Parler’s Other Security Risk: DNS Denial-of-Service
Most websites risk disruptions because they rely on a single provider for one or more cloud services. Every website requires a DNS server to route internet traffic based on its domain name, but few have a backup option if that service is cut off. Indeed, 85% of the top 100,000 Alexa sites critically depend on a single third party for DNS, according to a recent study by researchers at Carnegie Mellon University. Unfortunately, if that provider's service goes down, the site is exposed to Distributed Denial of Service (DDoS) attacks and service outages. Having redundant DNS capability with more than one provider addresses the problem.
Overall, 40% of websites in the study are critically dependent on just three DNS services — Amazon Route 53, Cloudflare and DNSMadeEasy. That jumps to 72% when including indirect dependencies associated with certificate authorities (CAs). CAs support HTTPS security and are a standard requirement for today's website operators. About half of CAs use a third-party DNS service themselves, which can make them outsized weak links in the supply chain. For example, 2% of the top 100k sites are critically dependent on DNSMadeEasy because they use the service directly, but that figure rises to 25% when taking into account that DigiCert, a leading CA, relies on DNSMadeEasy for DNS.
When Amazon Web Services terminated its terms of service with Parler, it in many ways initiated a legal denial-of-service "attack," with its Amazon Route 53 DNS service being just one of many cloud services that were turned off, adding to Parler's mounting security woes. The social media service has since picked up DNS services from a Russian firm. As we continue to debate how market power affects vendor and technology lock-in, remember to consider the small cloud services along with the larger ones that get all the headlines.
Amazon Web Services (AWS) and NS1 are sponsors of The New Stack.