Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:00 AM
Connect Directly

VeriSign Ups the DNS Ante

Tenfold capacity increase to DNS infrastructure, tighter security intended to blunt future DDOS attacks

VeriSign's decision today to beef up the capacity and security of its Domain Name Service (DNS) couldn't have come at a better time. (See VeriSign to Increase Capacity Tenfold.)

With this week's distributed denial-of-service (DDOS) attack on two of the Internet's 13 DNS root servers still fresh in everyone's minds and keeping Internet operators on the lookout for the other shoe to drop -- more heavily -- VeriSign had an especially sensitized audience for its announcement. Company officials say the upgrades had been in the works prior to the latest attack on the Internet's infrastructure. (See DNS Attack: Only a Warning Shot?.)

VeriSign will spend over $100 million in the expansion of its DNS infrastructure, in what it's calling Project Titan. The project, which is already underway, includes increasing VeriSign's daily DNS query capacity from 400 billion DNS queries per day to 4 trillion, and increasing bandwidth from over 20 Gbit/s to more than 200 Gbit/s, as well as distributing its server infrastructure to more locations for redundancy and the ability to isolate attacks locally. VeriSign runs two of the Internet's core root servers, which were spared in the recent DDOS attack.

Capacity is a key element in mitigating DDOS attacks, as is distributing servers geographically, since DDOS basically tries to drown DNS servers in bogus requests. Ken Silva, chief security officer at VeriSign, says the company will also enhance its security technologies with expanded anycasting, new network operations centers in Delaware and Europe, and next-generation monitoring and response systems that more proactively handle cyberthreats. The company unveiled its plans at the RSA Conference today in San Francisco.

Silva says VeriSign's buildout is a result of both the explosive growth of the Net -- expected to jump from 1 billion users today to 1.8 billion by 2010, thanks in part to an increase in Net-enabled wireless phones, VOIP, and IPTV -- and concerns about DNS security given the increase in these attacks.

"Nobody else is making an infrastructure investment like this... They are doing their [expansions] six to nine months out. We're looking at three to five years out," says Silva, who notes that VeriSign and other DNS root operators have been discussing how to best address the problem of the Net's growth as well as the growing bull's eye on DNS.

"You have to have the capacity and preparation for explosive growth in services and in attacks," he says.

Anycasting, the streaming of DNS queries to multiple severs so they don't get lost or clog a given server, was credited with helping mitigate the DDOS attack earlier this week.

Mark Jeftovic, founder and president of easyDNS Technologies, says VeriSign's buildout is part of a wider trend of DNS operators starting to build out their capacity as well as their mitigation strategies. "I know that commercial, second-level DNS providers like us, EveryDNS and DNS Made Easy, are all doing it. We've got to stay ahead of it now," he says.

EasyDNS uses a DOS-mitigation service provider Prolexic Technologies as well as more redundancy for its servers and plans to add more anycasting features soon, he says.

DNS has become a more popular target of late because it's tough to protect. It doesn't require a handshake between the attacker and the victim, notes VeriSign's Silva: "So you can put packets out there from any address, and the answers go off into the wild... And the attack can be repeated and amplified," he says.

Silva says VeriSign's DNS servers are attacked regularly, although it's not often publicized. The latest DNS attack, although not as big as one early last year on VeriSign's servers, he says, was only the tip of the iceberg. Some experts say it may have been a test-run for a larger attack.

"We have yet to see the biggest attack we're going to see," Silva warns. "We will see something much larger than what we've already seen. This was nothing but a warning and should be a wakeup call to all operators that the criticality of this infrastructure is such that we can't afford to be technology followers -- we have to be leaders."

And there are other threats related to DNS besides DDOS, he says. "In the long-term there are a number of DNS-related attacks that are not directed at DNS -- phishing and pharming, for example -- and we will be addressing them in our research and development efforts."

Still, the DNS root server is a very fragile target on the Internet. EasyDNS's Jeftovic says DNS name servers are hit regularly and it's so common that it rarely "makes the news anymore." But when a root server is knocked down, "it's game over," he says.

"If you knock down a root for a given top-level domain, it goes dark," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • VeriSign Inc. (Nasdaq: VRSN)
  • EasyDNS

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Tor Weaponized to Steal Bitcoin
    Dark Reading Staff 10/18/2019
    Data Privacy Protections for the Most Vulnerable -- Children
    Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
    State of SMB Insecurity by the Numbers
    Ericka Chickowski, Contributing Writer,  10/17/2019
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-10-23
    Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
    PUBLISHED: 2019-10-23
    XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal.
    PUBLISHED: 2019-10-23
    XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response cap...
    PUBLISHED: 2019-10-23
    An issue was discovered on TerraMaster FS-210 4.0.19 devices. An authenticated remote non-administrative user can read unauthorized shared files, as demonstrated by the filename=*public*%25252Fadmin_OnlyRead.txt substring.
    PUBLISHED: 2019-10-23
    An issue was discovered on TerraMaster FS-210 4.0.19 devices. An unauthenticated attacker can download log files via the include/makecvs.php?Event= substring.