Using TTL to mitigate the impact of DNS interruption

Stuart Fuller

There’s not a week goes by when we don’t hear of another attempted, or successful, cyber-attack. In the past few days, we’ve seen a UK bank admit that around 20,000 customers were affected by an intrusion over the weekend, which represents a new level in the cyber-attacks leveled at the financial sector.

This latest security breach comes just a couple of weeks after the Distributed Denial of Service (DDoS) attack on one of the major DNS networks that affected some of the world’s biggest brands. That success in interrupting the services of the likes of PayPal, Twitter and even Google sent a warning shot across the bows of every major CIO, CSO and CEO: relying on just one DNS network for the management of your critical digital assets is a risky strategy.

The worrying nature of the recent DNS infrastructure attack is that the DDoS traffic came from the Internet of Things: connected devices that were never designed to communicate in such a way were taken over, after being infected with the Mirai virus, and made to bombard the DNS network with packets of data.

With Internet traffic growing year on year, the concern for the forthcoming holiday season, with events like today's Chinese Singles Day, Black Friday (25th November) and Cyber Monday (28th November), is that they too will be disrupted by cyber-security issues.

Organizations such as Neustar and Verisign offer premium DNS services that are designed to absorb and deflect huge amounts of rogue data whilst genuine website traffic is allowed to flow relatively freely. Such solutions are key for large organizations to ensure that their customers stay present, protected and prosperous.

In fact, Neustar recommends that global brands use a multi-cloud strategy that includes a backup DNS provider that will continue serving DNS records, ensuring uptime and availability should one be targeted with a sustained DDoS attack.

Unless web users know the actual IP address (and so bypass the need for a DNS lookup altogether), any DDoS attack on the DNS servers that answer for a website will affect its responsiveness. A secondary DNS network will mitigate some of the issues, but is there anything else a global brand can do to try to ensure that future DDoS attacks do not disrupt normal operations?

Another proactive measure Neustar recommends is adjusting the Time To Live (TTL) settings on the critical domain names. TTL is used to inform recursive DNS servers how long to cache the IP address relating to a specific domain name. In layman's terms, it is the number of seconds for which a recursive server will keep answering user requests from its cached copy of the record before it asks the authoritative DNS server for a fresh one. The higher the TTL, the longer the record is cached. As long as the DNS response is cached, end users will be able to access a copy of the website, although some real-time interactions (such as online payments) will not be able to be completed.

There are trade-offs in setting a higher TTL though. Should a brand need to publish an alternative webpage during an attack, it will take significantly longer for web users to be served with that page. Likewise, higher TTL values will affect the ability to fail over or load balance DNS traffic, which is one of the key elements of DDoS mitigation.

Using a lower TTL will ensure the latest records are pushed to the recursive DNS servers more quickly, but in the event of a DDoS attack, more users will be served with a 'page not available' message. However, once an incident is resolved, web users will see the normal webpage faster. A lower TTL value may also increase DNS usage charges, so it is a fine balance as to what TTL to set.
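The trade-off described above can be put into numbers with a small simulation, added here as an illustration and not part of the original article. It models one recursive resolver querying once a second, an authoritative server that is unreachable during an outage window, and a record change published at a given second; the hostname, addresses and timings are constructed values, and the model ignores serve-stale and negative caching.

```python
"""Simulate how the DNS TTL trades outage resilience against change propagation."""
from dataclasses import dataclass, field


class AuthoritativeDown(Exception):
    """Raised when the authoritative server cannot be reached (e.g. under DDoS)."""


@dataclass
class Authoritative:
    rdata: str                   # current A record (constructed value)
    ttl: int                     # TTL published in the zone, in seconds
    down: tuple = (None, None)   # (start, end) of the outage window, seconds

    def answer(self, now):
        start, end = self.down
        if start is not None and start <= now < end:
            raise AuthoritativeDown
        return self.rdata, self.ttl


@dataclass
class Resolver:
    auth: Authoritative
    cache: dict = field(default_factory=dict)   # name -> (rdata, expires_at)

    def resolve(self, name, now):
        """Return (rdata, remaining_ttl), or None when the resolver must SERVFAIL."""
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], hit[1] - now        # cached TTL counts down (RFC 1035)
        try:
            rdata, ttl = self.auth.answer(now)
        except AuthoritativeDown:
            return None                        # cache expired and origin unreachable
        self.cache[name] = (rdata, now + ttl)
        return rdata, ttl


def simulate(ttl, outage, change_at, new_rdata, horizon):
    """Query every second; return (served, failed, first second new record is seen)."""
    auth = Authoritative("192.0.2.10", ttl, outage)   # constructed address
    res = Resolver(auth)
    served = failed = 0
    first_new = None
    for t in range(horizon):
        if t == change_at:
            auth.rdata = new_rdata                     # brand publishes a new record
        ans = res.resolve("www.example.com", t)        # constructed hostname
        if ans is None:
            failed += 1
            continue
        served += 1
        if first_new is None and ans[0] == new_rdata:
            first_new = t
    return served, failed, first_new
```

With a 3600 s TTL a 15-minute authoritative outage is fully masked but the new record is not seen until the cached copy expires; with a 60 s TTL the outage produces 880 failed lookups while the change is visible within 20 s.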

The recent cyber-security events have brought home to all brands the importance of ensuring that the DNS infrastructure they use will provide the maximum balance between performance and security. The use of a secondary DNS network is a sensible additional measure that an organization can take, whilst changing the TTL can be used on a tactical basis to ensure the critical digital assets remain available if there’s an attack on the web or DNS servers.