By EdgeCast’s Route DNS team
Just this past August, in the midst of political instability within Syria, The New York Times was defaced by means of a DNS attack (screenshot of nytimes.com above). This attack, for which the Syrian Electronic Army took credit, was not only embarrassing to The New York Times, it was expensive as well.
$383,760 in lost advertising revenue
Based upon a quarterly reported digital ad revenue of $51.2 million, The Washington Post estimated lost advertising revenues to The New York Times at $5.33 per second. CNN reported that the Syrian Electronic Army claimed to have “hobbled the Times’ news site for roughly 20 hours,” which resulted in a loss of digital advertising revenue to The New York Times of approximately $383,760.
A small, yet critical infrastructure piece
How did a major website such as The New York Times go down? Wouldn’t such a major media outlet have multiple layers of technical redundancy in place to handle any potential system fault or failure? In fact, The New York Times had neglected one small but critical portion of their infrastructure: DNS (Domain Name Service). By exploiting the DNS infrastructure supporting The New York Times, hackers brought the entire website to its knees.
The role of DNS
DNS, Domain Name Service, provides some basic Internet functions, such as translating a human-readable domain name to a machine-usable numeric IP address, as well as more advanced capabilities such as load balancing and policy-based routing. Unfortunately, most organizations tend to ignore their DNS providers, leaving themselves exposed to a variety of vulnerabilities ranging from social engineering to software bugs and DDoS attacks.
DNS records are often not protected with the same level of access control, such as two-factor authentication, as other parts of the infrastructure, making them vulnerable to social engineering attacks, including phishing. Servers running obsolete versions of DNS software are particularly vulnerable to attacks from well-known software exploits.
Mitigating risks, avoiding attacks
Modern DNS software, unfortunately not run by all providers across the Internet, has advanced capabilities for handling such attacks. Network providers often underprovision their DNS infrastructure, leaving themselves at risk of DDoS attacks. Without a large installed base of DNS hardware running Anycast, a provider’s DNS network can be taken offline during a DDoS attack, bringing the dependent websites down as well.
Have you taken a look at your DNS infrastructure recently? Is the investment that you’re making in DNS proportional to the rest of your website? Spending even a few minutes looking at how you’re handling DNS is well worth the investment if it prevents even just a few minutes of website outage.
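One concrete way to spend those few minutes is to compare the records your domain actually serves against a pinned baseline, so an unauthorized change is noticed quickly. The sketch below is an added example, not EdgeCast code; the domain, name servers, addresses and the `dig +noall +answer`-style sample text are all constructed, and the function names are hypothetical.

```python
# Added example: detect drift between observed DNS answers and a pinned baseline.
# All names and addresses are constructed (example.com, RFC 5737 ranges).

BASELINE = {
    ("example.com.", "NS"): {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    ("example.com.", "A"): {"192.0.2.10", "192.0.2.11"},
}

# Constructed sample in `dig +noall +answer` layout: name TTL class type rdata
OBSERVED = """\
example.com.  172800 IN NS ns1.dns-provider.example.
example.com.  172800 IN NS ns2.dns-provider.example.
example.com.  300    IN A  192.0.2.10
example.com.  300    IN A  198.51.100.77
"""

def parse_answers(text):
    """Group rdata by (owner name, record type), normalising case."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.lstrip().startswith(";"):
            continue  # skip blanks, comments and truncated lines
        name, _ttl, _cls, rtype = fields[:4]
        rdata = " ".join(fields[4:])
        records.setdefault((name.lower(), rtype.upper()), set()).add(rdata.lower())
    return records

def find_drift(baseline, observed):
    """Return findings for record sets that are missing or differ from baseline."""
    findings = []
    for key, expected in baseline.items():
        seen = observed.get(key)
        if seen is None:
            findings.append((key[0], key[1], "missing", ""))
            continue
        for value in sorted(seen - expected):
            findings.append((key[0], key[1], "unexpected", value))
        for value in sorted(expected - seen):
            findings.append((key[0], key[1], "absent", value))
    return findings

if __name__ == "__main__":
    for name, rtype, kind, value in find_drift(BASELINE, parse_answers(OBSERVED)):
        print(f"ALERT {name} {rtype}: {kind} {value}".rstrip())
```

In practice the observed text would come from scheduled queries against several independent resolvers, with any finding routed to whoever owns the registrar and DNS provider accounts.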