Study: A Year After Dyn Attack, Most Firms Are Still Vulnerable to DNS Attacks

Infoblox, a network security company, and Dimensional Research, a technology market research firm, found that 86% of the DNS solutions deployed by the surveyed firms failed to raise an alert when a DNS attack occurred. A third of the IT professionals also doubted their companies could protect against DNS attacks, such as the massive DDoS attack seen against Dyn, a DNS service provider.

Attack Against Dyn

Last year’s attack against Dyn took dozens of major websites offline, including Twitter, Netflix, Airbnb, Amazon, CNN, The New York Times, and more. This showed companies that the DNS attack vector should be taken more seriously. However, a year later, only 11% of companies have dedicated security teams managing DNS, which shows that DNS security is still not a high priority for the majority of firms.

"Our research reveals a gap in the market - while we found that DNS security is one of IT and security professionals' top three concerns, the vast majority of companies are ill-equipped to defend against DNS attacks," said David Gehringer, principal at Dimensional Research. "This is exacerbated by the fact that companies are extremely reactionary when it comes to DNS security, only prioritizing DNS defense once they have been attacked. Unless today's organizations begin moving to a proactive approach, DDoS attacks such as the one on DNS provider Dyn will become more pervasive," he added.

Other Findings

The study by Infoblox and Dimensional Research also found that:

DNS attacks are highly effective. Three out of ten companies have been victims of DNS attacks. Of those that were attacked, 93% suffered service downtime, and 40% had downtime of over an hour, which impacted their business substantially.

Companies are slow to notice DNS attacks. More than two-thirds of companies said they have real-time monitoring for DNS attacks, but 86% of the solutions failed to raise an alert when DNS attacks occurred. Of those that experienced DNS attacks, 20% were first notified by customers, which means business operations had already been impacted and the companies’ reputation had suffered for it.

Most firms are vulnerable to at least one type of DNS attack. Of the surveyed companies, 63% were not able to defend against all types of DNS attacks, which include hijacking, exploits, cache poisoning, protocol anomalies, reflection, NXDomain, and amplification attacks.

The majority of companies are reactionary. The study found that companies quickly change their focus to DNS security once they experience a DNS attack. Until then, their primary concern is protecting against viruses.

DNS attacks are costly. Almost a quarter (24%) of the companies that experienced a DNS attack lost over $100,000, and 54% lost over $50,000. When websites are down, companies lose revenue. In addition, significant resources are expended to solve a crisis that could have been prevented.

"Most organizations regard DNS as simply plumbing rather than critical infrastructure that requires active defense," said Cricket Liu, chief DNS architect at Infoblox. "Unfortunately, this survey confirms that, even on the anniversary of the enormous DDoS attack against Dyn—a dramatic object lesson in the effects of attacks on DNS infrastructure—most companies still neglect DNS security. Our approach to cybersecurity needs a fundamental shift: If we don't start giving DNS security the attention it deserves, DNS will remain one of our most vulnerable Internet systems, and we'll continue to see events like last year's attack," he warned.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.