The Research and Education Networking Information Sharing and Analysis Center, or REN-ISAC, recently issued an alert to administrators and IT staffers at some of the world’s most notable institutions of higher learning that urges them to take the matter of securing DNS seriously.
The REN-ISAC alert cites the recent Spamhaus attack as a perfect example of why DNS configuration should be a priority, if only to prevent the institution from becoming an unwitting accomplice to similar attacks in the future – and given the success of the last one, it’s only a matter of time before it happens again.
“These attacks may exploit thousands of institutional DNS servers to create an avalanche of network traffic aimed at a third-party victim. The traffic sourced by any single institutional system may be small enough to go unnoticed at the institution; however, the aggregate experienced at the target can be crippling,” the advisory explains.
“To put that in context, most universities and organizations connect to the Internet at 1 Gbps or less. In this incident not only was the intended victim crippled, Internet service providers and security service providers attempting to mitigate the attack were adversely affected.”
Related Reading: Now is the Time for Source Address Validation
The advisory goes on the list seven things that institutions can do to harden their DNS deployments, but it’s a list that can be used by any organization with a need to strengthen their own infrastructure.
First and foremost, the main piece of advice centers on limiting recursive resolvers, as “it is absolutely critical all university recursive resolvers are properly configured so they only answer queries for the local users they’re meant to be serving,” the advisory states. One way of doing this, the advisory says, by limiting access to the recursive resolvers to only the enterprise’s IP addresses.
Further advice includes rate limiting authoritative name servers, and using router ACLs so that queries from the outside can only go to permitted authoritative name servers. This “mitigates risk from various uncontrolled devices, such as Internet appliances that have an embedded DNS service.”
The full advisory, along with additional resources, is available online.
Related Reading: Now is the Time for Source Address Validation
Related Reading: Dutchman Arrested in Spain for ‘Biggest Ever’ Cyberattack
Related Reading: Cyberattack Capable of Downing Entire Internet Is Unlikely
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- Microsoft Will Pay $20M to Settle US Charges of Illegally Collecting Children’s Data
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
