Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

2/8/2007
05:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

VeriSign Ups the DNS Ante

Tenfold capacity increase to DNS infrastructure, tighter security intended to blunt future DDOS attacks

VeriSign's decision today to beef up the capacity and security of its Domain Name Service (DNS) couldn't have come at a better time. (See VeriSign to Increase Capacity Tenfold.)

With this week's distributed denial-of-service (DDOS) attack on two of the Internet's 13 DNS root servers still fresh in everyone's minds and keeping Internet operators on the lookout for the other shoe to drop -- more heavily -- VeriSign had an especially sensitized audience for its announcement. Company officials say the upgrades had been in the works prior to the latest attack on the Internet's infrastructure. (See DNS Attack: Only a Warning Shot?.)

VeriSign will spend over $100 million in the expansion of its DNS infrastructure, in what it's calling Project Titan. The project, which is already underway, includes increasing VeriSign's daily DNS query capacity from 400 billion DNS queries per day to 4 trillion, and increasing bandwidth from over 20 Gbit/s to more than 200 Gbit/s, as well as distributing its server infrastructure to more locations for redundancy and the ability to isolate attacks locally. VeriSign runs two of the Internet's core root servers, which were spared in the recent DDOS attack.

Capacity is a key element in mitigating DDOS attacks, as is distributing servers geographically, since DDOS basically tries to drown DNS servers in bogus requests. Ken Silva, chief security officer at VeriSign, says the company will also enhance its security technologies with expanded anycasting, new network operations centers in Delaware and Europe, and next-generation monitoring and response systems that more proactively handle cyberthreats. The company unveiled its plans at the RSA Conference today in San Francisco.

Silva says VeriSign's buildout is a result of both the explosive growth of the Net -- expected to jump from 1 billion users today to 1.8 billion by 2010, thanks in part to an increase in Net-enabled wireless phones, VOIP, and IPTV -- and concerns about DNS security given the increase in these attacks.

"Nobody else is making an infrastructure investment like this... They are doing their [expansions] six to nine months out. We're looking at three to five years out," says Silva, who notes that VeriSign and other DNS root operators have been discussing how to best address the problem of the Net's growth as well as the growing bull's eye on DNS.

"You have to have the capacity and preparation for explosive growth in services and in attacks," he says.

Anycasting, the streaming of DNS queries to multiple severs so they don't get lost or clog a given server, was credited with helping mitigate the DDOS attack earlier this week.

Mark Jeftovic, founder and president of easyDNS Technologies, says VeriSign's buildout is part of a wider trend of DNS operators starting to build out their capacity as well as their mitigation strategies. "I know that commercial, second-level DNS providers like us, EveryDNS and DNS Made Easy, are all doing it. We've got to stay ahead of it now," he says.

EasyDNS uses a DOS-mitigation service provider Prolexic Technologies as well as more redundancy for its servers and plans to add more anycasting features soon, he says.

DNS has become a more popular target of late because it's tough to protect. It doesn't require a handshake between the attacker and the victim, notes VeriSign's Silva: "So you can put packets out there from any address, and the answers go off into the wild... And the attack can be repeated and amplified," he says.

Silva says VeriSign's DNS servers are attacked regularly, although it's not often publicized. The latest DNS attack, although not as big as one early last year on VeriSign's servers, he says, was only the tip of the iceberg. Some experts say it may have been a test-run for a larger attack.

"We have yet to see the biggest attack we're going to see," Silva warns. "We will see something much larger than what we've already seen. This was nothing but a warning and should be a wakeup call to all operators that the criticality of this infrastructure is such that we can't afford to be technology followers -- we have to be leaders."

And there are other threats related to DNS besides DDOS, he says. "In the long-term there are a number of DNS-related attacks that are not directed at DNS -- phishing and pharming, for example -- and we will be addressing them in our research and development efforts."

Still, the DNS root server is a very fragile target on the Internet. EasyDNS's Jeftovic says DNS name servers are hit regularly and it's so common that it rarely "makes the news anymore." But when a root server is knocked down, "it's game over," he says.

"If you knock down a root for a given top-level domain, it goes dark," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • VeriSign Inc. (Nasdaq: VRSN)
  • EasyDNS

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
     

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 6/5/2020
    How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
    Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
    Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: What? IT said I needed virus protection!
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-13897
    PUBLISHED: 2020-06-07
    HESK before 3.1.10 allows reflected XSS.
    CVE-2020-13894
    PUBLISHED: 2020-06-07
    handler/upload_handler.jsp in DEXT5 Editor through 3.5.1402961 allows an attacker to download arbitrary files via the savefilepath field.
    CVE-2020-13895
    PUBLISHED: 2020-06-07
    Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes...
    CVE-2020-13890
    PUBLISHED: 2020-06-06
    The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard.
    CVE-2020-13889
    PUBLISHED: 2020-06-06
    showAlert() in the administration panel in Bludit 3.12.0 allows XSS.