Assistant Engineer
Assistant Engineer
  • UID634
  • Fans0
  • Follows0
  • Posts44

How to protect DNS - the heart of internet

More Posted time:Dec 9, 2016 15:50 PM
How to protect DNS - the heart of internet
Dyn, a US-based DNS service provider, suffered massive DDoS attacks at 19:11 on Oct 21, 2016, Beijing time, leading to the service suspension of many websites and access failures to a majority of US-based websites including Twitter, Spotify, Netflix, Airbnb, GitHub, Reddit and New York Times.
The red spots are regions with no access to the internet.

Many people may question why such an obscure DNS can have such wide influence? According to Wu Hanqing, chief security commentator of Alibaba Cloud, DNS is the heart of the internet, and also the security short slab of many enterprises. This DNS-caused paralysis didn't affect China, but it sounded the alarm for all enterprises to pay attention to security. Just image, what happens if a man has something wrong with his heart? Today let's talk about how to safeguard the “health” of DNS.
What is DNS?
Dyn, suited in Manchester, New Hampshire, the US, is a major domain name server (DNS) provider in the country. The domain name is the starting point and entry for netizens to visit the internet and also the basis of global internet communications. DNS, as a system ensuring the normal usage of hundreds of millions domain names in the world, is important infrastructure of the internet.
Who is to blame?
The large-scale network paralysis is a result of the DDoS attacks to Dyn servers. DDoS stands for Distributed Denial of Service. The most basic DDoS attacks refer to that the hackers utilize reasonable service requests to occupy as many service resources as possible, resulting in no service response to the users' requests. When the Dyn was under DDoS attacks, the DNS query requests of many netizens failed to be completed, and users could not visit Twitter, GitHub and other websites through the domain name as a result.
How far is DNS-caused network paralysis from us?
Such “tragedies” are not exclusive to the US. There have been many DNS-caused internet failures in China. The most severe DNS fault in the Chinese mainland happened on January 21, 2014. All the generic top-level domains (.com/.net/.org) suffered DNS cache poisoning. All the domain names pointed to an IP address ( in the US. Some websites reported that: At present, the domestic hacking attacks have formed an industrial chain. The internet is full of attacking tools and trojans, providing convenience for attackers. Some hackers even put a clear price on their services. For example, 1GB of traffic to a website for one hour is priced at only 50 yuan on the internet. After the hackers master some kinds of attacking “weapons”, they may be driven by the benefits, or become actively hired to attack some high-profit industries, such as the finance and gaming industries.
The security risk is approaching the internet of all?
According to foreign media, the zombie networks targeting IoT devices may be an important source of this DDoS attack. The chief security officers of Level 3 Communications, a backbone internet service provider, said around 10% of Mirai-infected devices participated in this DDoS attack. With the internet of all, Wu Hanqing holds that the Internet of Things will definitely invoke a lot of security issues. While the just-over “Black Friday” only miniatures the future security issues. At present, there are around 600,000 zombie or trojan-injected IoT devices in the internet. If these devices wage attacks together, they can easily initiate a nearly 1T of traffic flood attack (equivalent to the traffic of a province in China). “Generally, companies are not capable of combating against the attackers any more,” said Wu Hanqing.
How to avoid CDN-caused network paralysis
Dyn of the United States provides users with DNS hosting and parsing services, as one of the internet infrastructure. The impact of DNS attacks is very large. In China, Alibaba Cloud also provides DNS hosting services for users.
Alibaba Cloud integrates Alibaba Cloud DNS into the high-defense services and improves the parsing capability of DNS utilizing the elastic extension features of cloud computing. It also establishes a full-chain security system between network access and website access. The peak defense capability of Alibaba Cloud DNS cluster is: 300G+, 500 million QPS. At the same time, Alibaba Cloud deploys seven major BGP (Border Gateway Protocol) rooms around the world, with the access data going effective within seconds, meeting the access needs of users in different regions around the world.
Alibaba Cloud: World-class security service
Every day, Alibaba Cloud helps 37% of websites in the Chinese mainland to defend against 800 million attacks successfully. Every day, Alibaba Cloud identifies and defends against attacks from 35,000 malicious IP addresses, defends against 2,000 DDoS attacks, 200 million brute force password-cracking attacks and 20 million web attacks. In the just-concluded 2016 G20 summit in Hangzhou, Alibaba Cloud provided a large number of professional security and Managed Security Services to protect stable operation and news transmission of the G20 official website and government and civilian websites in Zhejiang province. In specific, Alibaba Cloud Security Anti-DDoS system successfully defended against nearly 30,000 DDoS attacks, with the peak value reaching 439.7 Gbps; The web application firewall successfully defended against more than 100 million attacks during the G20 summit, including SQL injection, XSS attacks, and code execution among other malicious attacks.
[Cloudy edited the post at Dec 26, 2018 17:42 PM]