“The attackers are no superheroes”
07.12.2021 07:35

Robert Schischka is CEO of nic.at and its sister company ipcom GmbH. In this interview, he explains why attacks on DNS infrastructure are on the increase and confirms that governments have the issue in their sights, too.


The RcodeZero DNS Anycast service has been around for ten years now. Why did nic.at decide to set up its own service in the first place?
For top-level domains (TLDs), availability is the Holy Grail. Our servers have to work, we simply cannot afford to factor in any down time for maintenance. This made it all the more important for us to build up our own Anycast expertise. Doing so gives us a control mechanism, as well as a better insight into monitoring data. We wanted to find out whether attacks are taking place and, if so, where are they coming from? What can we optimise? The core idea was for us to only use this service for our .at zone. But given that our industry had always been defined by strong, trust-based partnerships, we soon opened up the service for other registries, registrars and companies.


What were the milestones of the past ten years?
We are delighted to have won over so many TLDs with our product. Top-level domains such as .eu and .nl are significantly larger than we are. People trust us, our quality shines through. Within certain parameters, being a smaller provider allows us to respond to customer requests with a great deal of flexibility. Swiss TLD .ch was looking to establish a server location close to Zurich. This request made sense from a network topology point of view, which is why we set up a node there. Another important step was gaining a foothold on the secondary market. We are constantly being approached to build bespoke solutions for registrars so that we can integrate our service into their processes and operations. This is one of our strong points – as developers of our own product we are in a position to implement custom specifications, provided that it is commercially viable.


Anycast is designed to distribute loads optimally and absorb outages in the event of an attack on the DNS infrastructure. Are attacks like these on the rise?
We’re seeing a huge increase in the number of attacks motivated by revenge or extortion. Betting portals are constantly having to swat away would-be attackers, especially before major events such as world championships. As a result, the importance of putting in place adequate protection against distributed denial-of-service (DDoS) attacks has risen. RcodeZero DNS spreads the infrastructure across multiple networks and continents.


What form do these attacks take?
There are attack patterns that can elicit major responses with only a small packet. Attack machines can be hired for relatively little money. When it comes to the attackers on the internet we are not talking about superheroes with special technical skills. One way to put it is this: someone uses postcards to order thousands of mail order catalogues to a specific address. The letter box soon spills over and pallets of catalogues are left to stack up around the front door. The recipient now has a major problem on their hands, while it costs the person who sent the postcards virtually nothing. And this is how it works with attacks on the DNS infrastructure. The responses are much bigger than the queries due to the protocols involved. DNS is left facing the issue that the majority of traffic is associated with a stateless protocol for which the sender’s address can be falsified. This is the basis of many attacks and also the reason why attacks on the DNS are so popular. They are relatively simple. And it is much easier to launch a destructive attack than to mount a constructive defence. For this reason, governments have identified DNS and domains as a critical topic.


And what are policymakers doing?
DNS features prominently in the drafts of the new NIS 2 Directive for the EU’s cybersecurity strategy. It also prioritises topics such as the resilience and vulnerability of our digital society, whereas previously policymakers had always tended to place a greater emphasis on securing physical infrastructure. So it’s not just electricity that is critical for European infrastructure, the lights will also go out if the DNS fails. There is increased awareness that all elements of the infrastructure have to be made secure. Of course, this also means more regulation and tighter security requirements for DNS operators. This has the potential to become a driver for Anycast services.


What is ipcom doing in the face of these increasingly frequent attacks?
The advantage of Anycast is that services can be expanded. We are not just talking about the use of higher-performance servers here, but adding more of them. It’s a constant arms race. We bought a DDoS mitigation service from Cloudflare because threats in the terabyte range are on the increase. What is needed is a provider who is in a position to mitigate these threats globally. Thus far, these terabyte-range threats have remained exactly that, but they could ultimately become successful at some point.


Is RcodeZero DNS also interesting for customer groups other than registries and registrars?
There is a huge amount of potential for enterprise customers, banks, utilities and the like. These are customers that are dependent on information technology, and whose core business is not DNS operations. Many of these companies have their own infrastructure and the potential to add services from external providers to their portfolios – but that represents a sales-side challenge for us.


RcodeZero DNS has been around for ten years. What direction will the product take going forward?
The DNSSEC signing service, which is included free of charge in every RcodeZero DNS bundle, will become increasingly important. It is a security extension for the DNS that guarantees the authenticity and data integrity of DNS transactions. This is a complex, specific topic that we have addressed extremely effectively. Many registrars are looking to outsource this service.


On top of that, we are continuing to expand our servers, and their architecture is changing, too: we are setting up fewer – but far more powerful – machines per location. We will carry on making more use of virtual servers so that we can respond to customer requirements more rapidly. Pinpointing locations and continuous network optimisation is a challenge. In the early days, we put an immense amount of effort into sending physical hardware to the USA: it was a logistical headache, starting with complex customs formalities, all the way through to a lack of contacts on the ground. But we don’t have this issue any longer with our virtual servers. Ongoing optimisation and adaptations mean that our Anycast service will certainly keep us occupied over the next ten years.