Network firm Infoblox thinks it has come up with a novel way to defend data centre DNS servers from DDoS attacks: put the DNS server and its DDoS defence in a single appliance.
The principle behind the new device, the Advanced DNS Protection appliance, is that DDoS attacks have become so complex and multi-faceted that general-purpose DDoS equipment, firewalls included, can struggle to protect a critical part of enterprise web infrastructure: the DNS server.
DNS servers are a tempting target for attackers, of course (attacks on them are up 200 percent since 2012, by Infoblox's count), but the damage goes beyond simply making websites unreachable. DNS is also a vehicle for other kinds of attack: cache poisoning, malformed packets crafted to crash servers, and tunnelling stolen data out of the network inside DNS queries.
On top of these come attacks that were once unusual but are no longer hypothetical, such as the DNS reflection (amplification) attack on anti-spam outfit Spamhaus in March, whose sheer traffic volume caused chaos at public Internet providers well beyond the DNS layer itself.
The new appliance can detect and drop the rogue traffic that would otherwise overwhelm the server, without having to rate-limit all traffic indiscriminately, Infoblox said. It also receives regular ruleset updates, so that emerging attack types can be countered within days or weeks rather than the months it takes at present.
Perhaps the most important rationale is simply that combining DNS and DDoS protection in one box lets IT staff spot attacks on DNS infrastructure quickly, before the problem reaches a critical level. Today, gaining visibility into attacks on DNS servers can be hard because the filtering is done on a separate device, away from the server being attacked.
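To make the "drop the rogue source, not all traffic" idea concrete, here is an added example, written for this page and not code from Infoblox or its appliance. It walks a constructed DNS query log (format and thresholds are assumptions: `epoch src_ip qname qtype`, one query per line) and issues a per-source verdict: a source sending a high rate of ANY queries for one name is flagged as reflection/amplification, a source whose subdomains are long and high-entropy is flagged as tunnelling, and an ordinary client sharing the same window is left alone. Malformed lines are skipped rather than allowed to crash the parser.

```python
"""Per-source DNS query-log classifier (added illustration, not vendor code).

Log format, thresholds and the sample traffic below are all assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict


def _tunnel_label(i: int) -> str:
    # Deterministic stand-in for encoded exfiltration chunks (32 hex chars).
    return hashlib.sha256(str(i).encode()).hexdigest()[:32]


# Constructed sample log: one ordinary client, one spoofed reflection source
# hammering a single name with ANY queries, and one tunnelling client.
SAMPLE_LOG_LINES = (
    [
        "1385000000 203.0.113.10 www.example.com A",
        "1385000000 203.0.113.10 mail.example.com MX",
        "1385000001 203.0.113.10 example.com ANY",
        "1385000001 203.0.113.10 www.example.com AAAA",
        "1385000001 garbage-line-without-enough-fields",
    ]
    # Reflection: attackers pick a zone with big (e.g. DNSSEC-signed) ANY answers.
    + [f"{1385000000 + i % 3} 198.51.100.7 example.org ANY" for i in range(60)]
    + [f"1385000001 192.0.2.99 {_tunnel_label(i)}.tun.example.net TXT" for i in range(40)]
)


def parse_log(lines):
    """Yield (ts, src, qname, qtype); skip lines that do not parse."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed input is dropped, never trusted
        ts, src, qname, qtype = parts
        try:
            ts = int(ts)
        except ValueError:
            continue
        yield ts, src, qname.lower().rstrip("."), qtype.upper()


def shannon_entropy(s: str) -> float:
    """Bits per character; ~3.5 for hex-encoded data, near 0 for 'www'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_tunnel(qname: str, min_label_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Assumption: the last two labels are the zone; anything above is payload."""
    labels = qname.split(".")
    if len(labels) < 3:
        return False
    longest = max(labels[:-2], key=len)
    return len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy


def classify(lines, min_qps=10.0, any_fraction=0.8, tunnel_fraction=0.5, min_queries=10):
    """Return {src: {"action", "reasons", "qps"}} with one verdict per source."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "tunnel": 0, "first": None, "last": None})
    for ts, src, qname, qtype in parse_log(lines):
        s = stats[src]
        s["total"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if qtype == "ANY":
            s["any"] += 1
        if looks_like_tunnel(qname):
            s["tunnel"] += 1

    verdicts = {}
    for src, s in stats.items():
        qps = s["total"] / (s["last"] - s["first"] + 1)
        reasons = set()
        enough = s["total"] >= min_queries
        # Reflection/amplification: sustained rate of answer-inflating ANY queries.
        if enough and qps >= min_qps and s["any"] / s["total"] >= any_fraction:
            reasons.add("amplification")
        # Tunnelling: most queries carry long, high-entropy payload labels.
        if enough and s["tunnel"] / s["total"] >= tunnel_fraction:
            reasons.add("tunnel")
        verdicts[src] = {"action": "drop" if reasons else "allow",
                         "reasons": reasons, "qps": round(qps, 1)}
    return verdicts


if __name__ == "__main__":
    for src, v in classify(SAMPLE_LOG_LINES).items():
        print(f"{src:14} {v['action']:5} qps={v['qps']:<5} {sorted(v['reasons'])}")
```

The point of the per-source verdict is the one the article makes: the ordinary client at 203.0.113.10 keeps being answered while the two rogue sources are dropped, whereas a blanket rate limit on the server would throttle all three. In production the window would be a sliding one and the thresholds tuned to the zone's normal traffic; the heuristics here are deliberately simple.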
It’s an argument for integration that fits with Infoblox’s grid architecture, which links appliances so that single points of failure are avoided.
“Security is better when it’s built in, not bolted on,” commented Infoblox vice president of product strategy, Steve Nye.
“By intelligently integrating security directly into a DNS appliance, Infoblox Advanced DNS Protection delivers a depth of defence against DNS attacks that is far more robust and insightful than relying on a jumble of separate devices and services.”
Interestingly, nobody else has yet come up with the idea of combining a DNS server with anti-DDoS mitigation, so Infoblox counts as the pioneer of this approach. Higher-level DDoS mitigation services will block attacks targeting DNS, but without offering enterprises the same visibility.
It's a persuasive argument, but do enterprises want to buy more appliances, or would they rather consume security as a service? If the latter, the longer-term market for Infoblox's DNS protection appliances could be the service providers themselves.
It is also an innovative pitch, and Infoblox has made a name for itself by coming up with unexpected and slightly offbeat ways of conceptualising security problems. In September the firm announced Tapestry, an open source tool for measuring the usually abstract notion of network complexity, on the assumption that this is now one of the main IT problems enterprises are grappling with.
Available from January 2014, pricing for the new appliance is on application.