On World IPv6 Day IPv6 showed a pulse! However faint that global pulse may have been, our network showed at least some sign of IPv6 life on that day.

Long supporters of IPv6, with a significant global DNS footprint handling extremely large volumes of traffic, we at CommunityDNS were curious about what an organized focus on the use of IPv6 might produce. In my earlier CircleID posting titled “‘Capacity’ – The Hidden Word” I mentioned that our network, at that time, handled over 20 Gbit/s of traffic inbound and 50 Gbit/s outbound on an average day. Since then the average traffic handled has grown.

With World IPv6 Day bringing an organized focus to IPv6, we were curious to see what effect such visibility would have on usage.

First of all, IPv6, while supported on our network, represents a very small fraction of traffic handled by our network. There were several things we were looking for as a result of this focused effort.

1). How much of an increase might we see in IPv6-based traffic?
2). Would any increase due to the event become sustained or would IPv6 traffic levels drop back down?

Although World IPv6 Day was a single 24-hour period, the Internet and its content span all time zones, so we were curious about the impact the event would have not only on the day itself but also on the day before and the day after. We also wanted to examine IPv6-based traffic over an eight-day period to look for any trend that might indicate sustained traffic as a result of the event.

The following graph illustrates the results of IPv6 traffic across our network for an eight day period.

IPv6 Traffic on CommunityDNS before, during and after World IPv6 Day.

While there was a brief increase in IPv6 traffic on World IPv6 Day, we still saw a peak of only just over 0.2% of all traffic, an increase of only 0.026 percentage points. Sadly the bump in IPv6 usage was not sustained. While it is a start, it is only a faint pulse at best; a pulse that will be forced to grow stronger as people and organizations begin to experience the limitations of not having adopted IPv6.

As a native-IPv6 and native-IPv4 platform we look forward to increased adoption and usage of IPv6.


Today is “World IPv6 Day”.  Having integrated IPv6 into the initial design of CommunityDNS‘ platform, we understand the value IPv6 brings to users of the Internet.  Not only will it allow for needed expansion, it serves to ensure that new applications and new users of the Internet will all have a place at this global digital table.

Organizations such as Google, Facebook and Yahoo! will be serving up content over IPv6 for a 24-hour period in the hope of shedding light on IPv6.  Sponsored by the Internet Society, the goal is to help organizations see the importance of IPv6 and to begin making the move towards IPv6 compliance.

Because of CommunityDNS’ strong belief in the adoption of IPv6, and being native-IPv6 compliant, we support the efforts put forth by World IPv6 Day.


CommunityDNS has signed the ccTLD, .SH with DNSSEC.

“We are pleased to move this security initiative forward!” states Paul Kane, CEO of CommunityDNS.

Having already signed the ccTLD for .TM in the original batch of signed TLDs added to the ROOT, “Continuing the process with .SH was the next logical step. It is important for users of .SH names to take advantage of the latest in DNS security,” says Kane.

Aside from the additional security enjoyed by name holders, each registrant is able to sign its zone on its own schedule and upload its keys to the registry in real time.
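What the registrant actually hands to the registry is a DS record: a hash of its DNSKEY that the parent publishes so that validators can chain trust from .SH down to the registrant's zone. As an added example, not CommunityDNS's or Security-DNS.net's code, the following Python derives the DS record from a DNSKEY using the procedure in RFC 4034 (key tag per Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA). The owner name `example.sh.` and the two-byte dummy public key are constructed so that the key tag can be checked by hand; a real key is hundreds of bytes of RSA or ECDSA material.

```python
"""Derive a DS record from a DNSKEY, as a registrant would hand it to the parent.

Added example; not CommunityDNS code. Implements the RFC 4034 key tag
(Appendix B) and DS digest (section 5.1.4). The DNSKEY used at the bottom is
a constructed dummy with a two-byte "public key" so the key tag can be
verified by hand; real keys are far longer.
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"          # root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (must be 3), 8-bit algorithm, key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s2.1.2)")
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd octets low byte, even octets high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest type -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_record(owner: str, flags: int, algorithm: int, pubkey_b64: str,
              digest_type: int = 2) -> str:
    """Return the DS presentation line: digest = H(owner-name-wire || DNSKEY RDATA)."""
    pubkey = base64.b64decode(pubkey_b64)
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    tag = key_tag(rdata)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    fqdn = owner.lower().rstrip(".") + "."
    return f"{fqdn} IN DS {tag} {algorithm} {digest_type} {digest}"


# Constructed dummy KSK: flags 257 (zone key + SEP bit), algorithm 8 (RSASHA256),
# "public key" 0x01 0x02.  RDATA = 01 01 03 08 01 02, so the key tag works out
# to 256 + 1 + 768 + 8 + 256 + 2 = 1291.
DUMMY_OWNER = "Example.SH."
DUMMY_KEY_B64 = base64.b64encode(b"\x01\x02").decode()

if __name__ == "__main__":
    print(ds_record(DUMMY_OWNER, 257, 8, DUMMY_KEY_B64))
```

For a real key the output can be cross-checked against BIND's `dnssec-dsfromkey` or `ldns-key2ds`. The check worth running before uploading is that the DS the parent will publish matches the DNSKEY the zone actually serves; a mismatch makes validating resolvers return SERVFAIL for the entire zone.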

To learn more about DNSSEC you may wish to visit CommunityDNS’ information on DNSSEC.


What is the responsibility of the DNS? Should the DNS be responsible for policing traffic across its infrastructure? Should the blocking and blacklisting of names or throttling of query packets be the responsibility of the DNS?

From experience I know my opening paragraph has started passionate debates in more than one part of the globe. We at CommunityDNS have found ourselves right in the middle of such heated debates. “Oh YES you will!”, “Oh NO you will not!”

In keeping up with efforts of various governments around the globe we have seen the rise and disappearance of such “legal” debates on what the Internet, or what those at its endpoints should do to protect users within respective governmental jurisdictions. Again, “Oh YES you will!”, “Oh NO you will not!” Even when seeking input from organizations forming the Internet’s substructure within the same jurisdictional borders, we can still receive “Oh YES you will!”, “Oh NO you will not!”. So the debate continues.

While the Internet continuously proves its amazing value, it is a legal quagmire as to which laws can be passed when the Internet extends beyond any single legal jurisdiction. It also provides for continuous debate on the question of its technical “responsibilities” to the end user.

What is the DNS? In my mind the Domain Name System is best described as the “address book of the Internet”. Since most humans find names easier to remember than numbers, they rely on the DNS to translate the human-readable host name of an Internet destination (the name part of a URL) into the destination server’s IP address.

One thing is clear, however, the malicious community is intelligent, well organized and well funded. Their efforts have impacted national and regional online economies as well as individual businesses and the end user.

So what is the responsibility of the DNS?

The U.S. National Security Agency (NSA), according to its site, is “home to America’s code makers and code breakers”. Some also know the agency for developing and using advanced technology in the area of communications monitoring. Having also worked with start-up technology companies, I have come to know the NSA as an organization that helps technology-based companies bring advanced technologies to the marketplace. In April the NSA released a document on “Best Practices for Keeping Your Home Network Secure”.  Having been an IT manager as well as having provided for large-scale network deployments, I can say the basic concepts of the NSA’s report not only speak to common sense; they can also apply to an organization’s IT infrastructure.

One of the “best-practice” items mentioned by the NSA is to, “Implement an Alternate DNS Provider as they [referring to a user's ISP] typically don’t provide enhanced security services such as the blocking and blacklisting of dangerous and infected web sites.” CommunityDNS has this capability, but again our customers have tended to argue for the purity of the DNS’ original function.

With that said, the malicious community has continued to push the envelope on what role the DNS should take in protecting users from the tactics of the hacker. While the malicious community feasted on innocent users by poisoning resolver caches with forged answers that silently redirected them to malicious sites (a process known as “cache poisoning”), the DNS community came together and, over a long period of time, developed the specifications for DNSSEC (the DNS Security Extensions). While not the magic cure-all that will shut down the malicious community, DNSSEC was designed to give the end user assurance of reaching the intended destination and not a malicious impostor: zone data is signed by the zone owner, and a validating resolver rejects answers whose signatures do not chain up to the root. While DNSSEC may be only one small piece of the security puzzle, it is an example of how the DNS community came together to provide a level of security within the DNS to prevent cache poisoning. In the interest of moving this effort forward we have helped multiple ccTLDs sign their zones and support customers who have already signed their zones with DNSSEC. While progress in this area is being made, there is still a way to go before registries and name holders understand and “sign” their respective zones.

But what about the other large and growing threat, DoS or DDoS attacks? DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are techniques the malicious community uses to render specific sites, or even DNS providers, inoperable.

In the article titled “Ensuring Maximum Resilience to the DNS” we cited reports that organizations experienced more than 350,000 DDoS attacks in 2009 and that roughly 3% of the Internet’s traffic is tied to DDoS, through roughly 1,300 attacks each day. The article also points out how such attacks have actually impacted the DNS operations of specific DNS providers whose platforms failed under such levels of traffic.

With all that said it does not surprise me that last year’s Pan European cyber security exercise focused heavily on DDoS attacks. In 2006 the IETF touched upon this topic through RFC 4732. While the RFC discusses this phenomenon and its effects, it also provides suggestions regarding various network components, but nothing specific for the DNS.

With the sheer volume of traffic handled for our customers, we see attacks of various styles and sizes occurring daily, though most are small. From CommunityDNS’ perspective we have taken multiple approaches towards mitigating the effects of DoS/DDoS attacks. Aside from using Anycast and other special capabilities within each of our nodes, our most effective defense is that the platform was designed for large amounts of capacity, as noted last August when our node in Hong Kong handled a sustained traffic spike by comfortably processing over 863,000 queries per second. Even with a platform designed to handle such capacity, we still find that raw capacity alone does not necessarily help a client whose zone is the specific target of a DDoS attack.

Even with clients who are specifically targeted by DDoS attacks we find they are very responsive in working through such attacks; however, we are finding that such partnerships can still be improved to minimize the effects of targeted attacks. Is it acceptable for a customer’s service to be completely taken down until the issue has been worked through, or should we take a more proactive approach to minimize the impact as an attack starts to unfold? We have taken the proactive approach of applying throttles based on traffic patterns at the individual node level. These node-level throttles are set high enough to allow for normal increases in traffic, but step in if a site is targeted for take-down. Also on the proactive side, our monitoring platform provides customers with a view of how much of their traffic may be associated with such attacks, whether large or small and whether the traffic is IPv4- or IPv6-based.
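To make the node-level throttle concrete, here is an added Python sketch of one way such a throttle can work. It is an illustration, not CommunityDNS's implementation, which the post does not describe in detail. Each zone served by a node gets a token bucket whose sustained rate (assumed here to be 100 queries per second with a burst of 200) sits well above the zone's normal load; a flood against one zone drains only that zone's bucket, while other zones on the same node continue to be answered in full. The query stream, zone names and rates are constructed for the example.

```python
"""Per-zone query throttle at a single DNS node (added illustration, not CommunityDNS code).

Each zone the node serves gets its own token bucket.  Tokens refill at a fixed
rate and accumulate up to a burst ceiling, so ordinary traffic spikes are
absorbed, but a sustained flood against one zone is clipped to the configured
rate without touching any other zone served by the same node.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float            # sustained answers per second for this zone
    burst: float           # ceiling on stored tokens (absorbs short spikes)
    tokens: float = field(init=False)
    last: float = 0.0      # timestamp of the last refill

    def __post_init__(self):
        self.tokens = self.burst   # start full: no throttling until a flood drains it

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class NodeThrottle:
    """Routes each query to the bucket of the zone it falls under."""

    def __init__(self, zones, rate: float, burst: float):
        # Longest zone name first so a delegated sub-zone matches before its parent.
        self.zones = sorted((z.lower() for z in zones), key=len, reverse=True)
        self.buckets = {z: TokenBucket(rate, burst) for z in self.zones}
        self.answered = defaultdict(int)
        self.dropped = defaultdict(int)

    def zone_of(self, qname: str):
        qname = qname.lower()
        for zone in self.zones:
            if qname == zone or qname.endswith("." + zone):
                return zone
        return None   # not authoritative here; a real server would REFUSE

    def handle(self, now: float, qname: str) -> bool:
        """Return True if the query should be answered, False if throttled/refused."""
        zone = self.zone_of(qname)
        if zone is None:
            return False
        if self.buckets[zone].allow(now):
            self.answered[zone] += 1
            return True
        self.dropped[zone] += 1
        return False


def constructed_stream():
    """Constructed query log: (timestamp, qname) tuples over a 10 s window.

    example.tm. sees a steady 20 qps of legitimate lookups; example.sh. is hit
    by a 1,000 qps flood of random-looking labels, a common take-down pattern.
    """
    stream = [(i * 0.05, "www.example.tm.") for i in range(200)]
    stream += [(i * 0.001, f"x{i:05d}.example.sh.") for i in range(10_000)]
    stream.sort(key=lambda q: q[0])
    return stream


def simulate(rate: float = 100.0, burst: float = 200.0):
    """Run the constructed stream through the throttle; return per-zone counts."""
    node = NodeThrottle(["example.sh.", "example.tm."], rate, burst)
    for now, qname in constructed_stream():
        node.handle(now, qname)
    return dict(node.answered), dict(node.dropped)


if __name__ == "__main__":
    answered, dropped = simulate()
    for zone in sorted(answered):
        print(f"{zone:14} answered={answered[zone]:6d} dropped={dropped.get(zone, 0):6d}")
```

With the assumed rates, example.tm. is answered in full (200 of 200) while example.sh. is held to roughly 1,200 answers out of 10,000 (the 200-token burst plus 100 per second for 10 seconds). Production authoritative servers implement the same idea in their response-rate-limiting features (BIND's `rate-limit` statement, NSD's `rrl-ratelimit` option), which key on the response rather than the zone; the zone-keyed variant above matches the post's concern of keeping a take-down aimed at one customer from affecting the node's other customers. The trade-off is that legitimate queries for the targeted zone are also dropped once its bucket empties, which is why the threshold must sit well above the zone's normal peak.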

So as the debate rages on with “Oh YES you will!” and “Oh NO you will not!”, we feel that partnering with the customer, providing tools and proactive service, helps customers provide resilience for users, businesses, countries and their online economies.

Do we agree with the NSA’s best-practice of implementing an alternate DNS provider? Absolutely! As a secondary authoritative service we have always advocated utilizing multiple DNS providers for purposes of diversity.
   •  Diversity of network providers.
   •  Diversity of platform software.
   •  Diversity of platform hardware.
   •  Diversity among open source and non-open source platforms.

Along with our recommended approach to maximum resilience through diversity and capacity, it is also important to look at what tools are available for mitigating attacks from the malicious community. The “Oh YES you will!” and “Oh NO you will not!” will always provide for a passionate discussion.


With the final blocks of IPv4 addresses distributed, IPv6 traffic has been increasing, but at a much slower pace than expected.  Currently accounting for 1/400th of all traffic across CommunityDNS’ network, the adoption of IPv6 clearly has a long way to go.

On February 3, 2011, the last blocks of IPv4 addresses were handed out by IANA, one /8 to each of the Regional Internet Registries (RIRs).  Once all of the IPv4 addresses have been used, new destinations on the Internet will have to be assigned IPv6 addresses, the newest version of IP addressing.  Why is this important?

IPv6 is a big deal and here is why.

1). Not backwards compatible: IPv6 is not backwards compatible with IPv4, so IPv4-only hardware platforms (i.e., computers, routers, Internet appliances, even down to IP-enabled point-of-sale devices) will not be able to reach newer applications that are available only over IPv6, absent a translation layer between the two.

2). Online Economies: In 2008 e-commerce spending worldwide equaled $6.8 trillion, representing approximately 15% of global GDP (Gross Domestic Product).  In the UK alone, a recent study revealed the Internet accounts for 7.2% of the country’s GDP.  With new applications based only on IPv6, access to new applications and services may be hampered, thus limiting online economic growth potential.

IPv4
First developed in 1978 and deployed in 1981, IPv4 (Internet Protocol version 4) provided a means by which each networked device could be connected to the Internet with its own unique IPv4 address.  With a 32-bit address space of roughly 4.3 billion addresses (4,294,967,296, or 2^32, to be exact), IPv4 was believed by its visionaries to provide ample addresses for any device connected to the Internet.  Innovative ideas over the last 15 years have far exceeded the imagination of the Internet’s original visionaries.

IPv6
Development for IPv6 was started in 1993 with the new addresses becoming available in 1999.

While IPv4 supports 4,294,967,296 unique addresses, IPv6 has a 128-bit address space and was developed to support 340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128) unique addresses.

Why this is a big concern
For those who already have IPv4 addresses there should be no problem, right?  They already have their address and can connect to the Internet, so nothing to be concerned about, right?

Wrong.  As mentioned earlier, IPv6 is not backwards compatible.  Devices and networks which only recognize IPv4 will not be able to recognize or access devices or applications which are based only on IPv6 addresses.  New IPv6-based applications or content will only be for those devices and networks which recognize IPv6 addresses.

Getting back to the economic factor, we learned at the beginning of this story that in 2008 e-commerce spending worldwide equaled $6.8 trillion, representing approximately 15% of the world’s GDP.  Also, a recent study by Google says the UK is the world’s leading nation for e-commerce.  Currently for every £1 spent online to import goods, £2.80 is exported, thus creating a healthy online economic factor in the UK’s overall economy.  The study further points out that for the UK the Internet accounts for 7.2% of the country’s GDP, with growth poised for 10% annually.

Where computers, routers, networks, network providers, point-of-sale devices, appliances, smart grids, servers and applications, to name a few, are not able to support IPv6, their services can only hinder online economic growth.

So yes, migrating to IPv6 is important.

What can be done?
Start using IPv6!  There are organizations that can support IPv6, yet their DNS zones haven’t been updated to reflect IPv6 information (AAAA records for their hosts and name servers).

For those who have not yet implemented IPv6, or have not yet updated their zone files to reflect IPv6, the question is why?  Is there an identified risk in not adding IPv6 information to zones?  If there are identified risks, what are they and how are the risks being mitigated?
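One practical way to answer the “why” is to audit the zone itself. The following Python is an added example rather than anything from CommunityDNS: it parses a small constructed zone fragment (using the documentation-only ranges 192.0.2.0/24 and 2001:db8::/32) and reports each name that has an A record but no AAAA, and each in-zone NS and MX target that is reachable only over IPv4. The zone content and names are assumptions made for the example.

```python
"""Audit a zone file for hosts, name servers and mail exchangers lacking AAAA records.

Added example; the zone below is constructed with documentation-only addresses.
The parser handles the common master-file forms: $ORIGIN, $TTL, ';' comments,
'@', relative names, optional TTL and class fields, and an owner name inherited
from the previous record (a line that begins with whitespace).
"""
from collections import defaultdict

CONSTRUCTED_ZONE = """\
$ORIGIN example.sh.
$TTL 3600
@        IN SOA  ns1 hostmaster 2011060801 7200 900 1209600 3600
         IN NS   ns1
         IN NS   ns2
         IN MX   10 mail
ns1      IN A    192.0.2.1      ; dual-stacked name server
ns1      IN AAAA 2001:db8::1
ns2  300 IN A    192.0.2.2      ; IPv4 only
www      IN A    192.0.2.10
www      IN AAAA 2001:db8::10
mail     IN A    192.0.2.20     ; IPv4 only
"""


def qualify(name: str, origin: str) -> str:
    """Turn '@' or a relative label into a lowercase fully-qualified name."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin=None):
    """Return (origin, [(owner, rtype, rdata_tokens), ...]) for a master-file fragment."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0].startswith("$"):
            continue                                # $TTL etc. do not affect this audit
        if origin is None:
            raise ValueError("no $ORIGIN before first record")
        if line[0].isspace():                       # owner omitted: inherit previous owner
            owner, rest = last_owner, tokens
        else:
            owner, rest = qualify(tokens[0], origin), tokens[1:]
        if rest and rest[0].isdigit():              # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), rest[1:]))
        last_owner = owner
    return origin, records


def audit(text: str):
    """Report IPv4-only names, name servers and mail exchangers within the zone."""
    origin, records = parse_zone(text)
    by_type = defaultdict(set)
    for owner, rtype, _ in records:
        by_type[rtype].add(owner)
    have_a, have_aaaa = by_type["A"], by_type["AAAA"]

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    def ipv4_only(targets):
        # Only targets inside this zone can be judged from this file alone.
        return sorted(t for t in targets if in_zone(t) and t in have_a and t not in have_aaaa)

    ns_targets = [qualify(rd[0], origin) for _, t, rd in records if t == "NS"]
    mx_targets = [qualify(rd[1], origin) for _, t, rd in records if t == "MX"]
    return {
        "a_without_aaaa": sorted(have_a - have_aaaa),
        "ns_ipv4_only": ipv4_only(ns_targets),
        "mx_ipv4_only": ipv4_only(mx_targets),
    }


if __name__ == "__main__":
    for finding, names in audit(CONSTRUCTED_ZONE).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run against the constructed zone, the audit flags `ns2` and `mail` as IPv4-only hosts, `ns2` as an IPv4-only name server and `mail` as an IPv4-only mail exchanger. For name servers the fix has two halves: the AAAA record in the zone and the matching IPv6 glue at the parent registry, since an IPv6-only resolver that is handed only IPv4 glue cannot reach the zone at all.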

Looking forward
Because we understand the importance of supporting IPv6 for the economic health and survivability of customers and economies, CommunityDNS’ global Anycast DNS platform became completely IPv6 compliant as soon as the first IPv6 addresses were available in 1999.

It is this level of leadership and of thoroughly understanding the importance of such developments that CommunityDNS strives for excellence in DNS resilience.  As leaders in the early adoption of IPv6, CommunityDNS remains fully capable of resolving all of the world’s queries using the network engineered for security, optimized for speed and designed for resilience.


2010 was a busy year for the Internet in general and was a wonderfully busy year for CommunityDNS.  As 2011 begins we can’t help but reflect on the various milestones reached within the CommunityDNS family.

Along with the Internet’s two major developments, being DNSSEC and IDNs, other items of note for 2010 include DNS Resilience, Community Growth as well as that seemingly hidden word, “Capacity”.

DNSSEC:
Short for DNS Security Extensions, DNSSEC is a necessary step forward in the Internet’s evolution.  While much work still needs to be done in this area, CommunityDNS is pleased to see the beginnings of this rollout.  In July 2010 the ROOT zone was signed with DNSSEC.  .TM, which CommunityDNS helped sign in 2009, was in the first group of registries to have their DS record anchored in the ROOT.

Security-DNS.net – Zone Signing Made Simple
Having developed and run DNSSEC testbeds for various ccTLDs in 2004, 2005 and 2007, along with our efforts in signing .TM, CommunityDNS rolled out the highly secure Security-DNS.net tool that may be used for the signing of zones, whether the zone is a whole registry or an individual name.  This “Zone signing made simple” DNSSEC signing tool supports NSEC, NSEC3 and NSEC3 with Opt-Out, and is 100% compliant and compatible with CommunityDNS, BIND and NSD.

DNSSEC Performance Testing
In 2010 CommunityDNS also conducted extensive testing of the CommunityDNS, BIND and NSD platforms and how they handled different sized zones, whether unsigned or signed with DNSSEC.  With Bath University’s Innovation Centre ensuring consistency of testing across the three DNS platforms, CommunityDNS easily outperformed BIND and NSD when handling both unsigned and signed zones.  The zone sizes created for the test were 7,691 records, 240,419 records, 19,405,299 records and 57,873,014 records respectively.  The report illustrates both efficiencies and inefficiencies of the various platforms.

Speed:

The greater a platform’s efficiency, the greater the speed with which a platform handles queries.

Capacity:

The greater the speed in handling queries, the greater the capacity for handling exceedingly-large volumes of traffic.

The following charts illustrate CommunityDNS’ efficiency in handling various sized zones whether unsigned or signed.

.Net Names Signed
The day after .net was signed CommunityDNS, using Security-DNS.net, had its DS records in hand for its various .net names.  All of CommunityDNS’ .net names are now fully signed.

CEO Chosen as Trusted Community Representative
Paul Kane, CEO of CommunityDNS, was chosen by ICANN to be one of seven people from around the globe to serve as a Trusted Community Representative (TCR) responsible for safeguarding a share of the ROOT Zone’s DNSSEC recovery key.

IDNs:
Growth and inclusion are two basic elements of the Internet.  This year the rollout of IDNs (Internationalized Domain Names) is allowing ccTLDs to deliver domain names in scripts other than the basic Latin character set.  No longer are Internet names restricted to the traditional Latin-ASCII character set; top-level domains can now be issued in Arabic, Cyrillic and Chinese scripts, to name a few.  CommunityDNS has long been a supporter of the use of IDNs and is experienced in handling them.  Prior to IDNs being offered at the TLD level, CommunityDNS had a multi-year history of supporting clients who were using IDNs at the second level.

DNS Resilience:
CommunityDNS was proud to be chosen by the DNS Infrastructure Resilience Task Force to deliver a study regarding the resilience of the DNS for the EU and its Member States.  The study was commissioned by the EU’s Directorate-General for Justice, Freedom and Security.  The study was completed during the first quarter of 2010.

Growth:
CommunityDNS continues its growth in bringing resilience to users of the Internet.  By the end of 2010 CommunityDNS was supporting over 140,000,000 names, which translates to over 68% of the Internet’s domain names!

Capacity:
“Capacity”, the seemingly hidden word in the general DNS discussion, is highly important for providing for a network that is highly resilient.  Having a platform with a number of distributed nodes is important, but still lacks if “platform efficiency” and “capacity” are not properly figured into the equation.

Hong Kong Traffic Spike
A network can’t easily support over 68% of the Internet’s names without having ample capacity to ensure resilience.  While we have always been able to discuss how optimally designed CommunityDNS’ platform is, August 2010 provided an outstanding example of its strength; an event where people took notice.  A traffic spike hit our node in Hong Kong.  For the duration of the spike, lasting just under two hours, CommunityDNS’ node comfortably handled over 863,000 queries per second.  We have seen other DNS platforms fail when dealing with lesser volumes of traffic.  Extrapolating from the queries a single node handled in Hong Kong to all of our nodes, as a network CommunityDNS can, today, easily handle 35,383,000 queries per second.  That’s staggering!

Taking on What Others Can’t Handle
In the last major attack CommunityDNS ended up answering 50% more queries for the customer, as the customer’s other DNS providers, also under attack, could not handle the load; resolvers automatically switched more of their traffic to CommunityDNS.  This is not uncommon: wherever other networks can’t handle the load, CommunityDNS typically absorbs the overflow.

Another item to note about capacity within CommunityDNS’ global network, in 2010, on an average day, CommunityDNS would process 20Gb per second of traffic inbound while also processing 50Gb per second of traffic outbound.  In early 2011 we have already seen this number increase.

So, yes, “Capacity” is very important.

On the Horizon:
For 2011 we expect to play a larger role with our clients regarding DNSSEC and their respective rollouts, further involvement with IDNs and continued network growth.  The other element expected to be a major item this year is IPv6.  Understanding that the Internet has grown beyond what was originally imagined, and understanding the importance of the ever-decreasing number of available IPv4 addresses, CommunityDNS incorporated IPv6 into its initial platform design.  Since CommunityDNS’ platform was first released the network has been fully native IPv4 and native IPv6 compliant.  With that said, we look forward to playing a greater role with our clients in helping to support their IPv6 needs.

So yes, 2010 was a wonderfully busy year for CommunityDNS.  We look forward to an exciting 2011!


In the midst of “Cyber Monday”, the day traditionally seen as one of the year’s busiest days for online shopping, it is only appropriate to examine the importance DNS plays for online economies. With DNS being at the heart of Internet connectivity it is easy to understand why DNS is important to the growing health of economies whose online health in dollars and euros rest in the billions.

While various online economies appear to be growing, doubts, malicious activity and platform failures still hamper growth. Despite these impediments, trends indicate continued growth for the global online economy.

By December 2008 the EU alone had 282.65 million Internet users, translating to 28% of the world’s Internet users. At that time the number of EU citizens who shopped online was 150 million. Adoption of online shopping is greater in some countries over others.

Another interesting trend is the growth of certain online applications, with banking being one such indicator. According to a study from APACS, the UK payments association, from 2000 to 2005 the number of online banking users in the UK grew 505% from 3.5 million to over 21 million users.

When we convert such numbers to money, in 2006 the EU’s online e-commerce market was valued at €106 billion, or $156 billion USD. However, it is interesting when we look at the projections for e-commerce growth. According to a recent Forrester study by 2014 the US’ online economy is predicted to reach $249 billion USD (or just over €190 billion) while the EU’s online economy is predicted to reach €114 billion (or just over $149 billion USD). The top three market drivers for each region’s respective online economies?

US:

  • Consumer electronics
  • Apparel, footwear and accessories
  • Consumer hardware, software and peripherals

EU:

  • Books
  • Event ticketing
  • Clothing

Another indicator of the growth of online commerce is the share of marketing budgets allocated to online advertising. In the UK, the EU’s most active online marketplace, online advertising overtook traditional TV advertising for the first time: in the first half of 2009, £1.752 billion (just over €2 billion and just over $2.7 billion USD) was spent on online advertising while only £1.639 billion was allocated to traditional TV advertising. Fast-forwarding to the 3rd quarter of 2010, a report by PricewaterhouseCoopers (with information from the Interactive Advertising Bureau) put Internet-based advertising in the US alone at $6.4 billion USD (close to €5 billion), representing a 17% increase over the same period of 2009.

While the numbers seem strong there are still barriers to online trade, such as language, geographical segmentation and regulatory issues such as VAT rules, distribution law and intellectual property protection. The EU Commission has been working to reduce these barriers. However, one impediment to healthy online use has been uncertainty due to identity theft and threats from the malicious community. We have also seen DNS platforms fail under heavy traffic spikes caused by DDoS attacks.

Therefore while signs for the globe’s various online economies appear healthy and growing, doubts still impede adoption of what could be even healthier, more vibrant e-commerce economies. As such it is necessary for those who build DNS infrastructure, whether the corporate enterprise, hosting companies, ISPs and registrars, to remember the basics for providing for the most resilient form of DNS infrastructure, with those being:

1). An infrastructure incorporating diversity among DNS platforms which include a mix of open source and non-open source platforms.
2). A platform incorporating high levels of security, thus helping citizens develop greater confidence in benefiting from greater options, convenience and savings associated with online purchases.
3). A platform optimized for capacity so as to comfortably handle extremely large volumes of traffic without fear of an infrastructure collapsing under the weight of such levels of traffic.

CommunityDNS, a provider of global DNS anycast services since 1996 with 100% uptime and an early adopter of IPv6, DNSSEC and IDNs, developed a non-open source platform that set the bar with regard to security and capacity. Being a non-open source platform engineered for security, optimized for capacity and designed for resilience, its incorporation within an existing open source-based DNS infrastructure provides for the greatest platform diversity and resilience.

So while today may be Cyber Monday, it is a good time to reflect on the importance of the billions of Euros and Dollars that circulate through the globe’s various online economies and the role DNS plays in the support of such economies. The economic indicators and trends signal strong and continued growth for online economies, but it is up to DNS and the various infrastructures to ensure design around security, capacity and resilience.


What is so secret about the word, “Capacity”? As I read and talk with people I realize the word, “capacity” is typically missing from the DNS discussion. “Capacity” and “Security” are the two cornerstones to maximizing DNS resilience; both of which are typically missing from the DNS discussion.

Have you seen a single DNS node easily process over 863,000 queries per second? Have you seen a network routinely handle over 50Gbits/second in outbound traffic alone without breaking a sweat?

What is DNS? We all know that the Domain Name System serves as the proverbial address book for the Internet. While most humans find it difficult to remember IP addresses, we need some way to convert our human-brain oriented way of remembering Internet destinations to a destination’s respective numerical IP address; hence the DNS.

What I tend to hear touted about DNS are:

  • “Global”
  • “Anycast”
  • “Node numbers and location”
  • “Bandwidth”
  • “Resolution speed”
  • “IPv6”

What I don’t hear in the overall discussion is that of “Security” and “Capacity”. While I will cover “Security” (meaning more than DNSSEC) in a future post, this post will focus on “Capacity”.

As we know, DDoS (Distributed Denial of Service) attacks occur daily. As mentioned in an earlier blog post, a Forrester survey indicated organizations experienced more than 350,000 DDoS attacks in 2009. Another study, from Arbor Networks, found that approximately 3% of the Internet’s traffic is tied to DDoS, or roughly 1,300 attacks each day.

Because of such attacks we have learned of other DNS providers, on differing platforms, that failed because they lacked the capacity to handle the traffic load. Examples include UltraDNS, hit twice in 2009 with regional outages; DNS Made Easy, targeted in 2010 with a 1.5-hour outage; and Register.com, which suffered a 3-day attack in 2009 and another attack a couple of days ago.

What do I mean by “capacity”? “Capacity” in this conversation means the capacity of the actual DNS platform to handle very large volumes of traffic. I am not talking about the server hardware on which the DNS code runs; “DNS platform” refers to the code and its efficiency in handling DNS. While some consider bandwidth and hardware the major part of the “capacity” equation, we should be examining the “capacity” of the respective DNS platforms as one of the two cornerstones for truly maximizing DNS resilience (“Security” being the other). When looking at the overall picture it is easy to see how a slow or inefficient DNS platform can be slow in handling large volumes of DNS lookups, or queries. As such, throwing bandwidth or servers at the issue does not solve the problem of an inefficient DNS platform. Can networks be busy? Yes, but should they be backlogged by the DNS platform? No.

A good example of “capacity” occurred in August 2010 when CommunityDNS’ Hong Kong node experienced a heavy spike in traffic. The spike lasted just under 2 hours. During that time CommunityDNS observed the Hong Kong node comfortably processing over 863,000 queries per second. What that means is that while the system was processing such large volumes of traffic, the platform itself still had plenty of idle time, ready to handle more, ensuring every legitimate query continued to be answered. There was no way of determining whether CommunityDNS was the target of a DDoS attack, but the fact remains that the platform was designed to handle exceedingly large volumes of traffic. This is also borne out by the fact that during an average, non-busy period the CommunityDNS network handles 20 Gbit/s of traffic inbound while also handling 50 Gbit/s outbound. DNS platforms have faltered over lesser amounts of traffic. Again, the ability to comfortably handle such levels is based on the respective DNS platform’s design. Once one appreciates the importance of capacity, resolution speed becomes irrelevant, as the platform will always be far faster than what a bandwidth provider can deliver.

So yes, when looking at the various factors used in maximizing resilience of the DNS, “capacity” is one of the major cornerstones to a healthy and vibrant Internet.

Why is this important? Why should we always strive to set the bar high? For people the Internet means:

  • Their business
  • Their nation’s online perception
  • Their national, regional and global online economies

So when looking at DNS providers or platforms, be sure to examine the respective platform’s “capacity”.  It’s time for “capacity” to come out of hiding and be part of the standard conversation.




Yesterday CommunityDNS noticed a sudden, heavy spike in traffic through its Anycast node in Hong Kong. The node comfortably processed queries at 863,000 queries per second for close to 2 hours; the occurrence was undeniable. While we can’t say the increase in traffic was specifically due to DDoS, its suddenness is suspicious and reminds us that DDoS is still a popular tool used by the malicious community.

DoS and DDoS attacks are happening throughout each day. Just as UltraDNS was twice regionally impacted in 2009 by DDoS traffic, Register.com suffered close to a 3-day outage in 2009, and DNS Made Easy was the recent target of an attack creating close to a 1.5-hour outage for its users earlier this month, none of us (enterprises, ISPs, hosting firms, registrars and DNS providers) is immune to such malicious antics. While all queries appeared legitimate in yesterday’s spike, there is no reason to believe CommunityDNS was the intended target for the sudden increase in traffic. However, it still raises the issue of the impact such malicious activity can have on the general user base as well as the online economy.

Last year and earlier this year CommunityDNS worked on a study developed for the EU Commission’s Directorate-General for Justice, Freedom and Security regarding the resilience of the DNS for the EU and its member states. The study pointed out the effects such malicious activity has on the confidence of legitimate Internet users. Such effects erode confidence, leaving the EU’s online economy unable to reach its full potential. The same applies to any online economy. The study also noted how “suspicious” traffic appeared more elevated in some European cities than in others. A recent Forrester survey indicated organizations experienced more than 350,000 DDoS attacks in 2009. Another study, from Arbor Networks, found that approximately 3% of the Internet’s traffic is tied to DDoS, or roughly 1,300 attacks each day.

So as the Internet marches on with the needed ramp-up of DNSSEC, the rollout of IDNs and eventually the addition of new gTLDs, the malicious community continues its global activity. Such activity should make us all ask, “Are we doing the best we can to ensure maximum resilience for Internet users and online economies?” The best way to ensure maximum resilience for users, businesses and the general online economy is through platform diversity. Where one has an open source-based DNS platform, a non-open source-based platform should also be used. A mix of hardware platforms, upon which the open source and non-open source DNS software operates, is also necessary, as the hacker community has more tricks up its sleeve than DDoS attacks; a bug or exploit that takes down one implementation is unlikely to affect a different implementation running on different hardware. Adding hardware and software diversity into an infrastructure with strong security, ample capacity and scalability is the strongest method for ensuring maximum resilience to the DNS.



