Tuesday, December 6, 2011

DNS Protection Solution

Background 
The Domain Name System (DNS) is a distributed Internet name service that primarily resolves domain names to IP addresses and vice versa. Most Internet services rely on DNS; if DNS fails, addressing on the network fails and services are severely affected.

Several DNS attack incidents in 2009 did great harm to networks, notably the Storm DNS event, which caused network access failures for numerous users in six provinces in east China, and the Baidu DNS event, which caused huge economic losses. Defending against DNS attacks has therefore become an urgent security issue for users in various industries, and securing DNS servers while delivering DNS protection services is a challenge for carriers as well.

Solution Overview 

There are primarily three types of DNS attacks, namely, DNS flood, DNS cache poisoning, and DNS hijacking. 

In a DNS flood, massive numbers of resolution requests are sent to the target server, typically for domain names that do not exist; the server is overwhelmed by the excessive requests and legitimate resolutions time out. In DNS cache poisoning, a forged resolution record for a domain name is sent to the target DNS server; if the server accepts it, its cache is poisoned, and subsequent replies to requests for that domain name are under the attacker's control, so browsers and mail servers are automatically directed to the addresses the attacker specified. DNS hijacking includes hosts file modification, SPI chain injection, and malicious BHO plug-ins. Although not all of these operate within DNS processing itself, they all cause users to receive incorrect addresses or content.

Drawing on years of experience in DNS protection and a deep understanding of user demands, Huawei has launched a comprehensive DNS protection solution that integrates DDoS defense and UTM features.

In this solution, the anti-DDoS device defends against DNS floods and DNS cache poisoning through source IP address authentication, attack fingerprint learning, and dynamic traffic baselining. Meanwhile, the UTM device divides the DNS deployment into an external zone and an internal zone, which effectively improves the security and reliability of the DNS server. Moreover, the IPS function of the UTM device detects attacks that exploit DNS protocol vulnerabilities, defending against intrusion into the DNS.
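
As an added illustration (not code from this page or from Huawei's products) of how a dynamic traffic baseline can separate an invalid-name DNS flood from normal query traffic, the following Python learns a per-client query rate from constructed resolver log lines and then flags clients whose rate jumps far above that baseline while most answers are NXDOMAIN. The log format, the sample clients and the thresholds are assumptions.

```python
from collections import defaultdict
# Constructed log lines ("<second> <client-ip> <qname> <rcode>"), not from a
# real server: seconds 0-9 are normal; in 10-11 one client floods bogus names.
SAMPLE_LOG = (
    [f"{s} 192.0.2.10 www.example.com NOERROR" for s in range(12)]
    + [f"{s} 192.0.2.11 mail.example.com NOERROR" for s in range(12)]
    + [f"{s} 198.51.100.7 host{s}.example.org NOERROR" for s in range(10)]
    + [f"{s} 198.51.100.7 {i:06x}.example.org NXDOMAIN"
       for s in (10, 11) for i in range(40)]
)

def parse(lines):
    """Yield (second, client, qname, rcode); skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], parts[3]

def per_second_counts(records):
    """Return {client: {second: [total_queries, nxdomain_answers]}}."""
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for sec, client, _qname, rcode in records:
        counter = stats[client][sec]
        counter[0] += 1
        if rcode == "NXDOMAIN":
            counter[1] += 1
    return stats

def learn_baseline(stats, learn_until):
    """Mean queries/second per client over the learning window [0, learn_until)."""
    return {
        client: sum(t for sec, (t, _nx) in by_sec.items() if sec < learn_until)
        / max(learn_until, 1)
        for client, by_sec in stats.items()
    }

def detect_flood(lines, learn_until=10, rate_factor=5.0, min_qps=20, nx_ratio=0.8):
    """Return {client: [seconds]} in which a client exceeds rate_factor times its
    learned baseline (and min_qps) while >= nx_ratio of its answers are NXDOMAIN."""
    stats = per_second_counts(parse(lines))
    baseline = learn_baseline(stats, learn_until)
    flagged = {}
    for client, by_sec in stats.items():
        # Unknown clients have no baseline, so min_qps acts as the floor.
        threshold = max(rate_factor * baseline.get(client, 0.0), float(min_qps))
        for sec, (total, nx) in sorted(by_sec.items()):
            if sec >= learn_until and total > threshold and nx / total >= nx_ratio:
                flagged.setdefault(client, []).append(sec)
    return flagged
```

In a real deployment the baseline would be refreshed continuously rather than learned once, and the NXDOMAIN ratio would be checked against the resolver's normal error rate rather than a fixed constant.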

Solution Features
Hierarchical defense 

To defend against the various DDoS attacks on DNS, the Huawei DNS protection solution adopts hierarchical defense technologies and filters traffic layer by layer, ensuring that all traffic reaching the DNS server is normal service traffic.

High-performance hardware platform

The Huawei UTM device adopts a carrier-class hardware platform and a multi-core processing system, and delivers high-performance functions with sound reliability, including firewall and IPS. These features satisfy the DNS server's requirements on diversified performance indicators such as network throughput.

The Huawei anti-DDoS device provides users with 2G to 80G anti-DDoS performance, realizing efficient and effective DDoS defense in different networking environments for various users.

Easy-to-use management operation system

The Huawei DNS protection solution equips users with an easy-to-use management and operation system, including a graphical device and policy configuration interface. It also provides customized attack and performance reports for users.

Furthermore, the Huawei DNS protection solution can serve as a platform for value-added security operation services, enabling differentiated defense policies for DNS servers and individualized value-added security services.
