|
How Savvy Attackers Are Using Our Defenses Against Us – In recent study of one sector’s DNSSEC usage, we found more than 1,000 domains that weren’t properly managed and are capable of being manipulated to amplify already dangerous DDoS attacks. (Click to Download)Neustar this week published a research report, “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us,” detailing how Domain Name System Security Extensions (DNSSEC) can be subverted as an amplifier in Distributed-Denial-of-Service (DDoS) attacks. Neustar determined that on average, DNSSEC reflection can transform an 80-byte query into a 2,313-byte response, an amplification factor of nearly 30 times, which can easily cause a network service outage during a DDoS attack, resulting in lost revenue and data breaches.
“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” said Joe Loveless, Director Product Marketing, Security Services, Neustar. “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”
DNSSEC was designed to provide integrity and authentication to DNS, which it accomplishes with complex digital signatures and key exchanges. As a result, when a DNS record is transferred to DNSSEC, an extraordinary amount of additional information is created. Additionally, when issuing the DNS command, “ANY,” the amplified response from DNSSEC is exponentially larger than a normal DNS reply.
Key findings and recommendations from “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” include:
“Neustar is focused on using connected sciences to connect people, places and things, which is why network security is so imperative,” said Loveless. “As more organizations adopt DNSSEC, it is critically important to understand how to secure it. The time to fix it is now.”
For more information about obtaining a copy of “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us,” click here.
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byVerisign