Verisign Studies: Externally Managed DNS Improves Uptime; DDoS Hits Two-Thirds Of U.S. Organizations

Organizations that outsource DNS management to specialized service providers experience half the downtime of those that manage DNS internally or rely on their ISPs, according to a study commissioned by Verisign. And, in another report, a Verisign survey showed that nearly two-thirds of the responding companies experienced distributed denial-of-service (DDoS) attacks, although more than 80% of them have some sort of DDoS protection, either on premises or through a service provider.

May 10, 2011


The DNS study of the top 1,000 sites ranked by Web information company Alexa showed that internally managed and ISP-managed global domains were available an average 99.7% of the time, or more than 4 minutes of downtime per day. Externally managed domains were available an average 99.85% of the time, just over 2 minutes of downtime daily.

The Verisign report notes that even a few minutes of downtime can cost thousands, or even tens of thousands, of dollars per day on high-volume websites. The availability for U.S. domains was higher than the global average for both internally/ISP-managed and externally managed domains.

The report speculates that DNS service providers have higher availability because of their use of Anycast DNS resolution, which assures there is always a server available to respond to DNS queries. Verisign combined the data for both locally managed domains and those managed by ISPs under "internal" because most ISPs don't invest heavily in assuring maximum availability, says Sean Leach, Verisign VP of technology with the network intelligence and availability group.

"For ISPs, DNS is really a cost center," he said. "It's something they have to provide; it doesn't make them any money. Some ISPs do a very good job, but for the vast majority, it's an afterthought." Verisign manages top-level domains including .com, .net, .gov and .edu through its services.

DDoS is a major security problem, according to the 225 U.S. IT executives and decision makers surveyed in March. Four out of five were extremely or very concerned about DDoS attacks, and about two-thirds expect the frequency and strength of attacks to increase or stay the same in the next two years.

A majority (63%) of the respondents say they had experienced at least one DDoS attack in the past year, and one in nine say their organizations had suffered six or more attacks. Nearly half of those attacked say that their website was down for five or more hours, and just under a quarter of the victim organizations say their sites were down for 12 hours or more.

All but 16% of the respondents have some sort of DDoS protection in place. That protection is evenly split between in-house and third-party managed services. The majority of those managed services rely on over-subscribing bandwidth to mitigate the impact of DDoS. This adds expense, and attackers can counter by increasing their bandwidth.

While there are specialized anti-DDoS appliances on the market from vendors such as Arbor Networks, most organizations rely on their firewalls and/or network intrusion prevention systems for in-house mitigation.

"A lot of people think they have DDoS protection when they really don't," says Leach. "Firewalls only protect you from very simple DDoS attacks like SYN floods. Bad guys are using very application-specific attacks, and always have more bandwidth than you." Leach also said that most organizations have neither the expertise nor the threat intelligence for effective DDoS mitigation, and recommends specialized anti-DDoS managed services (such as Verisign's DDoS Protection Services).
