2/8/2007 05:00 AM
VeriSign Ups the DNS Ante

Tenfold capacity increase to DNS infrastructure, tighter security intended to blunt future DDOS attacks

VeriSign's decision today to beef up the capacity and security of its Domain Name System (DNS) infrastructure couldn't have come at a better time. (See VeriSign to Increase Capacity Tenfold.)

With this week's distributed denial-of-service (DDOS) attack on two of the Internet's 13 DNS root servers still fresh in everyone's minds, and Internet operators braced for a larger follow-on attack, VeriSign had an especially sensitized audience for its announcement. Company officials say the upgrades had been in the works before the latest attack on the Internet's infrastructure. (See DNS Attack: Only a Warning Shot?.)

VeriSign will spend over $100 million in the expansion of its DNS infrastructure, in what it's calling Project Titan. The project, which is already underway, includes increasing VeriSign's daily DNS query capacity from 400 billion DNS queries per day to 4 trillion, and increasing bandwidth from over 20 Gbit/s to more than 200 Gbit/s, as well as distributing its server infrastructure to more locations for redundancy and the ability to isolate attacks locally. VeriSign runs two of the Internet's core root servers, which were spared in the recent DDOS attack.

Capacity is a key element in mitigating DDOS attacks, as is distributing servers geographically, since a DDOS attack essentially tries to drown DNS servers in bogus requests. Ken Silva, chief security officer at VeriSign, says the company will also enhance its security technologies with expanded anycasting, new network operations centers in Delaware and Europe, and next-generation monitoring and response systems that handle cyberthreats more proactively. The company unveiled its plans at the RSA Conference today in San Francisco.

Silva says VeriSign's buildout is a result of both the explosive growth of the Net -- expected to jump from 1 billion users today to 1.8 billion by 2010, thanks in part to an increase in Net-enabled wireless phones, VOIP, and IPTV -- and concerns about DNS security given the increase in these attacks.

"Nobody else is making an infrastructure investment like this... They are doing their [expansions] six to nine months out. We're looking at three to five years out," says Silva, who notes that VeriSign and other DNS root operators have been discussing how to best address the problem of the Net's growth as well as the growing bull's eye on DNS.

"You have to have the capacity and preparation for explosive growth in services and in attacks," he says.

Anycasting, which advertises a single DNS server address from multiple locations so that queries are routed to the nearest instance rather than being lost or piling up on one server, was credited with helping mitigate the DDOS attack earlier this week.

Mark Jeftovic, founder and president of easyDNS Technologies, says VeriSign's buildout is part of a wider trend of DNS operators starting to build out their capacity as well as their mitigation strategies. "I know that commercial, second-level DNS providers like us, EveryDNS and DNS Made Easy, are all doing it. We've got to stay ahead of it now," he says.

EasyDNS uses DOS-mitigation service provider Prolexic Technologies as well as additional redundancy for its servers, and plans to add more anycasting features soon, he says.

DNS has become a more popular target of late because it's tough to protect. A DNS query doesn't require a handshake between the attacker and the victim, notes VeriSign's Silva: "So you can put packets out there from any address, and the answers go off into the wild... And the attack can be repeated and amplified," he says.
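The property Silva describes, that a handshake-free protocol lets anyone send queries from a forged source address and have the answers (often much larger than the queries) land on someone else, is what response rate limiting (RRL) in authoritative servers such as BIND and NSD is built to counter. The sketch below is an added example, not VeriSign's or easyDNS's code: it models RRL's core rule, counting identical answers per source /24 and, above a threshold, "slipping" every second excess answer as a truncated reply (which a real resolver retries over TCP) while dropping the rest; thresholds, window and the sample traffic are constructed.

```python
"""Minimal response rate limiting (RRL) model for an authoritative DNS server."""
from collections import defaultdict
from ipaddress import ip_network

RATE_LIMIT = 5   # identical answers per window per /24 before limiting (constructed)
SLIP = 2         # every 2nd limited answer is sent truncated, the rest are dropped
WINDOW = 1.0     # seconds


class RRL:
    def __init__(self, limit=RATE_LIMIT, slip=SLIP):
        self.limit, self.slip = limit, slip
        # key -> [window_start, answers_in_window, limited_counter]
        self.buckets = defaultdict(lambda: [0.0, 0, 0])

    def decide(self, src_ip, qname, qtype, now):
        """Return 'answer', 'truncate' or 'drop' for a single query."""
        # Aggregate by /24 so an attacker cannot dodge the limit by varying
        # the low bits of the spoofed source address.
        net = ip_network(f"{src_ip}/24", strict=False)
        b = self.buckets[(net, qname.lower(), qtype)]
        if now - b[0] >= WINDOW:          # start a fresh window
            b[0], b[1], b[2] = now, 0, 0
        b[1] += 1
        if b[1] <= self.limit:
            return "answer"
        b[2] += 1
        # A truncated (TC=1) answer is tiny, so it gives no amplification,
        # yet a genuine client behind the address can still retry over TCP.
        return "truncate" if b[2] % self.slip == 0 else "drop"


# Constructed sample traffic: 20 ANY queries with the victim 203.0.113.7 as
# forged source, plus one ordinary A query from an unrelated resolver.
FLOOD = [("203.0.113.7", "example.com.", "ANY", 0.01 * i) for i in range(20)]
LEGIT = [("198.51.100.4", "www.example.com.", "A", 0.5)]


def run(queries, rrl=None):
    """Apply RRL in time order; return {(src_ip, decision): count}."""
    rrl = rrl or RRL()
    tally = defaultdict(int)
    for src, name, qtype, t in sorted(queries, key=lambda q: q[3]):
        tally[(src, rrl.decide(src, name, qtype, t))] += 1
    return dict(tally)


if __name__ == "__main__":
    for key, count in sorted(run(FLOOD + LEGIT).items()):
        print(key, count)
```

The flood's first five answers go out normally, the remaining fifteen are split into seven truncated replies and eight drops, and the legitimate query from a different network is unaffected.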

Silva says VeriSign's DNS servers are attacked regularly, although it's not often publicized. The latest DNS attack, although not as big as one early last year on VeriSign's servers, he says, was only the tip of the iceberg. Some experts say it may have been a test-run for a larger attack.

"We have yet to see the biggest attack we're going to see," Silva warns. "We will see something much larger than what we've already seen. This was nothing but a warning and should be a wakeup call to all operators that the criticality of this infrastructure is such that we can't afford to be technology followers -- we have to be leaders."

And there are other threats related to DNS besides DDOS, he says. "In the long-term there are a number of DNS-related attacks that are not directed at DNS -- phishing and pharming, for example -- and we will be addressing them in our research and development efforts."

Still, the DNS root servers remain a fragile target on the Internet. EasyDNS's Jeftovic says DNS name servers are hit so regularly that it rarely "makes the news anymore." But when a root server is knocked down, "it's game over," he says.

"If you knock down a root for a given top-level domain, it goes dark," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • VeriSign Inc. (Nasdaq: VRSN)
  • EasyDNS

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
