Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:00 AM
Connect Directly

VeriSign Ups the DNS Ante

Tenfold capacity increase to DNS infrastructure, tighter security intended to blunt future DDOS attacks

VeriSign's decision today to beef up the capacity and security of its Domain Name Service (DNS) couldn't have come at a better time. (See VeriSign to Increase Capacity Tenfold.)

With this week's distributed denial-of-service (DDOS) attack on two of the Internet's 13 DNS root servers still fresh in everyone's minds and keeping Internet operators on the lookout for the other shoe to drop -- more heavily -- VeriSign had an especially sensitized audience for its announcement. Company officials say the upgrades had been in the works prior to the latest attack on the Internet's infrastructure. (See DNS Attack: Only a Warning Shot?.)

VeriSign will spend over $100 million in the expansion of its DNS infrastructure, in what it's calling Project Titan. The project, which is already underway, includes increasing VeriSign's daily DNS query capacity from 400 billion DNS queries per day to 4 trillion, and increasing bandwidth from over 20 Gbit/s to more than 200 Gbit/s, as well as distributing its server infrastructure to more locations for redundancy and the ability to isolate attacks locally. VeriSign runs two of the Internet's core root servers, which were spared in the recent DDOS attack.

Capacity is a key element in mitigating DDOS attacks, as is distributing servers geographically, since DDOS basically tries to drown DNS servers in bogus requests. Ken Silva, chief security officer at VeriSign, says the company will also enhance its security technologies with expanded anycasting, new network operations centers in Delaware and Europe, and next-generation monitoring and response systems that more proactively handle cyberthreats. The company unveiled its plans at the RSA Conference today in San Francisco.

Silva says VeriSign's buildout is a result of both the explosive growth of the Net -- expected to jump from 1 billion users today to 1.8 billion by 2010, thanks in part to an increase in Net-enabled wireless phones, VOIP, and IPTV -- and concerns about DNS security given the increase in these attacks.

"Nobody else is making an infrastructure investment like this... They are doing their [expansions] six to nine months out. We're looking at three to five years out," says Silva, who notes that VeriSign and other DNS root operators have been discussing how to best address the problem of the Net's growth as well as the growing bull's eye on DNS.

"You have to have the capacity and preparation for explosive growth in services and in attacks," he says.

Anycasting, the streaming of DNS queries to multiple severs so they don't get lost or clog a given server, was credited with helping mitigate the DDOS attack earlier this week.

Mark Jeftovic, founder and president of easyDNS Technologies, says VeriSign's buildout is part of a wider trend of DNS operators starting to build out their capacity as well as their mitigation strategies. "I know that commercial, second-level DNS providers like us, EveryDNS and DNS Made Easy, are all doing it. We've got to stay ahead of it now," he says.

EasyDNS uses a DOS-mitigation service provider Prolexic Technologies as well as more redundancy for its servers and plans to add more anycasting features soon, he says.

DNS has become a more popular target of late because it's tough to protect. It doesn't require a handshake between the attacker and the victim, notes VeriSign's Silva: "So you can put packets out there from any address, and the answers go off into the wild... And the attack can be repeated and amplified," he says.

Silva says VeriSign's DNS servers are attacked regularly, although it's not often publicized. The latest DNS attack, although not as big as one early last year on VeriSign's servers, he says, was only the tip of the iceberg. Some experts say it may have been a test-run for a larger attack.

"We have yet to see the biggest attack we're going to see," Silva warns. "We will see something much larger than what we've already seen. This was nothing but a warning and should be a wakeup call to all operators that the criticality of this infrastructure is such that we can't afford to be technology followers -- we have to be leaders."

And there are other threats related to DNS besides DDOS, he says. "In the long-term there are a number of DNS-related attacks that are not directed at DNS -- phishing and pharming, for example -- and we will be addressing them in our research and development efforts."

Still, the DNS root server is a very fragile target on the Internet. EasyDNS's Jeftovic says DNS name servers are hit regularly and it's so common that it rarely "makes the news anymore." But when a root server is knocked down, "it's game over," he says.

"If you knock down a root for a given top-level domain, it goes dark," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • VeriSign Inc. (Nasdaq: VRSN)
  • EasyDNS

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 7/2/2020
    Ripple20 Threatens Increasingly Connected Medical Devices
    Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
    DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
    Dark Reading Staff 6/30/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-07-02
    Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
    PUBLISHED: 2020-07-02
    A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
    PUBLISHED: 2020-07-02
    In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
    PUBLISHED: 2020-07-02
    In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
    PUBLISHED: 2020-07-02
    In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.