F5 Blog


DNS Security Risks for Service Providers in the Internet of Things

The Path to IoT

The Internet of Things (IoT) represents a large new business opportunity for service providers to develop new streams of revenue. For end users, IoT has the potential to provide solutions that can dramatically enhance productivity and the quality of daily life.

To enable communication between IoT devices and the network, IP addresses will need to be assigned to the devices, and the domain names where applications and services reside must be translated and resolved by DNS.

Subscribers depend on the DNS infrastructure for access to the content and applications on the network. This requires DNS to be dynamic, intelligent, and secure—providing the appropriate address response to the subscriber based on network and application health and availability. Security is a critical component of end-to-end IoT services. IoT security is still largely undefined and therefore needs to be designed and implemented from the start.

IoT Security Vulnerabilities

According to Gartner, there will be 20.8 billion connected devices worldwide by 2020. This large number of diverse devices connected to the network could become targets for distributed denial-of-service (DDoS) attacks and other threats, as IoT devices are often constrained in memory, storage, and compute resources. IPv6 network addressing for IoT devices and backwards compatibility with IPv4 applications is essential to support so many new devices. The requirement to handle millions or billions of DNS requests per second may impact network performance. It can also affect the availability of services and applications for many users.

In a February 2016 survey and subsequent report on The Future of Mobile Service Delivery, Jim Hodges, senior analyst at Heavy Reading, explains how service providers view the DNS domain as a key area of security vulnerability. The full extent of the challenges is not yet understood, and service providers are still learning about IoT and next-generation 5G network security requirements. In the meantime, almost half of the survey respondents believe that DNS security threat levels are clearly on the rise.

Figure 1: DNS attacks are on the rise.

Service providers believe some types of DNS attacks are much more difficult to manage than others. The hands-down winner is volumetric attacks—the toughest to handle among volumetric, trickle, cache poisoning, and DNS tunnel vector attacks.

Figure 2: DNS attack types and the risk to the network.

In addition, DNS continues to be a target for DDoS attacks. When DNS goes down, applications will fail to function properly, affecting subscriber experience. It is now more critical than ever for operators to enable dynamic service delivery infrastructure for managing and securing the impending flood of DNS traffic.

IoT Solutions—Scale, Performance, and Security

Optimizing the DNS infrastructure

Service providers use DNS to enable subscriber access to critical services and applications. If DNS is unavailable, services won’t function properly, leading to network and service degradation or failures. To prevent these issues, service providers must optimize and secure the DNS infrastructure. However, such an infrastructure requires tremendous amounts of real-time management and stability. Thus, scaling DNS will be crucial when dealing with millions of service names and IP addresses in support of IoT.

As service providers scale their control planes, they also need to ensure the security of device, subscriber, and billing data, as well as the capacity to withstand DNS DDoS attacks, DNS amplification attacks, and DNS tunneling for circumventing service limits.
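The two DNS abuse patterns named above (amplification and tunneling) leave recognizable traces in resolver logs. The following is an added example, not F5's code or anything from the report cited here, showing detection logic run over a few constructed log lines: amplification is flagged by a high aggregate response-to-query byte ratio across repeated queries from one client (ANY queries are counted separately), and tunneling by a base domain receiving many distinct, long, high-entropy leftmost labels. The log format, thresholds and sample IPs and domains are all assumptions made for the example.

```python
# Added example (not F5's code): detection logic over constructed resolver
# log lines, flagging DNS amplification and DNS tunneling indicators.
import math
from collections import defaultdict

# Constructed sample log (assumed format): timestamp, client IP, qtype, qname,
# query bytes, response bytes. Addresses and names are documentation values.
SAMPLE_LOG = """\
2016-02-01T10:00:00Z 203.0.113.5 A www.example.com 33 49
2016-02-01T10:00:01Z 198.51.100.7 ANY isc.example 28 3150
2016-02-01T10:00:01Z 198.51.100.7 ANY isc.example 28 3150
2016-02-01T10:00:02Z 198.51.100.7 ANY isc.example 28 3150
2016-02-01T10:00:03Z 203.0.113.9 TXT 3fa9c1d4e7b2a6f0.data.exfil.example 60 80
2016-02-01T10:00:04Z 203.0.113.9 TXT 9b8e7d6c5a4f3e2d.data.exfil.example 60 80
2016-02-01T10:00:05Z 203.0.113.9 TXT 1c2d3e4f5a6b7c8d.data.exfil.example 60 80
2016-02-01T10:00:06Z 203.0.113.5 AAAA mail.example.com 34 62
"""


def parse_log(text):
    """Split each whitespace-separated log line into a record dict."""
    records = []
    for line in text.splitlines():
        ts, client, qtype, qname, qlen, rlen = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower(), "qlen": int(qlen), "rlen": int(rlen)})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def amplification_suspects(records, min_ratio=10.0, min_queries=3):
    """Clients whose aggregate response/query byte ratio is high across repeated queries.

    A spoofed-source reflection attack shows up as small queries producing
    large responses, so the byte ratio is the primary signal; ANY queries
    are counted because they are a common way to maximise response size.
    """
    per_client = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "any_queries": 0})
    for r in records:
        c = per_client[r["client"]]
        c["queries"] += 1
        c["qbytes"] += r["qlen"]
        c["rbytes"] += r["rlen"]
        if r["qtype"] == "ANY":
            c["any_queries"] += 1
    suspects = {}
    for client, c in per_client.items():
        ratio = c["rbytes"] / c["qbytes"]
        if c["queries"] >= min_queries and ratio >= min_ratio:
            suspects[client] = {"queries": c["queries"], "ratio": ratio,
                                "any_queries": c["any_queries"]}
    return suspects


def tunneling_suspects(records, min_unique=3, min_label_len=12, min_entropy=3.0):
    """Base domains that receive many distinct, long, high-entropy leftmost labels.

    Tunnels encode data in the query name, so the leftmost label changes on
    almost every query and looks random; ordinary hostnames do not.
    """
    per_base = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) < 3:
            continue
        first, base = labels[0], ".".join(labels[-2:])
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            per_base[base].add(first)
    return sorted(base for base, labels in per_base.items() if len(labels) >= min_unique)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("amplification:", amplification_suspects(recs))
    print("tunneling:", tunneling_suspects(recs))
```

Thresholds such as a 10:1 byte ratio or a 12-character label are starting points to tune against a resolver's own baseline; in production the same aggregation would run per time window rather than over a whole file.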

The need for a comprehensive solution

Because DNS infrastructure is designed to provide access to the content and applications on the network, service providers need to build a comprehensive security solution to protect their DNS infrastructure from DDoS attacks. The solution must be capable of handling tens of millions of query responses per second (RPS) for attack mitigation, while providing the ability to inspect, validate, and control DNS through protocol validation and rate limiting. In addition, the DNS infrastructure requires monitoring, alerting, logging, and analytics to understand attacks—while distributing the load between synced DNS devices. Finally, it’s important to block access to malicious IP domains with filtering-based customization. For example, support for response policy zones (RPZs) allows customized handling of domain name information (zones).

Implementing DNS security

Service providers will need to implement a dynamic and intelligent DNS infrastructure, which can provide the correct address response for subscribers, based on the health and availability of networks and applications. Service providers must architect a scalable, intelligent DNS security infrastructure that gives mobile users faster access and service response. This includes carrier-grade hyperscale authoritative DNS as well as high-performance LDNS caching and resolving. Both must be protected with DNS firewall security services for mitigating DNS DDoS attacks. The firewall should also shield the DNS infrastructure from malicious attacks by infected subscribers, as well as undesired DNS queries and responses that reduce DNS and service performance. An intelligent DNS firewall will inspect and validate protocols while dropping invalid requests or refusing to accept unsolicited responses.
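The checks described in this section and in "The need for a comprehensive solution" (protocol validation, rate limiting, RPZ-style domain blocking, and refusing unsolicited responses) can be shown concretely on raw DNS messages. The block below is an added example, not F5's code or the behaviour of any F5 product: it parses the DNS header and question section from a UDP payload, drops messages that fail validation, applies a per-client token bucket, answers RPZ hits with an NXDOMAIN decision, and on the resolver side accepts a response only when it matches an outstanding query. The block list, rate-limit parameters and message builder are assumptions constructed for the example.

```python
# Added example (not F5's code): minimal DNS firewall policy checks on raw
# DNS messages: protocol validation, per-client rate limiting, RPZ-style
# blocking, and rejection of unsolicited responses at a resolver.
import struct
from collections import defaultdict

# Hypothetical RPZ-style block list (constructed for the example).
RPZ_BLOCKED = {"malware.example", "phish.example"}


class DnsValidationError(ValueError):
    """Raised for any message that fails protocol validation."""


def parse_name(msg, offset):
    """Decode an uncompressed DNS name at offset; return (name, next offset)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise DnsValidationError("truncated name")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:  # 0xC0 compression pointers and reserved forms land here
            raise DnsValidationError("invalid label length")
        if offset + length > len(msg):
            raise DnsValidationError("truncated label")
        try:
            labels.append(msg[offset:offset + length].decode("ascii").lower())
        except UnicodeDecodeError:
            raise DnsValidationError("non-ASCII label")
        offset += length
    name = ".".join(labels)
    if len(name) > 253:
        raise DnsValidationError("name too long")
    return name, offset


def parse_question(msg):
    """Parse the 12-byte header and the single question section."""
    if len(msg) < 12:
        raise DnsValidationError("truncated header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise DnsValidationError("expected exactly one question")
    qname, off = parse_name(msg, 12)
    if off + 4 > len(msg):
        raise DnsValidationError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    if qclass != 1:
        raise DnsValidationError("only class IN accepted")
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "ancount": an, "nscount": ns, "arcount": ar}


def validate_query(msg):
    """Accept only a standard query: QR=0, opcode QUERY, no stray records (one OPT allowed)."""
    q = parse_question(msg)
    if q["flags"] & 0x8000:
        raise DnsValidationError("QR bit set: response where a query was expected")
    if (q["flags"] >> 11) & 0xF != 0:
        raise DnsValidationError("unsupported opcode")
    if q["ancount"] or q["nscount"] or q["arcount"] > 1:
        raise DnsValidationError("unexpected records in query")
    return q


class TokenBucket:
    """Per-client token bucket: `rate` tokens per second, up to `burst` stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, client, now):
        elapsed = now - self.last.get(client, now)
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        self.last[client] = now
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


def rpz_match(qname, blocked=RPZ_BLOCKED):
    """Return the blocked zone that qname equals or falls under, else None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def firewall_decision(msg, client, limiter, now):
    """Order matters: cheap validation first, then rate limit, then policy lookup."""
    try:
        q = validate_query(msg)
    except DnsValidationError as e:
        return ("DROP", f"invalid: {e}")
    if not limiter.allow(client, now):
        return ("DROP", "rate limit exceeded")
    hit = rpz_match(q["qname"])
    if hit:
        return ("NXDOMAIN", f"rpz:{hit}")
    return ("ALLOW", q["qname"])


def accept_response(msg, pending):
    """Resolver side: take a response only if (id, qname, qtype) is an outstanding query."""
    try:
        r = parse_question(msg)
    except DnsValidationError:
        return False
    if not r["flags"] & 0x8000:
        return False
    key = (r["id"], r["qname"], r["qtype"])
    if key not in pending:
        return False
    del pending[key]  # one answer per question; a second copy is unsolicited
    return True


def build_message(name, qtype, txid, flags=0x0100):
    """Construct a one-question DNS message for testing (0x0100 = RD set, query)."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + wire + struct.pack("!HH", qtype, 1)
```

The unsolicited-response check is deliberately stricter than matching on transaction ID alone: the query name and type must also match the outstanding entry, and the entry is consumed on first use. A real resolver would additionally bind the response to the source port it sent from.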

Conclusion

With millions of service names and IP addresses, along with growing IPv6 deployments, service providers must architect secure and agile networks that offer connectivity, security, and an optimal customer experience. This includes protecting the networks—from the device to DNS infrastructures and to the applications in data centers.

Learn more about scalable, high-performance security solutions that can help service providers mitigate sophisticated and emerging threats to devices, DNS, and L7 applications.