South Africa, domain names and brands: the advantage of a simultaneous registration

The domain name is to the virtual what the brand is to the real. The reality is somewhat more complicated, but this short sentence is enough to link brands and domain names.

It is in the context of this shared vision that the South African trademark registration office, the CIPC, has developed a partnership with the registry of .ZA, South Africa's geographic extension.

Trademark applicants can thus choose the “domain name” option, registering both protections that way. This is the first collaboration I have seen between these kinds of registration office.

For more information, you can read the CIPC press release.

Note that a webinar is planned for Thursday, January 25, 2018.

A bad phishing story

In 2015, a phishing victim asked her bank to refund 3300€, the amount diverted by the fraudster. However, during the legal proceedings, the higher court (the Court of Cassation) overturned the October 2017 judgment of the local court, which had ordered the victim's bank to refund the amounts diverted by the phishing operation.

The reason for this reversal? The victim had deliberately communicated confidential data about her credit card by falling into the trap of a phishing e-mail (the scammer posed as the victim's telephone operator).

The reasoning behind the reversal is that the e-mail had neither a recipient name nor a sender name, and that the “rejected” or “unpaid” mention it carried was inaccurate. The victim could therefore have spotted the trap and refrained from communicating her banking details. The responsibility was hers, which cancels the bank's obligation to refund the stolen money.

Most phishing websites use domain names associated with an existing activity, or referring to one, in order to deceive users by inviting them to click on what look like links to legitimate websites. This increases the attackers' likelihood of success.

Phishing consists in retrieving personal data over the Internet through identity theft adapted to the digital medium.

While it is true that the fraudulent online payment was directly caused by the victim's negligence, she had communicated neither her credit card's confidential code nor the 6-digit 3D SECURE code sent to her by SMS to validate the payment. The victim blocked her credit card the same day, after receiving two 3D Secure messages.

In this case, however, the bank stated that it regularly raised its customers' awareness, alerting them to phishing risks and warning them never to communicate their confidential banking data.

The Court of Cassation therefore ruled that the victim had acted carelessly and could have avoided falling into the fraudster's trap.

Cyber threats rely heavily on web users' bad practices, as the SANS Institute confirms. The threats most frequently encountered in companies are phishing (72% of respondents), spyware (50%) and ransomware (49%).

According to the American company Webroot, about 1,385,000 unique phishing websites are created each month, with an impressive peak of 2.3 million in May 2017.

Be aware that these phishing websites stay active only for a very short period, between 4 and 8 hours at most, to avoid being tracked or blacklisted.

Of course, this case reminds us that vigilance is more crucial than ever!

A phishing attack more and more sophisticated

Recently, some Amazon users were the victims of a rather sophisticated phishing attack.

They received a fake e-mail purporting to come from Amazon, alerting them that someone had tried to log into their account and change their password. A six-digit code was included, with the instruction to call a number to verify the user's identity. If the users were not behind these actions, they were invited to follow a specific procedure to secure their account. When they called the supposed Amazon number, they reached a customer service department located abroad. During the call, they were asked to go to a website and enter the code, supposedly to secure the account.

The original post reproduced a copy of the phishing message.

Fortunately, many web users detected this phishing attack and did not fall into the trap. But for the others, were they victims of malware or of data theft?

All web users are targeted by these phishing attempts. They are part of our daily lives, but many brands raise their customers' awareness of these schemes (especially the banking industry, which is the favourite target of hackers).

To be continued.

The blockchain at the service of domain names
Photo’s author : Ethereum – Source : https://www.ethereum.org/assets

The case of the Ethereum Foundation and the “.ETH” extension.

Ethereum is a foundation created in 2015 by Vitalik Buterin, a 21-year-old Canadian. It aims to promote the Ethereum blockchain technology, created by this young computer engineer, which offers, in addition to a virtual currency like the Bitcoin blockchain, the possibility of creating applications that guarantee the traceability, inviolability and durability of the transactions they manage. To give as many people as possible access to these applications, the Ethereum Foundation recently presented the ENS, for “Ethereum Name Service”, and its corollary, the “.ETH” extension.

Back to blockchain technology

For the record, blockchain can be defined as “a technology for storing and transmitting information that is transparent, secure and operates without a central control body” (source: https://blockchainfrance.net/decouvrir-la-blockchain/c-est-quoi-la-blockchain/).

Take the Bitcoin blockchain: its purpose was to create a virtual currency. Its main interest lies in the absence of any central regulatory body, since it is controlled and managed by the community's members in a fully decentralized way. Every transaction carried out on the blockchain is recorded in a block, published in a ledger shared between the members. The recording of transactions in a block is carried out by “miners”, who check, register and secure the transactions in the blockchain. The database thus lists all transactions in blocks, forming a chain of blocks that is meant to be immutable and tamper-proof thanks to the use of electronic signatures, and that is replicated across the network, since it is decentralized.

The Ethereum blockchain also has its own currency, the Ether. But unlike Bitcoin, Ethereum's purpose was not to create a virtual currency: it extended the use of the blockchain to other applications, the “smart contracts”. Ether should therefore be seen less as a currency than as a consumable that allows users to exchange on the blockchain and to use the applications it hosts.

The “smart contracts” concept

Ethereum offers many possibilities for decentralized applications running on its blockchain. These smart contracts are defined by the Blockchain France website as “autonomous programs which, once started, automatically execute predefined conditions. They work like any conditional instruction of the ‘if – then’ type (if such a condition is verified, then such a consequence is executed)”.

Concretely, a smart contract is a decentralized application, developed in the Ethereum programming language (Solidity), which automatically executes predefined instructions once the required conditions are met, without the help of a third party and with the guarantee that no modification is possible. These programs run on the Ethereum blockchain and are checked and certified by its members.

The promise is thus to remove intermediaries through total decentralization, achieved by automating processes.

Among the possible applications, the Ethereum Foundation announced on May 4th 2017 the creation of the Ethereum Name Service, which allows domain names to be registered under the “.ETH” extension.

Name registration in “.ETH”

The Ethereum Name Service, or ENS, is the counterpart of the Internet's DNS, managed by ICANN, but unlike the latter, ENS does not rely on root servers: it relies on the multitude of servers and machines that are members of the Ethereum blockchain.

This is not a new registry that has created yet another extension, but rather an alternative conception of the Internet.

Indeed, ENS is attached neither to the global DNS, nor to the IANA organization, nor to ICANN. ENS is a naming system specific to the Ethereum blockchain.

Registering a domain name in “.ETH” works differently from classic domain name registration. It is a bidding system based on the anonymous deposit of a number of Ethers. In short, a request for a name opens a 72-hour period during which other people may bid. A second period of 48 hours then opens, during which each bidder must reveal their bid. The highest bidder wins the name registration and is refunded the difference between their bid and the second-highest bid; only the second-highest amount stays locked. These funds are kept in a contract for at least 1 year and can be withdrawn at the end of this period, provided the name is released. If the name receives only one bid, the winner is refunded the Ethers invested, except 0.01 Ether, corresponding to the minimum bid. According to the ENS developers, this system should prevent speculation on domain name registration.
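The auction mechanics described in the preceding paragraph, written out as code: 72 hours of blind bidding, 48 hours in which bids must be revealed, a second-price settlement in which only the runner-up's amount stays locked (a lone bidder locks the 0.01 Ether minimum), and a one-year lock that is released only with the name. This is an added illustration, not the ENS registrar's contract code; the bidders and amounts are constructed and the phase boundaries are simplified to whole hours.

```python
"""Settlement model for the ENS-style sealed-bid auction described in the text.
Added example, not ENS code; bidders and amounts below are constructed."""

from decimal import Decimal

MIN_BID = Decimal("0.01")        # minimum bid given in the text, in Ether
BID_PHASE_HOURS = 72             # open bidding period after the name request
REVEAL_PHASE_HOURS = 48          # period in which sealed bids must be revealed
LOCK_PERIOD_HOURS = 365 * 24     # "1 year minimum" before locked funds return


def auction_phase(hours_since_request):
    """Which phase a name auction is in, counted from the initial request."""
    if hours_since_request < 0:
        raise ValueError("auction has not started")
    if hours_since_request < BID_PHASE_HOURS:
        return "bidding"
    if hours_since_request < BID_PHASE_HOURS + REVEAL_PHASE_HOURS:
        return "reveal"
    return "finalizable"


def settle_auction(revealed_bids):
    """Second-price settlement.

    revealed_bids maps bidder -> amount in Ether (str or Decimal).  Only bids
    revealed during the reveal phase count; bids under the minimum are invalid
    and simply refunded.  Returns (winner, locked, refunds): `locked` is what
    stays in the contract against the name, `refunds` maps every bidder to the
    Ether returned to them immediately."""
    amounts = {b: Decimal(str(a)) for b, a in revealed_bids.items()}
    valid = {b: a for b, a in amounts.items() if a >= MIN_BID}
    refunds = dict(amounts)                      # default: everyone gets it back
    if not valid:
        return None, Decimal("0"), refunds
    ranked = sorted(valid.items(), key=lambda kv: kv[1], reverse=True)
    winner, top = ranked[0]
    # A lone bidder pays the minimum; otherwise the runner-up's bid is the price.
    locked = ranked[1][1] if len(ranked) > 1 else MIN_BID
    refunds[winner] = top - locked
    return winner, locked, refunds


def can_withdraw(hours_since_registration, name_released):
    """Locked Ethers come back only after the lock period, and only if the
    name is given up."""
    return name_released and hours_since_registration >= LOCK_PERIOD_HOURS


if __name__ == "__main__":
    # Constructed bids: alice wins and locks bob's price, the rest is refunded.
    print(settle_auction({"alice": "0.5", "bob": "0.2", "carol": "0.1"}))
    print(settle_auction({"dave": "1.0"}))        # lone bidder locks 0.01
```

The second-price rule is what makes the single-bid case in the text consistent with the multi-bid case: with no runner-up, the minimum bid plays the role of the second-highest bid.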

The system therefore needs no authority like ICANN, since the attribution of names is automated by a program distributed and secured on the blockchain.

Nevertheless, if you type a “.ETH” domain name into the address bar of a browser such as Google Chrome or Mozilla Firefox, an error page is displayed. Names registered in “.ETH” are not recognized by these browsers: since they are not part of the DNS, they are not recognized as domain names. Google Chrome extensions are offered to bridge the “Ethereum web” and the Internet as we know it.

Essentially, then, the names currently registered in “.ETH” are only usable on the Ethereum blockchain and therefore do not affect the general public.

Lastly, the primary use of ENS is, like the DNS, to allow users to read and remember an address more easily by giving it a meaning. The DNS translates an IP address into a legible address, the domain name.

Similarly, ENS translates an Ethereum user's address (a wallet address) such as “f14955b6f701a4bfd422dcc324cf1f4b5a466265” into “myfirstname.eth”.

For example, when a user wishes to send Ether to another user, they only need to know the recipient's domain name, not their address. These domain names currently have a fairly limited use, but may later serve to access future Ethereum applications.

The risks of “.ETH” for brand owners

Since current web browsers do not support this extension, it would seem that brand owners have no reason to worry.

However, many French and international brands are already “cybersquatted”: Ethereum users have won bids on brand names such as “samsung.eth” or “volkswagen.eth”, taking ownership of the name for one year.

At the end of this first year of registration, the owners may release these names to recover the Ethers locked with the name.

Risks cannot be ruled out in the near future if “.ETH” names become more common and offer interesting uses to the general public. Under this hypothesis, web browsers could natively integrate “.ETH”, just as they do “.COM” or “.XYZ”.

The owners of “.ETH” names reproducing registered trademarks could then seek to profit from their registration by exploiting the reputation or identity of these protected brands to divert traffic to their own products or services. They may also be competitors seeking to tarnish a rival's brand image.

In the ICANN system, the rules in force, in particular the UDRP procedures, address these risks after the fact by allowing brand owners to try to recover a domain name that unjustly uses their brand. The binding nature of these rules, accepted and respected by registrars, facilitates the enforcement of the decisions of the arbitration centres' experts, and thus the transfer of the domain name to its rightful owner.

In the ENS system, there is no central authority able to enact such rules. Furthermore, “.ETH” domain names have no real Whois record. To register such a name, one only needs Ethers and a wallet. The identity is hidden behind a sequence of characters, the fingerprint of a cryptographic key. It therefore seems difficult to know the real identity of a “.ETH” owner.

Moreover, unlike the current system, it seems difficult to establish territorial jurisdiction over “.ETH”. The blockchain is not linked to any territory: it is distributed across all its members' machines, and thus all around the world.

The solution may eventually come from the Ethereum users themselves. It cannot be excluded that an application will be created to check the legitimacy of a domain name owner against criteria defined in a program, such as the likelihood of confusion with a pre-existing brand and the good faith shown in the use of the name. A “popular jury” with voting rights could then decide the matter following a complaint from another member.

Disastrous consequences of a domain name non-renewal

Source of the image : SEO Link Building

The American telecommunications company Sorenson Communications forgot to renew a domain name for just a few days in June 2016. The decision came at the end of September 2017: Sorenson Communications has to pay a fine of 3 million dollars. Why such a high amount?

The domain name that had fallen back into the public domain carried a critical service for some users: the “Video Relay System” which telecommunications companies must provide to deaf people and people with speech disabilities, so that they can make video calls and reach the 911 US emergency number using sign language. Utah residents with these disabilities were unable to reach 911 for 3 days!

Sorenson Communications realized its omission rather late and only renewed the domain name 3 days later.

Yet this kind of omission is easily prevented with the “automatic renewal” option on your whole domain name portfolio. Your critical domain names, those carrying services, websites and/or mailboxes, will then not be interrupted by a simple forgotten renewal.

Of the $3 million fine, $252,000 goes to the Federal Communications Commission and $2.7 million to the Telecommunications Relay Services Fund, which had to find a temporary solution, renting bandwidth, during these 3 sensitive days.

The continuation of the Equifax case, or how the controls implemented in the context of an ISMS (ISO 27001) can help prevent security incidents


On October 3rd, 2017, Equifax's former CEO, Rick Smith, had to explain to the American Congress how the private data of almost one in two Americans could have been hacked.

Let us briefly recall the chronology of events (for more details, we invite you to read Adriana Lecerf's complete article):

  • March 9th, 2017: an Apache Struts flaw is detected. Less than a week later, the security patch is validated and scheduled, but it is not applied on all the servers.
  • March 15th, 2017: a scan is carried out but no vulnerability is detected.
  • April 2017: hackers take advantage of this breach (the security patch not applied on all the servers) and steal the precious data.
  • July 31st, 2017: the former CEO is informed of the data theft.
  • September 8th, 2017: official communication on the hack.

How can ISO 27001 certification and the establishment of an associated ISMS (Information Security Management System) help prevent this kind of incident?

The ISO 27001 standard is the reference for the validation and continuous improvement of an ISMS. It relies on 114 control points covering all the domains involved in establishing an ISMS, including the implementation of procedures and the platform update processes.

This includes the implementation and regular control of a risk management process aimed at ensuring data security. The main purpose of this management system is to take appropriate measures to reduce, or even eliminate, the impact of threats on users or customers.

The ISMS is a cycle of continuous improvement; in Equifax's case, the control processes established and tracked with an ISMS could have helped to prevent this kind of incident.

This case demonstrates once again the need to rethink the security strategy within companies and to implement the protocols needed to discover possible security flaws and apply the corrective actions.

Nameshield certified ISO 27001

CAA becomes mandatory in the small world of SSL

Or how to take advantage of it to implement a certification strategy specific to your company

In January 2013, a new type of DNS resource record appeared to improve the chain of control over SSL certificate issuance. This record, called CAA for Certificate Authority Authorization, specifies, for a given domain name, which Certification Authorities are authorized to issue certificates for it.

It is an extremely interesting creation, in particular for big companies and groups whose technical teams are scattered around the world and for which it is often difficult to enforce a global certification strategy. It is not unusual for companies to accidentally discover certificates requested by teams unaware of the processes or by external consultants, issued by Certification Authorities with a poor reputation, or with a low level of authentication (DV). Implementing CAA records on your domain names is a good way to control what the teams are doing, and the latest news from the SSL world will help you do it.

Indeed, although CAA was specified in RFC 6844 in 2013, until now a Certification Authority was not required to check whether it was authorized to issue a certificate for a given domain name, hence a certain uselessness of the record and very low adoption.

September 8th, 2017 – The CAA checking becomes mandatory

We had to wait until March 2017 and a positive vote of the CA/Browser Forum (ballot 187) for this verification to become mandatory. Since September 8th, Certification Authorities have been required to perform it, under threat of sanctions from the CA/Browser Forum and the browsers; the recent news about Google and Symantec has shown how much this is not in their interest.

Three scenarios can arise when this verification is performed on a given domain name:

  • A CAA record exists and names the Certification Authority: it may issue the certificate.
  • A CAA record exists and names a different Certification Authority: it may NOT issue the certificate.
  • No CAA record exists: any Certification Authority may issue an SSL certificate.

Note that several CAA records can be declared for a given domain name. A simple tool (among many others) for testing your domain name is available online: https://caatest.co.uk/
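The three scenarios above, together with the rule that several records may exist, written out as the check a CA performs. The lookup follows RFC 6844: start at the requested name and climb towards the root; the first name that publishes CAA records decides, and a wildcard request prefers `issuewild` records over `issue` ones. This is an added example against a constructed in-memory zone, not a Nameshield tool; it performs no DNS queries, and the CNAME/DNAME following a real check also does is left out.

```python
"""CAA issuance check (RFC 6844 lookup and issue/issuewild semantics) against a
constructed in-memory zone.  Added example, not the page's or any CA's code."""

# Constructed CAA data: name -> list of (flags, tag, value).  Flags are kept
# for fidelity to the record format but are not interpreted here.
CONSTRUCTED_CAA = {
    "example.com": [
        (0, "issue", "ca-one.example"),               # ordinary certificates
        (0, "issuewild", "ca-two.example"),           # wildcard certificates only
        (0, "iodef", "mailto:security@example.com"),  # where to report violations
    ],
    "locked.example.com": [
        (0, "issue", ";"),   # ";" alone: no CA at all may issue for this name
    ],
}


def lookup_caa(name, zone_data):
    """Return the relevant CAA record set for `name` (RFC 6844, section 4):
    the records at the name itself or, failing that, at its closest ancestor
    that publishes any.  Empty list when nothing is found up to the root."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        records = zone_data.get(".".join(labels), [])
        if records:
            return records
        labels = labels[1:]
    return []


def authorised_issuers(records, wildcard):
    """Issuer domains named by the records that apply to this request.
    For a wildcard request, issuewild records take precedence over issue
    records when any exist.  Returns None when no applicable tag is present."""
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    values = [v for _, t, v in records if t == tag]
    if not values:
        return None
    issuers = set()
    for value in values:
        # Parameters may follow the issuer domain after ";" (for example
        # "ca.example; account=123"); only the domain identifies the CA.
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer:
            issuers.add(issuer)
    return issuers


def may_issue(ca_domain, name, zone_data, wildcard=False):
    """Decide whether the CA identified by `ca_domain` may issue for `name`
    (or for "*.name" when wildcard=True).  Returns one of:
    "allowed"        - scenario 1: a CAA record names this CA
    "forbidden"      - scenario 2: CAA names another CA (or nobody, via ";")
    "not-restricted" - scenario 3: no CAA record anywhere up the tree"""
    records = lookup_caa(name, zone_data)
    if not records:
        return "not-restricted"
    issuers = authorised_issuers(records, wildcard)
    if issuers is None:
        # Records exist (e.g. only iodef) but none restrict this kind of
        # issuance; treated here as not restricting.
        return "not-restricted"
    if ca_domain.lower() in issuers:
        return "allowed"
    return "forbidden"


if __name__ == "__main__":
    for ca, host, wild in [("ca-one.example", "www.example.com", False),
                           ("ca-two.example", "www.example.com", False),
                           ("ca-two.example", "example.com", True),
                           ("ca-one.example", "locked.example.com", False),
                           ("anyone.example", "nocaa.example", False)]:
        label = ("*." if wild else "") + host
        print(ca, label, "->", may_issue(ca, host, CONSTRUCTED_CAA, wild))
```

The `www.example.com` cases show why a single record at the apex governs the whole name tree below it, and the `locked.example.com` entry shows the `;` value that forbids issuance outright, a useful setting for names that should never carry a certificate.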

How can my company benefit from CAA?

If it has not already been done, the introduction of CAA checking is the opportunity for your company to define a certification strategy and to be able to ensure that it is complied with.

Defining one (or several) Certification Authorities matching your values and your expectations in terms of service quality is the first step.

This requires bringing together the marketing stakeholders, to validate the impact on how websites are displayed, and the technical departments, to check the quality of the chosen provider. The CAA records then need to be declared in the various zones of your domain names.

It is then important to communicate with all operational staff so that they are aware of the rules imposed within the company, so as not to block them when they need to obtain a certificate.

Indeed, Nameshield's experience shows that SSL certificates are often requested in a hurry; moreover, the latest browser versions are unforgiving towards certificate errors, conspicuously displaying “not secure”. Consequently, blocking the issuance of a certificate because the message did not get through can be damaging.

Such a strategy offers real advantages in controlling certificates, in marketing, technically, in risk control and in the costs associated with certificates. It must be conducted with full knowledge of the facts, and our team of SSL experts can assist you in doing so.

Equifax victim of a massive cyberattack

The American company Equifax, based in Atlanta and present in 24 countries, has fallen prey to a particularly worrying cyberattack.

Equifax collects and analyzes the personal data of consumers applying for credit. At the beginning of September, the company revealed an intrusion into its database.

This hack could potentially concern around 143 million American consumers, as well as many credit applicants in other countries such as Canada or Great Britain. The criminals exploited a flaw in a web application between mid-May and July. They obtained names, social security numbers, birthdates, addresses and some driving licence numbers. This data theft is really worrying.

This information will facilitate identity fraud and account takeover. In the United States, the social security number is needed to work, open a bank account or obtain a driving licence, and usually to rent an apartment. Some of the data might already be on sale on the Dark Web (the part of the Web not indexed by general search engines).

This attack strikes directly at the heart of Equifax's identity and activity. The company has set up a website (www.equifaxsecurity2017.com) and a phone number for its customers, and hired a security company to assess the damage.


All companies should see this attack as a warning. It is proof that companies can struggle to see what is happening inside their own computer networks. New attacks, more sophisticated every day, increasingly go unnoticed.

Moreover, Equifax says it discovered the attack on July 29th. Yet the customers were only informed at the beginning of September: an abnormal delay for data this sensitive. Today, that data has vanished into thin air.

This large-scale hack is far from the first. Last year, the Yahoo group announced that one billion accounts had been hacked, while other American companies such as the Adult Friend Finder website or the retail group Target have also been victims of hacking. Those thieves did not gain access to social security numbers or driving licences, though.

This attack only reinforces the need for companies to consider, in their security strategy, all the flaws likely to serve as an entry point for cybercriminals.

The 3 most common DNS attacks and how to defeat them

In October 2016, many popular websites such as Amazon, Twitter, Netflix and Spotify became unavailable to millions of web users in the United States for almost 10 hours, i.e. an eternity. The cause: one of the most powerful attacks in the history of the Internet, aimed at the DNS services of Dyn, a major player in this sector.

Other companies such as Google, The New York Times and many banks have also been the victims of various kinds of attacks targeting the DNS in recent years. While the DNS remains forgotten in many companies, things are moving towards an awareness forced by these many attacks.

Attack #1: DNS cache poisoning and spoofing

The aim of DNS poisoning is to lead web users to a scam website. For example, a user types gmail.com into their browser to consult their mailbox. Because the DNS has been poisoned, it is not the gmail.com page that is displayed but a scam page chosen by the criminal, for example in order to steal the mailbox credentials. Users who enter the correct domain name will not see that the website they are visiting is not the right one but a fake.

This creates a perfect opportunity for cybercriminals to use phishing methods to steal information, whether login credentials or credit card details, from unsuspecting victims. The attack can be destructive, depending on many factors, including the attacker's intention and the reach of the DNS poisoning.

How do the hackers strike? By exploiting the DNS caching system.

DNS caching is used throughout the web to speed up loading times and reduce the load on DNS servers. Caching a web document (web page, images) reduces bandwidth consumption and the web server's load (the tasks it carries out), and improves the browsing speed experienced by the user. A web cache keeps copies of the documents that pass through it. Once a system has queried the DNS server and received an answer, it records the information in a local cache for faster reference during a given time, without having to look the information up again. The cache can answer repeated requests from its copies, without involving the original server.

This approach is used all across the web, routinely and in chains. A DNS server's records are used to populate the cache of another DNS server. That server is used to populate the DNS caches of network systems such as routers. Those records in turn populate the caches of local machines.

DNS poisoning occurs when one of these caches is compromised.

For example, if the cache of a network router is compromised, anyone using it can be redirected to a fraudulent website. The false DNS records then spread to the DNS caches on each user's machine.

This attack can also target higher links in the chain. For example, a major DNS server can be compromised, which damages the caches of the DNS servers run by Internet service providers. The “poison” can then reach their customers' systems and network equipment, redirecting millions of people to fraudulent websites.

Does that seem far-fetched? In 2010, many American web users could not access websites such as Facebook and YouTube because a DNS server at a high-level Internet service provider had accidentally picked up records from the Great Firewall of China (the Chinese government blocks access to these websites).

The antidote to this poison

DNS cache poisoning is very difficult to detect. It can last until the TTL (time to live, the validity time of an answer in the cache) of the cached data expires, or until an administrator notices and fixes the problem. Depending on the TTL, servers can take days to resolve the problem by themselves.

The best ways to prevent a DNS cache poisoning attack include regularly updating the software, reducing TTL values and regularly flushing the DNS caches of local machines and network systems.

For the registries that allow it, implementing DNSSEC is the best solution: it signs the domain name zones along the whole chain and makes a cache poisoning attack impossible.
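A small resolver-cache model for the two claims above: a forged record, once cached, answers every later query until its TTL runs out, so capping the TTL a cache will honour and flushing the cache both shorten the exposure. This is an added example with constructed records, not a real resolver and not Nameshield code. The bailiwick check at the end goes beyond the text: it is the classic rule by which a resolver refuses records for names the answering server has no authority over, which keeps one poisoned answer from planting records for unrelated names.

```python
"""Resolver cache model: TTL-bounded lifetime of a poisoned record, cache
flushing, and an out-of-bailiwick filter.  Added example; all records and
addresses are constructed (RFC 5737 documentation ranges)."""


class ResolverCache:
    """name -> (rdata, absolute expiry time in seconds)."""

    def __init__(self, ttl_cap=None):
        self._entries = {}
        self.ttl_cap = ttl_cap   # never keep a record longer than this, if set

    def store(self, name, rdata, ttl, now):
        if self.ttl_cap is not None:
            ttl = min(ttl, self.ttl_cap)
        self._entries[name.lower()] = (rdata, now + ttl)

    def lookup(self, name, now):
        entry = self._entries.get(name.lower())
        if entry is None:
            return None
        rdata, expiry = entry
        if now >= expiry:            # TTL elapsed: the entry is gone
            del self._entries[name.lower()]
            return None
        return rdata

    def flush(self):
        """The regular flushing of DNS caches that the text recommends."""
        self._entries.clear()


def served_addresses(ttl_cap=None, flush_at=None):
    """Simulate a forged gmail.com A record (constructed 198.51.100.66)
    entering the cache at t=0 with a 24-hour TTL, and report what the cache
    serves one minute, ten minutes and one day later.  `flush_at` flushes the
    cache from that time on, as an administrator would on noticing the poison."""
    cache = ResolverCache(ttl_cap=ttl_cap)
    cache.store("gmail.com", "198.51.100.66", ttl=86400, now=0)   # the poison
    results = []
    for t in (60, 600, 90000):
        if flush_at is not None and t >= flush_at:
            cache.flush()
        results.append(cache.lookup("gmail.com", now=t))
    return tuple(results)


def in_bailiwick(answer_name, zone_queried):
    """True when answer_name lies at or below the zone the server was asked about."""
    a = answer_name.lower().rstrip(".")
    z = zone_queried.lower().rstrip(".")
    return a == z or a.endswith("." + z)


def accept_records(zone_queried, records):
    """Drop records a server for zone_queried has no business answering for,
    e.g. a gmail.com A record smuggled into an answer from example.com's servers."""
    return [(n, r) for n, r in records if in_bailiwick(n, zone_queried)]


if __name__ == "__main__":
    print("no cap:   ", served_addresses())
    print("cap 300s: ", served_addresses(ttl_cap=300))
    print("flushed:  ", served_addresses(flush_at=100))
    print(accept_records("example.com", [("www.example.com", "192.0.2.1"),
                                         ("gmail.com", "198.51.100.66")]))
```

With no cap the poisoned address is still served ten minutes in and only disappears after the full day; a 300-second cap or a flush ends it at the second lookup, which is the effect the text describes.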

Attack #2: DNS amplification attack (a type of DDoS)

DNS amplification attacks are not threats against DNS systems themselves. Instead, they exploit the open nature of DNS services to increase the power of distributed denial of service (DDoS) attacks. These attacks are far from unknown, having targeted well-known websites such as BBC, Microsoft, Sony…

Hold on and amplify

DDoS attacks are generally carried out with the help of a botnet. The attacker uses a network of malware-infected computers to send massive traffic towards the target, such as a server. The aim is to overload the target and slow it down or crash it.

Amplification attacks add more power. Instead of sending traffic directly from the botnet to the victim, the botnet sends requests to other systems. Those systems reply by sending a much larger volume of traffic to the victim.

DNS amplification attacks are the perfect example. The attackers use a botnet to send thousands of lookup requests to open DNS servers. The requests carry a forged source address and are crafted to maximize the quantity of data returned by each DNS server.

The result: the attacker sends a relatively small amount of traffic from the botnet and the DNS servers generate a proportionally larger, “amplified”, volume. The amplified traffic is directed at the victim, whose systems collapse.

Detect and defend

Some firewalls can be configured to recognize and stop DDoS attacks as they occur by discarding the artificial packets trying to flood the systems on the network.

Another way to fight these DDoS attacks is to host your architecture on several servers. That way, if one server is overloaded, another will still be available. If the attack is weak, the IP addresses sending the traffic can be blocked. Furthermore, increasing the server's bandwidth can allow it to absorb an attack.

Many dedicated solutions also exist, designed exclusively to fight DDoS attacks.
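Detection from the open resolver's side, as an added example for the amplification mechanism and the "detect and defend" advice above (not Nameshield tooling). It computes the amplification factor the text describes, response bytes per query byte, and runs over a constructed query log to flag sources whose traffic has the signature of reflection: many queries, a very high aggregate response-to-query ratio, typically all of type ANY. The log format (timestamp, client IP, name, type, query bytes, response bytes) is an assumption; real resolvers log these fields in their own formats. Because the client address in such traffic is forged to be the victim's, what is flagged is the address being flooded, and the defender's response is to rate-limit or refuse recursion for that traffic rather than to treat the address as the attacker.

```python
"""Amplification-abuse detection over a constructed resolver query log.
Added example; the log format and thresholds are assumptions to be adapted."""

from collections import defaultdict

# Constructed sample log: a burst of ANY queries for one name from a single
# (spoofed) source, mixed with ordinary lookups.  Addresses are from the
# RFC 5737 documentation ranges.
CONSTRUCTED_LOG = """\
2017-09-08T10:00:00 198.51.100.7 example.net ANY 64 3200
2017-09-08T10:00:00 198.51.100.7 example.net ANY 64 3200
2017-09-08T10:00:01 198.51.100.7 example.net ANY 64 3200
2017-09-08T10:00:01 192.0.2.10 www.example.com A 52 92
2017-09-08T10:00:01 198.51.100.7 example.net ANY 64 3200
2017-09-08T10:00:02 198.51.100.7 example.net ANY 64 3200
2017-09-08T10:00:02 192.0.2.11 mail.example.com MX 54 140
2017-09-08T10:00:03 198.51.100.7 example.net ANY 64 3200
"""


def parse_log(text):
    """Yield one dict per log line (assumed six whitespace-separated fields)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype, qbytes, rbytes = line.split()
        yield {"ts": ts, "src": src, "qname": qname, "qtype": qtype,
               "qbytes": int(qbytes), "rbytes": int(rbytes)}


def amplification_factor(query_bytes, response_bytes):
    """Bytes reflected towards the victim per byte the attacker had to send."""
    if query_bytes <= 0:
        raise ValueError("query size must be positive")
    return response_bytes / query_bytes


def flag_sources(records, min_queries=5, min_ratio=10.0):
    """Return {src: summary} for sources whose traffic looks like amplification:
    at least `min_queries` queries whose aggregate response/query byte ratio is
    at least `min_ratio`.  Thresholds are constructed starting points; tune
    them against the resolver's normal traffic before acting on them."""
    per_src = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "any": 0})
    for r in records:
        s = per_src[r["src"]]
        s["queries"] += 1
        s["qbytes"] += r["qbytes"]
        s["rbytes"] += r["rbytes"]
        if r["qtype"] == "ANY":
            s["any"] += 1
    flagged = {}
    for src, s in per_src.items():
        ratio = amplification_factor(s["qbytes"], s["rbytes"])
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[src] = {"queries": s["queries"],
                            "ratio": round(ratio, 1),
                            "any_share": round(s["any"] / s["queries"], 2)}
    return flagged


def analyse(text=CONSTRUCTED_LOG):
    """Parse and flag in one step; returns the flagged-source summary."""
    return flag_sources(parse_log(text))


if __name__ == "__main__":
    for src, summary in analyse().items():
        print(src, summary)
```

On the constructed log the ordinary A and MX lookups stay well under the ratio threshold and are never flagged, while the ANY burst reaches a factor of 50, which is the "proportionally larger" volume the text describes arriving at the victim.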

Attack #3: DDoS attack on DNS

DDoS attacks can be used against many types of systems, including DNS servers. A successful DDoS attack against a DNS server can cause an outage that leaves users unable to browse the web. (Note: users may still reach websites they have recently visited, assuming the DNS record is still in a local cache.)

This is what happened to Dyn's DNS services, as described at the beginning of this article. The DDoS attack overloaded the DNS infrastructure, preventing millions of people from accessing major websites whose domain names were hosted there.

How do you defend yourself against these attacks? It all depends on your DNS configuration.

For example, do you host your own DNS server? In that case, there are measures you can take to protect it, such as applying the latest patches and only allowing local computers to access it.

Or are you trying to reach a DNS server that is under attack? In that case, you will probably have trouble connecting. That is why it is wise to configure your systems to rely on more than one DNS server: if the primary server stops answering, a backup server will be available.

Predict and reduce the attacks

DNS server attacks are a major risk of security for the network and have to be taken seriously. Companies, hosts and Internet services providers, implement backup measures to prevent and reduce the effects of this kind of attacks when they are the victims.

Following these attacks, ICANN has highlighted more strongly than ever the necessity to use the DNSSEC protocol to sign each DNS request with a certified signature, by ensuring that way the authenticity. This technology’s disadvantage is that it has to be implemented at every stages of DNS protocol in order to operate properly – which arrives slowly but surely.

Opt for hosted infrastructures and maintained by DNS experts. Make sure that the network is anycast (multiple points of presence distributed around the world or at least on your influence zones), beneficiates of anti-DDoS filter and offers you supplementary security solutions like DNSSEC but also failover, to integrate the DNS in your PCA and PRA.

Nameshield has its own DNS Premium infrastructure to meet its customers’ needs. This infrastructure meets (and even exceeds) all ANSSI requirements. The DNS Premium solution is included in the scope of our ISO 27001 certification.

Don’t hesitate to contact us with any questions regarding cyberattacks.

DNS – the big forgotten of Internet

“DNS continues to be one of the most targeted Internet services, and it remains the Achilles heel of global Internet infrastructure. DNS was not only the most heavily abused protocol for reflection/amplification DDoS attacks this year, but an attack targeting a specific DNS provider was also the cause of the most widespread Internet outage of 2016.” (Note: the October 2016 attack on the provider Dyn, which for about ten hours made a large part of the Internet in the USA inaccessible, notably affecting Twitter, eBay, Netflix, Amazon, PayPal…)

Arbor Networks Infrastructure Security Report – June 2017

But what is the DNS?


Because humans are better at remembering a name than a number, and because this is even more true when visiting a website, where the choice is between a domain name and an IP address, people created the DNS (Domain Name System, or service) to simplify their lives.

For example: I want to go to google.com; my browser asks the DNS for the IP address of the web server hosting google.com, obtains it, then connects to that server and downloads the page.

The DNS is a public, decentralized and distributed database that maps domain names to IP addresses. It has existed since 1985. It is part of what can be called Internet infrastructure, essential to its operation… and yet the DNS is invisible to the user.

The DNS has been massively adopted because it is practical. It simplifies users’ lives and lets them easily identify, differentiate, locate, memorize and share the domain name of a website associated with a brand. It has also been adopted on the other side of the mirror by network administrators, to identify and differentiate servers, which is even more true with IPv6, the multiplication of hosts and the arrival of the “everything connected”. Last but not least, the DNS allows them to change servers and IP addresses completely transparently for the web user.

The DNS is omnipresent within the Internet. Everyone must be able to access it; otherwise the Web stops working. This is what happened in 2016 to our American counterparts, who had to do without Twitter or frantic online shopping for almost 10 hours. The lost revenue and the impact on the brand image of the affected companies were significant.

But because it is invisible, everyone tends to forget it… and to realize it when it is too late.

Strategic services relying on the DNS, and the associated risks

Websites and email are two major services that systematically rely on DNS. Imagine that your website is unavailable for 1 minute, 10 minutes, 1 hour… and the consequences for your company: lost revenue, service interruption, damage to the brand image, loss of customers. And then the consequences of having no email over the same period…

If these two services are the most exposed, others also rely systematically on DNS: VPN, VoIP, instant messaging… with smaller but equally regrettable consequences for the operation of the company.

Attacks on DNS

Sadly, DNS servers are exposed to many potential attacks:

– Cache poisoning: making DNS servers believe they have received a valid answer to their query when it is in fact fraudulent. Once the DNS cache is poisoned, the cached information makes every user who relies on it vulnerable (they are sent to a fake website).

– Man in the middle: the attacker alters the DNS server(s) of the parties in order to redirect their communications through themselves without the parties noticing.

– DNS spoofing: redirecting web users, without their knowledge, to compromised websites.

– DDoS: DNS servers are increasingly targeted by DDoS attacks aimed at saturating them and preventing them from resolving the company’s key services.

And all these attacks have the same consequences: hijacking or stopping the company’s traffic.
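As an added example, not code from the Nameshield post, here is a minimal stub resolver in Python that applies the check a resolver makes against the cache-poisoning and spoofing attacks listed above (a reply must echo the transaction ID and the exact question that was sent, or it is dropped) and falls back to the next server when the first one times out or answers badly, as the DDoS article above recommends. The server addresses, the constructed reply builder and the hostnames are assumptions for illustration.

```python
import random
import socket
import struct

def build_query(name, qid=None):
    """Encode a DNS A query (RD=1, one question) in wire format; returns (packet, id)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1), qid

def build_a_response(query, ip, ttl=300):
    """Constructed reply as a nameserver would send it: echoes ID and question, adds one A record."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 question, 1 answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer

def response_matches(query, response):
    """A reply is trusted only if QR=1 and it echoes the transaction ID and exact question sent."""
    if len(response) < len(query):
        return False
    rid, flags = struct.unpack("!HH", response[:4])
    return (rid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)
            and response[12:len(query)] == query[12:])

def first_a_record(response, query):
    """IPv4 address of the first answer record, or None (its name is assumed to be a 2-byte pointer)."""
    rec = response[len(query) + 2:]
    if len(rec) < 14 or struct.unpack("!HHIH", rec[:10])[::3] != (1, 4):  # (type, rdlength)
        return None
    return socket.inet_ntoa(rec[10:14])

def udp_exchange(packet, server, timeout):
    """Real transport: send the query over UDP to port 53 and return the reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        try:
            return s.recv(512)
        except socket.timeout:
            return None

def resolve_with_fallback(name, servers, exchange=udp_exchange, timeout=2.0):
    """Query resolvers in order; a timeout or a rejected reply moves on to the backup server."""
    for server in servers:
        query, _ = build_query(name)
        reply = exchange(query, server, timeout)
        if reply is not None and response_matches(query, reply):
            return server, first_a_record(reply, query)
    return None, None
```

The `exchange` parameter lets the same logic run against a constructed transport, which is how a resolver's fallback and reply validation can be tested without touching the network.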

The big forgotten

From the user’s point of view, the DNS does not exist: they use domain names to browse and send emails, and they have only one need, that it works.

On the company’s side the problem is different: it is usually a lack of information, a lack of awareness of the importance of the DNS and of the consequences of an outage.

In most cases, companies do not really pay attention. They will spend a significant budget to register and manage domain names, to raise their visibility and protect their brands, but will not look into the robustness of the DNS servers their provider puts at their disposal.

Good practices to implement: have a first-rate DNS infrastructure


First of all, consider whether your strategic domain names already receive particular attention in terms of DNS infrastructure. Strategic domain names are all those on which the traffic of the company’s key services relies: websites, email, VPN, instant messaging…

Owning your own DNS infrastructure is a solution that offers flexibility and control, but the cost of acquisition, management and maintenance on one hand, and the complexity and required expertise on the other, are often prohibitive or poorly evaluated. It is usually easier to opt for an external DNS infrastructure managed by a registrar, hosting company or specialized provider. It is then appropriate to check what annual availability rate is guaranteed and how the provider follows good practice to ensure maximum availability.

To ensure high availability for your Internet services, it is essential to choose a highly available DNS solution that offers:

– The functionalities needed for intensive DNS use;

– An anycast network, to reduce DNS resolution time and ensure optimal access time to your websites;

– A secured DNS infrastructure that stays available even under attack;

– Key features such as GeoIP, failover, registry lock, DNSSEC and smart anti-DDoS filtering.

Conclusion

The DNS is not visible but it is everywhere: it provides access to your key services through the resolution of your strategic domain names, it is potentially exposed to many attacks with disastrous consequences, and it too often lacks attention from companies. So… don’t forget about it, and if necessary, talk about it with your Nameshield partner.