If everyone is thinking the same, someone isn't thinking

Lori MacVittie


F5 Friday: When the Solution to a Vulnerability is Vulnerable You Need a New Solution

#v11 Say hello to DNS Express


You may recall we recently expounded upon the need for the next generation of infrastructure to provide more protection for critical DNS services. This is particularly important given recent research commissioned by Verisign that found “60% of respondents rely on their websites for at least 25% of their annual revenue.” Combined with findings that DDoS attacks, DNS failures and attackers accounted for 65% of unplanned downtime in the past year, the financial impact on organizations is staggering.

We also described the most popular solution today, DNS caching, and mentioned that it turns out this solution is itself vulnerable to attack. DNS caching can be defeated simply by requesting non-existent resources. This is not peculiar to DNS, by the way, but to caching and the way it works. A cache is a proxy for content that is ultimately obtained from the originating server, so if you request a resource that is not in the cache, the cache must in turn query the originating server to retrieve it. If you start looking up randomly generated host names you know don’t exist, every query misses the cache (negative caching of NXDOMAIN answers does not help, because no name is ever requested twice) and is forwarded to the origin. You can quickly overwhelm the originating server (and potentially the cache) and voila! Successful DDoS.
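Because this attack is invisible to volume-based rate limits until the origin is already struggling, the first thing a practitioner wants is a way to spot it in query logs. The following is an added example, not code from the original post or from F5: a small detector that parses constructed DNS query-log lines (the `<epoch> <client> <qname> <rcode>` format, the sample IPs, the names and the thresholds are all assumptions for illustration) and flags clients whose answers are overwhelmingly NXDOMAIN and whose failing names never repeat, which is exactly the fingerprint of a random-hostname flood as opposed to a user mistyping one host name.

```python
"""Random-subdomain (NXDOMAIN) flood detector over DNS query-log lines.
Added example; the log format, sample data and thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed query-log lines (not from any real server), format:
#   <epoch> <client-ip> <qname> <rcode>
# 198.51.100.7 looks like a normal client; 203.0.113.9 sends one fresh
# non-existent name after another under the target zone.
SAMPLE_LOG = """\
1700000000 198.51.100.7 www.example.com. NOERROR
1700000001 198.51.100.7 mail.example.com. NOERROR
1700000001 198.51.100.7 www.example.com. NOERROR
1700000002 203.0.113.9 q7x1kz0pa4.example.com. NXDOMAIN
1700000002 203.0.113.9 m2bb9t5lsn.example.com. NXDOMAIN
1700000002 203.0.113.9 zk0p4wq8er.example.com. NXDOMAIN
1700000003 203.0.113.9 a9j3nf6uy2.example.com. NXDOMAIN
1700000003 203.0.113.9 hw5c1rd8qo.example.com. NXDOMAIN
1700000003 203.0.113.9 www.example.com. NOERROR
1700000004 198.51.100.7 tpyo.example.com. NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


@dataclass
class ClientStats:
    total: int = 0
    nxdomain: int = 0
    nx_names: set = field(default_factory=set)  # distinct names that got NXDOMAIN


def parse(log_text):
    """Aggregate per-client counts from the log text; malformed lines are skipped."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # never let a garbled line crash the detector
        _ts, client, qname, rcode = m.groups()
        s = stats[client]
        s.total += 1
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
            s.nx_names.add(qname.lower())
    return stats


def flag_random_subdomain_flood(stats, min_queries=5, min_nx_ratio=0.8):
    """Return clients whose queries are mostly NXDOMAIN and whose failing
    names are all distinct. A typo-prone user repeats the same wrong name
    and gets a cache hit the second time; a flood never repeats a name.
    Thresholds are illustrative assumptions, not recommended values."""
    flagged = []
    for client, s in stats.items():
        if s.total < min_queries:
            continue
        ratio = s.nxdomain / s.total
        never_repeats = len(s.nx_names) == s.nxdomain
        if ratio >= min_nx_ratio and never_repeats:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_random_subdomain_flood(parse(SAMPLE_LOG)))
```

In production the counts would be kept over a sliding time window rather than over the whole file, and the "client" key is weak evidence on its own, since the flood usually arrives through open recursive resolvers whose addresses also carry legitimate traffic; the NXDOMAIN share and non-repetition of names are the more reliable signals.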

Like an increasing number of modern attacks, this vulnerability is no one’s fault per se; it’s an exploitation of the protocol’s assumptions and designed behavior. But as has been noted before, expected behavior is not necessarily acceptable behavior. For IT, that only matters insofar as it aids in finding a more secure, i.e. non-vulnerable, solution.


BIG-IP v11 introduced DNS Express, comprising several new capabilities that provide comprehensive DNS protection and address just this vulnerability as part of an overall feature set designed to maintain availability for critical DNS services.


DNS Express is a new DNS service available in BIG-IP v11 that implements an authoritative in-memory DNS service capable of storing tens of millions of records. This caching-style solution is enhanced by the CMP (Clustered Multi-Processing) enabled TMOS platform, which allows BIG-IP Global Traffic Manager (GTM) to respond to hundreds of thousands of queries per second (millions per second on the VIPRION hardware platforms). Rounding out this strategic trifecta of DNS goodness is IP Anycast integration, which obscures the number and topological attributes of DNS servers while simultaneously distributing load. This is an important facet, as attackers often target DNS servers one by one; without the ability to determine how many servers may be present, attackers must choose whether to forge ahead, possibly wasting their valuable time, or give up.

A DNS infrastructure based on DNS Express allows customers to leverage the ability of BIG-IP to withstand even the most persistent DDoS load by performing a zone transfer from a DNS pool to BIG-IP GTM, which subsequently acts as a high-speed authoritative secondary (slave) DNS service. It is an architectural solution that is fairly non-disruptive to the existing architecture and, by leveraging core TMOS features such as iRules, adds control and flexibility in designing solutions specifically for a data center’s unique needs and business requirements.

This solution realizes the benefits of a DNS-caching solution while mitigating the risk that an attacker will exploit the behavior of caching solutions with a barrage of randomly generated host name requests. The difference is that BIG-IP GTM holds the entire zone in memory rather than a cache of previously answered names, so a query for a host name that does not exist is answered with NXDOMAIN directly from memory instead of being forwarded, and the flood never reaches the origin servers.
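To make the contrast between the cache described earlier and an authoritative in-memory copy of the zone concrete, here is an added example (not F5 code and not a model of DNS Express internals): a minimal simulation in which a caching resolver forwards every miss to the origin, while an authoritative copy loaded by a zone transfer answers NXDOMAIN locally. The zone contents, the query counts and the random-label generator are constructed for illustration. The simulation counts how many queries reach the origin under a random-hostname flood and under ordinary repeated traffic.

```python
"""Why a random-hostname flood defeats a DNS cache but not an authoritative
in-memory copy of the zone. Added example with constructed zone data; this
is a model of the behavior described in the post, not any vendor's code."""
import random
import string

# Constructed zone data: the only names that exist in example.com.
ZONE = {
    "www.example.com.": "192.0.2.10",
    "mail.example.com.": "192.0.2.20",
    "api.example.com.": "192.0.2.30",
}

NXDOMAIN = None  # a None answer models an authoritative "name does not exist"


class Origin:
    """The authoritative server a cache proxies for. Counts every query it sees."""
    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def lookup(self, name):
        self.queries += 1
        return self.zone.get(name, NXDOMAIN)


class CachingResolver:
    """Cache in front of the origin. Positive and negative answers are both
    cached, but a name the cache has never seen must be forwarded."""
    def __init__(self, origin):
        self.origin = origin
        self.cache = {}

    def lookup(self, name):
        if name not in self.cache:
            self.cache[name] = self.origin.lookup(name)
        return self.cache[name]


class AuthoritativeCopy:
    """In-memory copy of the whole zone, as a zone transfer would provide.
    Because it knows every name that exists, it can answer NXDOMAIN itself
    and never has to ask the origin anything."""
    def __init__(self, origin):
        self.zone = dict(origin.zone)  # models the zone transfer at startup
        self.origin = origin

    def lookup(self, name):
        return self.zone.get(name, NXDOMAIN)


def random_names(count, seed=1, suffix="example.com."):
    """Attacker traffic: `count` never-repeating labels under the zone."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    return [f"{''.join(rng.choices(alphabet, k=12))}.{suffix}" for _ in range(count)]


def legitimate_names(count, seed=1):
    """User traffic: the same handful of real names, looked up over and over."""
    rng = random.Random(seed)
    return [rng.choice(list(ZONE)) for _ in range(count)]


def run(resolver_factory, names):
    """Serve `names` through a fresh resolver over a fresh origin.
    Returns (queries that reached the origin, NXDOMAIN answers returned)."""
    origin = Origin(ZONE)
    resolver = resolver_factory(origin)
    answers = [resolver.lookup(n) for n in names]
    return origin.queries, sum(a is NXDOMAIN for a in answers)


if __name__ == "__main__":
    n = 10_000
    print("cache, legitimate traffic:", run(CachingResolver, legitimate_names(n)))
    print("cache, random-name flood: ", run(CachingResolver, random_names(n)))
    print("zone copy, random flood:  ", run(AuthoritativeCopy, random_names(n)))
```

Under legitimate traffic the cache does its job (the origin sees at most one query per distinct name), under the flood every one of the attacker's queries is forwarded, and the authoritative copy returns the same NXDOMAIN answers while the origin receives nothing. The model deliberately ignores TTL expiry and query rate; both only make the cache's position worse, never better, since the attacker controls how many distinct names are sent per second.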

Happy Safe Resolving!


More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.