
DDoS Blog

Cyber Security News

DNSSEC and the Problems it Unintentionally Creates

April 5, 2018 By TheNewsTeam

DNSSEC (Domain Name System Security Extensions) is a set of extensions to DNS that lets a resolver verify that the data in a response was published by the zone's owner and was not altered in transit. DNS security has been a focus of recent 'improved' security procedures, and DNSSEC, if properly configured, adds a useful layer of protection to the DNS protocol by providing origin authentication and data integrity. It does not encrypt queries or responses, and it does nothing to authenticate the client that sent a query, which is the gap the rest of this article is about.

However, a DNSSEC-enabled nameserver that is not properly configured can be weaponized to launch volumetric attacks. DNSSEC works by publishing public keys (DNSKEY records) and digital signatures (RRSIG records) in the zone, and every signed answer carries the signatures alongside the data; a single 2048-bit RSA key or signature is 256 bytes on its own. As a result, DNS responses from a signed zone are markedly bigger than the queries that trigger them, and validating those signatures adds computational load on resolvers and lengthens query response times.

That size difference is the "amplification factor", which attackers exploit in DNS amplification attacks. Because the response is much larger than the request, an attacker who can make a nameserver deliver its responses to a victim multiplies the bandwidth aimed at that victim for every byte of attack traffic sent, and exhausts the victim's resources far more quickly than a direct flood of the same size could.

DNSSEC is complex to deploy, and negligence or a lack of security awareness on the part of administrators can lead to poor configuration, such as leaving recursion open to the world, running without response rate limiting, or answering ANY queries in full, that leaves DNSSEC-enabled nameservers vulnerable to exploitation.

A DNS amplification attack happens when an attacker sends UDP packets whose source IP address has been forged to be the victim's address to publicly accessible DNS servers (open recursive resolvers, or authoritative servers for a signed zone). Each UDP packet is a separate DNS request, typically an "ANY" query for a domain with large, signed RRsets, chosen because it elicits the biggest possible response. The DNS servers, simply performing their function, send the large response to the forged source address; because UDP involves no handshake, they have no way of knowing that the address was spoofed. The victim is then flooded with responses from a large number of nameservers it never queried, producing a DDoS attack that the attacker has driven from a very small initial volume of requests. The maximum amplification factor for DNS is commonly cited as 54: a single query of a few dozen bytes can elicit a response of roughly two kilobytes.
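To make the size difference concrete, here is an added Python example (not code from the original post or from any vendor mentioned in it). It builds the attacker's ANY query in DNS wire format, then builds the kind of response an authoritative server for the zone would return, once without and once with DNSKEY and RRSIG records, and computes the bandwidth amplification factor from the byte counts. The zone contents, keys and signatures are constructed placeholders of realistic sizes (a 2048-bit KSK, a 1024-bit ZSK, RSA signatures of matching length) and names are not compressed, so a real server's responses will be somewhat smaller; the truncated reply at the end is what response rate limiting "slips" back to a suspected victim, forcing a genuine client to retry over TCP, where the source address cannot be forged.

```python
import struct

# Added example: everything below is constructed. The zone data, DNSKEY public keys and RRSIG
# signatures are fixed-size placeholder bytes chosen to match real RSA key/signature sizes;
# they are not real example.com records, and no DNS name compression is applied.
ZONE = "example.com"

TYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
        "OPT": 41, "RRSIG": 46, "DNSKEY": 48, "ANY": 255}


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def edns_opt(udp_size: int = 4096) -> bytes:
    """EDNS0 OPT pseudo-RR: root name, type 41, UDP payload size in the class field, DO bit in the TTL field."""
    return b"\x00" + struct.pack("!HHIH", TYPE["OPT"], udp_size, 0x00008000, 0)


def build_query(qname: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Minimal attacker query: header with RD set, one question, one OPT record advertising a 4096-byte buffer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE[qtype], 1)
    return header + question + edns_opt()


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_section(query: bytes) -> bytes:
    """Copy the question (name + type + class) out of a query so the reply can echo it."""
    i = 12
    while query[i] != 0:
        i += query[i] + 1
    return query[12:i + 1 + 4]


def rr(name: str, rtype: str, rdata: bytes, ttl: int = 3600) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata


def dnskey_rdata(flags: int, key_len: int) -> bytes:
    # flags 257 = KSK, 256 = ZSK; protocol 3; algorithm 8 (RSASHA256); placeholder public key bytes
    return struct.pack("!HBB", flags, 3, 8) + b"\xcd" * key_len


def rrsig_rdata(covered: str, sig_len: int) -> bytes:
    # type covered, algorithm, label count, original TTL, expiration, inception, key tag, signer name, signature
    fixed = struct.pack("!HBBIIIH", TYPE[covered], 8, 2, 3600, 1525000000, 1522400000, 12345)
    return fixed + encode_name(ZONE) + b"\xab" * sig_len


def build_any_response(query: bytes, signed: bool) -> bytes:
    """Answer an ANY query with every RRset at the apex; with signed=True add DNSKEYs plus one RRSIG per RRset."""
    rrsets = {
        "SOA": [encode_name("ns1." + ZONE) + encode_name("hostmaster." + ZONE)
                + struct.pack("!IIIII", 2018040501, 7200, 3600, 1209600, 3600)],
        "NS": [encode_name("ns1." + ZONE), encode_name("ns2." + ZONE)],
        "A": [bytes([192, 0, 2, 1])],
        "AAAA": [bytes.fromhex("20010db8000000000000000000000001")],
        "MX": [struct.pack("!H", 10) + encode_name("mail." + ZONE)],
        "TXT": [bytes([len(b"v=spf1 -all")]) + b"v=spf1 -all"],
    }
    if signed:
        rrsets["DNSKEY"] = [dnskey_rdata(257, 260), dnskey_rdata(256, 132)]  # 2048-bit KSK, 1024-bit ZSK
    answer, ancount = b"", 0
    for rtype, rdatas in rrsets.items():
        for rdata in rdatas:
            answer += rr(ZONE, rtype, rdata)
            ancount += 1
        if signed:
            sig_len = 256 if rtype == "DNSKEY" else 128  # DNSKEY set is signed by the KSK, the rest by the ZSK
            answer += rr(ZONE, "RRSIG", rrsig_rdata(rtype, sig_len))
            ancount += 1
    header = struct.pack("!HHHHHH", parse_header(query)["id"], 0x8580, 1, ancount, 0, 1)  # QR|AA|RD|RA
    return header + question_section(query) + answer + edns_opt()


def truncated_response(query: bytes) -> bytes:
    """RRL 'slip' reply: no answer and the TC bit set, so a real client retries over TCP and a spoofed victim gets ~1x."""
    header = struct.pack("!HHHHHH", parse_header(query)["id"], 0x8380, 1, 0, 0, 1)  # QR|TC|RD|RA
    return header + question_section(query) + edns_opt()


def amplification_factor(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query(ZONE, "ANY")
    for label, resp in (("unsigned", build_any_response(q, False)),
                        ("DNSSEC-signed", build_any_response(q, True)),
                        ("RRL truncated", truncated_response(q))):
        print(f"{label:14s} query {len(q):3d} B -> response {len(resp):5d} B, factor {amplification_factor(q, resp):5.1f}x")
```

With these placeholder sizes the 40-byte query draws a 348-byte unsigned answer (about 9x) and a 2196-byte signed one (about 55x), while the truncated reply is the same size as the query. The only thing the signing added is seven RRSIGs and two DNSKEYs, which is exactly why signed zones make the best reflectors.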

In Nexusguard's Q4 2017 security report, the cybersecurity company found that while overall DDoS attacks had gone down by 12% year over year in 2017, DNS amplification attacks had risen by an astounding 358% over the same period. They found that the top three attack vectors for Q4 2017 were DNS amplification attacks at number one, UDP attacks at number two and IP fragmentation attacks at number three. The huge spike in DNS amplification attacks is ironically attributed to abuse of DNSSEC-signed zones, whose large responses make the most effective amplifiers. Basic server hardening is therefore essential: do not run an open recursive resolver, enable response rate limiting on authoritative servers, minimise or refuse answers to ANY queries, and deploy source address validation (BCP 38) at the network edge so that spoofed packets cannot leave your network. Properly configuring DNSSEC on the domain protects the zone's own data; these controls protect everyone else from the zone.

Filed Under: DDoS mitigation, DNS Amplification, Types of Attack Tagged With: configuration, DNS amplification attack, DNS nameservers, DNS security, DNSSEC, maximum amplification factor, Nexusguard, UDP
