VeriSign's decision today to beef up the capacity and security of its Domain Name Service (DNS) couldn't have come at a better time. (See VeriSign to Increase Capacity Tenfold.)
With this week's distributed denial-of-service (DDOS) attack on two of the Internet's 13 DNS root servers still fresh in everyone's minds and keeping Internet operators on the lookout for the other shoe to drop -- more heavily -- VeriSign had an especially sensitized audience for its announcement. Company officials say the upgrades had been in the works prior to the latest attack on the Internet's infrastructure. (See DNS Attack: Only a Warning Shot?)
VeriSign will spend over $100 million in the expansion of its DNS infrastructure, in what it's calling Project Titan. The project, which is already underway, includes increasing VeriSign's daily DNS query capacity from 400 billion DNS queries per day to 4 trillion, and increasing bandwidth from over 20 Gbit/s to more than 200 Gbit/s, as well as distributing its server infrastructure to more locations for redundancy and the ability to isolate attacks locally. VeriSign runs two of the Internet's core root servers, which were spared in the recent DDOS attack.
Capacity is a key element in mitigating DDOS attacks, as is distributing servers geographically, since DDOS basically tries to drown DNS servers in bogus requests. Ken Silva, chief security officer at VeriSign, says the company will also enhance its security technologies with expanded anycasting, new network operations centers in Delaware and Europe, and next-generation monitoring and response systems that more proactively handle cyberthreats. The company unveiled its plans at the RSA Conference today in San Francisco.
Silva says VeriSign's buildout is a result of both the explosive growth of the Net -- expected to jump from 1 billion users today to 1.8 billion by 2010, thanks in part to an increase in Net-enabled wireless phones, VOIP, and IPTV -- and concerns about DNS security given the increase in these attacks.
"Nobody else is making an infrastructure investment like this... They are doing their [expansions] six to nine months out. We're looking at three to five years out," says Silva, who notes that VeriSign and other DNS root operators have been discussing how to best address the problem of the Net's growth as well as the growing bull's eye on DNS.
"You have to have the capacity and preparation for explosive growth in services and in attacks," he says.
Anycasting, the streaming of DNS queries to multiple servers so they don't get lost or clog a given server, was credited with helping mitigate the DDOS attack earlier this week.
Mark Jeftovic, founder and president of easyDNS Technologies, says VeriSign's buildout is part of a wider trend of DNS operators starting to build out their capacity as well as their mitigation strategies. "I know that commercial, second-level DNS providers like us, EveryDNS and DNS Made Easy, are all doing it. We've got to stay ahead of it now," he says.
EasyDNS uses DOS-mitigation service provider Prolexic Technologies, as well as more redundancy for its servers, and plans to add more anycasting features soon, he says.
DNS has become a more popular target of late because it's tough to protect. It doesn't require a handshake between the attacker and the victim, notes VeriSign's Silva: "So you can put packets out there from any address, and the answers go off into the wild... And the attack can be repeated and amplified," he says.
Silva says VeriSign's DNS servers are attacked regularly, although it's not often publicized. The latest DNS attack, although not as big as one early last year on VeriSign's servers, he says, was only the tip of the iceberg. Some experts say it may have been a test-run for a larger attack.
"We have yet to see the biggest attack we're going to see," Silva warns. "We will see something much larger than what we've already seen. This was nothing but a warning and should be a wakeup call to all operators that the criticality of this infrastructure is such that we can't afford to be technology followers -- we have to be leaders."
And there are other threats related to DNS besides DDOS, he says. "In the long term there are a number of DNS-related attacks that are not directed at DNS -- phishing and pharming, for example -- and we will be addressing them in our research and development efforts."
Still, the DNS root server is a very fragile target on the Internet. EasyDNS's Jeftovic says DNS name servers are hit regularly and it's so common that it rarely "makes the news anymore." But when a root server is knocked down, "it's game over," he says.
"If you knock down a root for a given top-level domain, it goes dark," he says.
Kelly Jackson Higgins, Senior Editor, Dark Reading