The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) has issued an alert to IT security staff and to network and DNS administrators, urging them to improve their network and DNS configurations so that their institutions do not become unwitting partners in DoS attacks.
“These attacks may exploit thousands of institutional DNS servers to create an avalanche of network traffic aimed at a third-party victim. The traffic sourced by any single institutional system may be small enough to go unnoticed at the institution; however, the aggregate experienced at the target can be crippling,” writes Doug Pearson, Technical Director at REN-ISAC.
“A recent attack generated over 300 gigabits per second of traffic aimed at the victim organization. To put that in context, most universities and organizations connect to the Internet at 1 Gbps or less. In this incident not only was the intended victim crippled, Internet service providers and security service providers attempting to mitigate the attack were adversely affected. Given history and the success of recent attacks, we expect that attacks will rise in frequency and magnitude in the months ahead.”
The alert includes a series of recommended steps for the administrators to take, as well as a number of related good practices.
“Open recursive resolvers, authoritative DNS servers (especially when zones are DNSSEC signed), and networks that do not prevent source address spoofing create an environment on the Internet where DNS amplification DDoS attacks of great magnitude can be achieved,” he pointed out.
“Too many higher education institutions contribute to this known and avoidable problem.”