NordVPN Promotion

Home / Industry

How Savvy DDoS Attackers Are Using DNSSEC Against Us

How Savvy Attackers Are Using Our Defenses Against Us – In recent study of one sector’s DNSSEC usage, we found more than 1,000 domains that weren’t properly managed and are capable of being manipulated to amplify already dangerous DDoS attacks. (Click to Download)Neustar this week published a research report, “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us,” detailing how Domain Name System Security Extensions (DNSSEC) can be subverted as an amplifier in Distributed-Denial-of-Service (DDoS) attacks. Neustar determined that on average, DNSSEC reflection can transform an 80-byte query into a 2,313-byte response, an amplification factor of nearly 30 times, which can easily cause a network service outage during a DDoS attack, resulting in lost revenue and data breaches.

“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” said Joe Loveless, Director Product Marketing, Security Services, Neustar. “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”

DNSSEC was designed to provide integrity and authentication to DNS, which it accomplishes with complex digital signatures and key exchanges. As a result, when a DNS record is transferred to DNSSEC, an extraordinary amount of additional information is created. Additionally, when issuing the DNS command, “ANY,” the amplified response from DNSSEC is exponentially larger than a normal DNS reply.

Key findings and recommendations from “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” include:

  • DNSSEC Vulnerabilities Are Prolific – Neustar examined one industry with 1,349 domains and determined 1,084 of them (80 percent) could be maliciously repurposed as a DDoS attack amplifier (they were signed with DNSSEC and responded to the “ANY” command).
  • The Average DNSSEC Amplification Factor is 28.9 – Neustar tested DNSSEC vulnerabilities with an 80-byte query, which returned an average response of 2,313-bytes. The largest amplification response was 17,377-bytes, 217 times greater than the 80-byte query.
  • The Anatomy of a DNSSEC Reflection Attack – Neustar illustrates the command and control servers required to run the botnets and scripts that target DNS nameservers to execute DNSSEC amplification attacks.
  • Best Practices for Mitigation – For organizations that rely on DNSSEC, Neustar recommends ensuring that your DNS provider does not respond to “ANY” queries or has a mechanism in place to identify and prevent misuse.

“Neustar is focused on using connected sciences to connect people, places and things, which is why network security is so imperative,” said Loveless. “As more organizations adopt DNSSEC, it is critically important to understand how to secure it. The time to fix it is now.”

For more information about obtaining a copy of “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us,” click here.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By GoDaddy Registry, World-Leading Provider of Domain Name Registry Services

GoDaddy Registry (formerly Neustar Registry) is one of the world’s largest and leading domain name registry providers. We operate top-level domains (TLDs) on behalf of sovereign nations, city governments, global brands and domain registries so that people worldwide can bring their ideas to life online.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

NordVPN Promotion