNS attacks by customer complaints, meaning it had already impacted their business, reputation and customer satisfaction, before businesses were even aware of it.

As part of Infoblox research, companies who had never experienced a DNS attack were queried and it was found that just 26 percent of those considered DNS security to be their top security focus. Interestingly, the same question was asked of those who had fallen victim to a DNS attack and over 70 percent listed DNS security as their number one priority. It's concerning to see that businesses are taking such a reactionary approach, failing to prioritise DNS security until their company has been attacked and suffered a tangible business loss. Unless today's organisations begin moving to a proactive approach, DDoS attacks such as the one on DNS provider Dyn will become more pervasive.

Time to prioritise DNS

While the Dyn attack served as dramatic proof of the effects of DNS attacks, one year on we're still seeing companies neglect DNS security. The issue is that most organisations regard DNS as simply plumbing rather than critical infrastructure that requires active defence. If we don't see a fundamental shift in business attitudes to DNS, it will remain one of our most vulnerable Internet systems, and we'll continue to see events like last year's Dyn attack wreaking havoc on a global scale.

Contributed by Dr Malcolm Murphy, technology director, Western Europe at Infoblox

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.