Cloud Management, Automation & Cybersecurity for DDI
FREE Webinar On-Demand

Replay the discussion!

Hear why TCPWave was rated one of the top 25 cybersecurity products in 2017 by CIO Applications Magazine.

Held December 6, 2017  

DNS is the most popular protocol used for computer communication today, however with that it attracts deviant criminals who produce malicious attacks for illegal gain. One of the hottest trends in DDoS is the multi-vector attack, combining flood, application and state exhaustion attacks against infrastructure devices all in a single, sustained attack.

Catch a replay on-demand

Request Access

These vulnerabilities have put tremendous pressure on security experts lately, in bringing out effective defense solutions. These attacks could be implemented diversely with a variety of tools and codes. Topping the list of known major DNS attack types are:

  • Denial-Of-Service
  • DNS Query Flood
  • DNS Amplification/ Reflection
  • DNS Vulnerabilities
  • DNS Hijacking Unauthorized
  • DNS Changes
  • DNS Data Leakage
  • DNS Man-In-The-Middle

Since there is not a single solution for Denial of Service, this attack has managed to prevail on the internet for nearly a decade. As a matter of fact:

  • According to Cisco as stated in their 2016 Annual Security Report, 91% of malware uses DNS to carry out campaigns – DNS is an open door to the World Wide Web!
  • The 2017 SANS Threat Landscape Survey ranked DDoS as the third-most significant threat
  • According to ZDNet, the average DDoS attack cost for businesses rose this year to over $2.5 million (on average per organization) with the loss of revenue at peak times caused by DDoS disruption can sometimes reach beyond $100,000 an hour
  • Neustar says that the enterprise is finding it more difficult than ever to stem the financial cost of DDoS campaigns. DDoS attack rates are increasing and businesses are being forced to pay out for damage control and repair, as they are losing more revenue through online service disruption than ever before

Does this keep you awake at night?

TCPWave DNS, DHCP and IP Address Management (DDI) software provides all the traditional processes expected of a top rated DDI solution. However, when it comes to cybersecurity, TCPWave provides unsurpassed Cloud Management, Automation and Security using RESTful API’s and a proprietary secure transport built using 1024-bit encryption.

DNS is imperative for network operation and essential business operation in today’s marketplace. Because of this, DNS services are a prime target for attack to render a company’s networked resources and their virtual presence unreachable to the rest of the world. Even worse, if hackers could change the DNS records, then they could instead redirect everyone to sites they control. Since DNS is built upon cooperation between millions of servers and clients over insecure and unreliable protocols, it is uniquely vulnerable to disruption, subversion, and hijacking. Threat actors are utilizing many new techniques to disrupt businesses, including Generic Routing Encapsulation (GRE) based flood attacks and Connectionless Lightweight Directory Access Protocol (CLDAP) reflection techniques.

And to make matters worse, when Internet of Things (IoT) connected devices are left unsecured in an enterprise, they can act as pathways to penetrate business network defenses as well as become slave nodes themselves which are included in the DDoS traffic stream. For example, the Mirai botnet works by exploiting the weak security on many IoT devices finding victims by constantly scanning the internet for IoT devices that have factory default or hard-coded usernames and passwords. Detecting infected IoT gadgets is more difficult because, unlike PCs, an infected webcam or DVR doesn't show its owner any symptoms and, while simply rebooting a device will usually get rid of the Mirai malware, without a firmware update, it's still vulnerable to being re-infected.

During the Webcast, you will learn how TCPWave performs the following and helps protect your network:

  • Secure External DDI Cloud Automation - External DNS diversification is mandatory in today’s networks. Whether it’s multiple DNS cloud hosting or dual DNS servers running different code, TCPWave can manage all of this under a single pane of glass using workflows. You will find out how TCPWave supports Cloud Automation during the webinar.
  • DDoS Attack Mitigation – Anyone responsible for preventing cyber-attacks knows that DDoS has the most devastating effects hampering IT security. Simply put, DDoS attacks can take down the largest organizations. From a high level, DDoS attacks can be divided into three types: Volume Based Attacks (i.e. UDP floods, ICMP floods, and other spoofed-packet floods); Protocol Attacks (SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS, etc.); and Application Layer Attacks (A.K.A. layer 7 DDoS attack) which over-exercises specific functions or features of a website with the intention to disable those functions or features. The only true way to successfully mitigate DDoS attacks is to acquire the DNS horsepower to absorb the attacks. When it comes to external DNS, you can either host your own solution or outsource to an external DNS provider. You’ll find out how TCPWave effectively supports both solutions during the webinar.
  • Dual DNS Protection - When your primary BIND DNS becomes compromised, the TCPWave monitoring service alerts the administrator who can shut down the BIND DNS server and bring up the Unbound DNS for Caching or the NSD DNS for Authoritative Services. This concept will be described in more detail during the webinar.
  • Dynamic DNS Firewall - TCPWave allows DNS firewall rules to be defined in the GUI and apply those rules dynamically across all target DNS servers. There is no need to log into the appliances or do anything. There’ll be more about this capability during the webinar.
  • Dynamic Spin-Up of Cloud DNS Servers – In October 2016, a cyberattack on the servers of Dyn, the US company that controls most of the DNS infrastructure, caused sites like The Guardian, Reddit, CNN and many others to go offline. TCPWave allows the diversification of DNS over multiple DNS cloud providers – Amazon Web Services (AWS), Google Cloud Platform, Verisign, Microsoft Azure, Oracle/Dyn, Akamai. This balances DNS query processing during day-to-day operations and allows you to dynamically increase or decrease DNS bandwidth during peak operations or during DDoS attacks. During the webinar, you will find out how TCPWave allows you to dynamically run your DNS without major OpEx disruptions to your budget.
  • Segregation of Duties – TCPWave allows concise definitions of administrative duties that allows you to control the risk of human error or malicious DNS/DHCP activities through proper division of tasks between employees. TCPWave makes this simple yet powerful. We’ll describe this function during the webinar.
  • Terraform Secure Workflow - Customers who need to implement DDI into a workflow will appreciate the TCPWave Terraform Secure Workflow capability. Terraform allows automated DDI workflows to be implemented into internal applications and cloud instances. The workflows allow updates to subnets, objects, DHCP, IP blocks, and more. This will be described in more detail during the webinar.
  • DDI Migration – TCPWave and ELEVI have experience migrating large enterprises from existing DDI solutions to TCPWave - a much more cost effective and more modern solution. Migration capabilities and the results we have achieved with current customers will be described during the webinar. Please contact us if you would like a deep dive into this topic.

To learn more, download the following brochures, articles, videos and whitepapers:

TCPWave Brochure

This brochure provides an overview of the TCPWave DDI functionality and covers the IP Address Management (IPAM) functionality, Simplified Dashboard, Auto Discovery, Switch Port Discovery, Cloud Discovery, Cloud Management, Terraform Cloud Workflow Integration, and many more topics.

CIO Cyber 25 Article

The Top 25 Cyber Security Companies 2017 article from CIO Applications describes how TCPWave is built to absorb massive DDoS attacks.

Gartner Report

The article from Gartner entitled On Demand Diversified External DNS is Here can be download from this location. The article describes how TCPWave mitigates a DDoS attack and how the TCPWave solution provides you advanced Cloud Integration and a Robust RESTful Framework.

External DNS Diversity Video

Download the 15-minute External DNS Diversity video here. This video shows how easy it is to configure 5 different external DNS cloud instances using the TCPWave web-based GUI, and much more.

TCPWave Leader

TCPWave Leader – Download this short 1-page overview which explains why TCPWave is a leader in the DDI Industry.

TCPWave Virtual Machine Installation

This document describes how you can install the TCPWave Virtual Machine. See for yourself how easy it is to install the TCPWave IPAM VM and the Remote VM from OVA files. If you’d like to take TCPWave out for a test spin, you will follow these instructions.

DNS/DHCP Fundamentals

If you are new to DNS and DHCP, this easy to read and follow document is a good place to start.

TCPWave IPAM and Remote Deployment in AWS

This guide explains how to take the TCPWave IPAM and Remote images and install them under Amazon Web Services (AWS). See how easy this is to perform.

Appliance Datasheet

TCPWave provides a complete portfolio of hardware and software appliances. This includes our TW230, TW330, TW440 and TW740 hardware appliances from Dell. As an example, you can download a copy of the TW330 Appliance datasheet here. We also provide software appliances that support VMware, KVM, AWS and others.

Hardening DNS

The National Institute of Standards (NIST) has published the Secure Domain Name System (DNS) Deployment Guide18, which is a comprehensive document on securing DNS. This is to be used in addition to the hardening guides from the software manufacturer of your DNS server. A good way to gauge the strength of your DNS services is to engage a penetration test with DNS in scope to check. It’s not foolproof, but it can give you an idea of what you might have missed.

For additional information, please contact Steve Wiggins and Jimmy Reiley