GCN : February 2013
FEATURE: DENIAL OF SERVICE ATTACKS

Denial of service attacks against the Domain Name System increased by 170 percent from 2011 to 2012, according to a recent analysis of security trends, but despite this growth little has been done to guard against them.

DNS is a ubiquitous and promiscuous service that underlies much of the Internet's functions, mapping domain names to numerical IP addresses and relying on open, stateless protocols that have made it an easy target for DOS attacks.

Effective defense will require imposing rules for the types and numbers of queries and connections DNS servers will accept, said Carl Herberger, vice president of security solutions at Radware. "The technology is out there, but it is not common," said Herberger, who participated in the study.

To date, the common response to denial of service attacks against DNS has been overprovisioning capacity. But at some point this method becomes ineffective, as the number and sophistication of attacks increases. "We've gotten to that point," he said.

The increase in DNS attacks was noted in Radware's Global Application & Network Security Report for 2012. Although DNS attacks are not new, their use has grown over the past two years because the attacks bypass defenses against traditional distributed DOS attacks that overwhelm network resources with high volumes of malicious traffic.

DNS is a different type of network service because it relies on stateless protocols that can be used to deliver attacks without establishing connections and it is open to unqualified or unauthorized queries. And because a small query can generate a much larger response, attacks can be highly asymmetrical.

from unwanted or improper traffic. But while these steps can help reduce the attack surface, attacks still are possible and can quickly overwhelm resources.
And although a denial-of-service attack usually does not damage systems or steal information, neither are the attacking infrastructures affected by the defense; the attackers remain capable of launching another attack as soon as the guard is lowered.

MITIGATION AND DEFENSE

As with any response, "the first thing to do is have a plan," said Marc Gaffan, co-founder of Incapsula, a provider of cloud-based DDOS mitigation services. "Recognize the fact that you are a potential target, and have a plan in place."

US-CERT, in its advice to agencies, reminds that plans need to include contact information, both for outside resources such as ISPs, hosting providers and security vendors, but also for in-house security and network teams.

"Handling internal communications is of paramount importance in doing this well," said Quinn. Communications often break down in any emergency situation, and how smoothly the response is handled "has a huge impact beyond the technology used."

Having the proper processes and plans in place "is as important as having the right tools," said Arbor's Morales.

One decision that needs to be made when anticipating a DOS attack is to determine where responsibility for the response should reside. You might not want to treat it like other security incidents. "I tend to view the problem as focusing on availability," Quinn said. "I think it's better viewed as a disaster response or business continuity issue" than as an incident such as a breach or other hack.

If disaster response and security are handled by different teams in an organization, putting the wrong team in charge of a DOS attack could cost valuable time. "DOS is effectively a manmade disaster that affects continuity," said Dan Holden, Arbor's director of security engineering and response.

However you treat a DOS attack --- security event, disaster response or continuity of operations --- you need to recognize the attack to respond to it.
The focus should first be on the characteristics of traffic coming into your systems, rather than their impact. If you do not identify the attack until your resources have been overwhelmed and you are offline to legitimate users, the attack already has succeeded and you have lost precious time in responding.

This requires understanding the signatures and sources of malicious traffic. Blacklists of the IP addresses and domains of known bad actors can help, as can analysis of patterns to identify previously unknown sources of attacks. Malicious resources can be brought online quickly and moved to other platforms just as quickly, masking the source of an attack, so identifying attack traffic requires an understanding of the subtleties of the tools and techniques used.

INTEL ON HACKERS

This understanding comes from intelligence about hacker activities, and once again scale is the key. When it comes to intelligence, more is better, but it is not enough unless you have the resources to analyze and understand it, which can give a third party that specializes in security an advantage. Even something as simple as a blacklist requires resources to maintain properly.

Can DNS be protected from spikes in attacks?