DNS DDoS: Downtime is just the tip of the iceberg

Published On
March 5, 2025
By Donny Chong, Director Nexusguard

DDoS attacks come with significant financial costs for any organization, no matter the sector. The average cost of a service disruption is estimated to be in the region of £325,000 per attack, and any organization could be hit next. For telecom operators, however, the odds are slightly higher.

Over the last few years, the average number of attempted DDoS attacks on telecom providers has jumped from one or two to 100+ per day. Threat actors are increasingly targeting telecom providers as a gateway to disrupting not only their networks, but all organizations that rely on them. This favoring of providers as a target seems to be here to stay. As telcos rush to shore up their defenses, there's one weak point they should be paying particular attention to: the Domain Name System (DNS). As a DDoS target, it doesn't just cause downtime; it also brings some lesser-known hidden costs for organizations that fail to secure it.

DNS? That old thing?
DNS is a stalwart of the internet, underpinning every organization's internet presence. It's so heavily used that it's often taken for granted. More commonly known as the 'internet phonebook', it converts domain names as a human would read them (www.) into machine-friendly IP addresses (123.4.5.67). These translation requests (DNS queries) occur each time a website receives a visitor. And unlike most other systems that underpin the internet, DNS responds to every single request, without filtering or screening for legitimacy. While this does create a smoother internet experience, it also leaves a vulnerability open for threat actors to exploit.

Much like other DDoS attack vectors, DNS attacks often lead to extensive downtime that ultimately impacts business reputation and revenue. In extreme cases, these outages can contribute to customer dissatisfaction or even lead to legal action when Service Level Agreements (SLAs) are breached. In the case of telecom providers, who often have thousands of customers reliant on their networks, these effects can be catastrophic.

With the sheer amount of different DDoS vectors out there for attackers to choose from, mitigation is only becoming more complex. It’s no wonder that DNS often fails to make it into the top priorities, but many organizations fail to see the hidden costs this brings with it.

The rest of the iceberg
Because DNS lacks any built-in validation or screening processes, it's a popular target for threat actors, who can easily flood it with waves of illegitimate requests that can impact services. But these outages have unexpected consequences. While enterprise-grade systems are built to handle vast amounts of requests as part of day-to-day operations, their billing systems aren't so robust.

DNS service providers often operate on a pay-as-you-go basis, charging customers based on the total number of DNS requests received over the course of each billing cycle. Under normal circumstances, this is the most logical way to charge, with organizations only paying for what they use. However, during a DNS-based DDoS attack, organizations can receive request volumes that dwarf their usual totals, causing bills to increase drastically. Due to the nature of DNS, even malicious requests are treated the same as legitimate requests, adding to the monthly bill tally. So, even after DDoS-fuelled downtime and all the recovery has been dealt with, organizations could still be hit with vastly inflated DNS service bills.

Sounding the DNS alarm
While other DDoS attack vectors might hog the headlines, telecom providers shouldn't be blinded by the hype. Despite being less well-known, DNS attacks can bring not just downtime but additional bills to the damage tally after an attack. Telecom providers need to address their DNS defenses as a matter of urgency; they can't afford to push them further down the priorities. A quick fix now could save you, in more ways than one, later down the line.

Thankfully, shoring up DNS defenses isn't as tricky as you might fear. As with all cybersecurity, organizations need to start with the basics. For those without any protection, implementing rate-limiting and filtering services to screen out malicious requests and prevent them from reaching DNS servers in the first place will boost their security instantly. Not only will this prevent DNS-fuelled downtime, but it'll also prevent illegitimate requests from driving up DNS bills. And for those looking to take one step further, moving to a DNS provider with a flat-rate model could also be an avenue to consider to eliminate the threat of bloated bills.
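To make the billing effect of rate-limiting concrete, the following added example (not from the original article or from any vendor) runs a per-source token bucket over a constructed query stream and counts how many queries would still reach a per-query-billed DNS service. The rate, burst size, /24 grouping, addresses and traffic volumes are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict


class TokenBucket:
    """Permits `rate` queries per second on average, with bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            # Refill for the elapsed time, never above the burst ceiling.
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def prefix_of(src_ip):
    # Key on the /24 so a subnet cannot multiply its allowance by rotating hosts.
    return ipaddress.ip_network(f"{src_ip}/24", strict=False)


def billable_queries(queries, rate=5, burst=10):
    """Return (received, forwarded) for (timestamp, source_ip) pairs.

    `forwarded` is what reaches the per-query-billed DNS service."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    forwarded = sum(1 for ts, src in sorted(queries) if buckets[prefix_of(src)].allow(ts))
    return len(queries), forwarded


def sample_traffic():
    # Constructed 60-second sample: 20 ordinary resolvers in separate /24s at
    # 1 query/s each, plus one flooding subnet sending 500 queries/s.
    queries = []
    for sec in range(60):
        queries += [(float(sec), f"10.0.{i}.53") for i in range(20)]
        queries += [(sec + k / 500, f"198.51.100.{k % 254 + 1}") for k in range(500)]
    return queries


if __name__ == "__main__":
    received, forwarded = billable_queries(sample_traffic())
    print(f"received={received} forwarded={forwarded}")
```

On the constructed sample, 31,200 queries arrive and 1,509 are forwarded, with every query from the ordinary resolvers passing. Per-source buckets do not help when query sources are spoofed or widely distributed, so they are normally paired with an aggregate ceiling or upstream filtering.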

For telecom providers in particular, the defenses they choose to implement are secondary. What should come first is action, and now. With telecoms-targeted attacks on the rise, these already-expensive additional costs could skyrocket further if action isn’t taken – and with the solution right in front of you, why not use it?

Source: https://totaltele.com/dns-ddos-downtime-is-just-the-tip-of-the-iceberg/

Published By
Total Telecom
