DDoS Protection is a Community Effort
As scary and complex as these huge DDoS attacks might sound, it isn’t too difficult to prevent cyber attackers from misusing DNS servers. There are two things that can prevent DNS amplification attacks; however, the whole Internet community must do them together for success.
The first step is to close unnecessary open DNS resolvers. According to the Open Resolver Project (openresolverproject.org), there are approximately 27 million open DNS resolvers in the world today. If the organizations that manage these open resolvers would restrict them to only respond to internal queries, it would make it much more difficult for DDoS attackers to use those DNS servers against victims on the Internet.
It isn’t difficult to secure and close DNS servers to external traffic. If DNS administrators restricted recursive DNS queries to their internal networks, it would do a lot to prevent attackers from using them in amplification attacks. This is more of an awareness issue than a technical one.
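As an added illustration (not from the original article), the BIND named.conf fragment below shows the open-resolver setting beside the restricted one the text describes; the internal address ranges are assumed placeholders to replace with your own.

```conf
// --- WEAK: an open resolver ---
// Recursion is enabled and nothing limits who may use it, so any
// Internet host can send queries with a spoofed source address and
// have the large answers delivered to the victim.
options {
    recursion yes;
    allow-recursion { any; };      // anyone on the Internet may recurse
    allow-query-cache { any; };    // cached answers served to anyone
};

// --- RESTRICTED: recursion only for internal clients ---
// Placeholder ranges; list the prefixes that belong to your own network.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    recursion yes;
    allow-recursion { internal; };   // external hosts get REFUSED
    allow-query-cache { internal; }; // no cached data for outsiders
    // Response Rate Limiting further blunts any reflection through
    // zones this server must still answer for externally.
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
```

A server that is authoritative only (no internal clients at all) should instead set `recursion no;`, and after reloading, a query for an external name from outside the ACL should come back with status REFUSED.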
The second step is to prevent spoofing on the Internet. There’s almost no reason someone in a network should be able to send traffic that looks like it comes from someone else. Firewalls, unified threat management appliances, routers, and other network gateway devices are almost always able to detect internal spoofing by recognizing when an internal address sends traffic that appears to be from a different network. If everyone on the Internet — especially service providers — would use this feature to block spoofing at the network level, then attackers would not be able to launch these debilitating types of attacks.
In short, those who don’t secure their own DNS resolvers are keeping others at risk. If you run an open DNS resolver or a network gateway device, follow the best practices outlined above to make it harder for the bad guys to misuse servers — it will make the Internet a safer place for both businesses and consumers.