On February 21st, the Internet Coportation for Assigned Names and Numbers (ICANN) announced that there is an ongoing pattern of attacks on the internets own DNS infrastructure. On February 15th In response to other recent attacks attacks, ICANN released a list of defensive ways to protect yourself against these attacks:
Ensure all system security patches have been reviewed and have been applied;
Review log files for unauthorized access to systems, especially administrator access;
Review internal controls over administrator (“root”) access;
Verify integrity of every DNS record, and the change history of those records;
Enforce sufficient password complexity, especially length of password;
Ensure that passwords are not shared with other users;
Ensure that passwords are never stored or transmitted in clear text;
Enforce regular and periodic password changes;
Enforce a password lockout policy;
Ensure that DNS zone records are DNSSEC signed and your DNS resolvers are performing DNSSEC validation;
Ideally ensure multi-factor authentication is enabled to all systems, especially for administrator access; and
Ideally ensure your email domain has a DMARC policy with SPF and/or DKIM and that you enforce such policies provided by other domains on your email system.
In another report made from krebsonsecurity, there is a large number of attacks that are targeting DNS. One such type of attack is when changes are made that replaces addresses of DNS servers with that of designated addresses made from attackers. This attack only works if DNSSEC is not being used. These attacks follow similar attacks reported in January.
*What DNSSEC is is that its a technique developed that digitally signs data. This helps protect against forged and other corrupted DNS data ensuring integrity and authentication.
As of reports made in September, only 3% of Fortune 1,000 companies are using DNSSEC. These attacks along with recommendations from security professionals will hopefully push companies to implemend DNSSEC. If nothing happens, these attacks will continue and they will only be getting worse and more costly the longer companies wait to migrate to DNSSEC.