DNSSEC is not invincible.
Researchers this week described how a DNSSEC-based flood attack could easily knock a website offline and allow for the insertion of malware or exfiltration of sensitive data.
The intent of Domain Name System Security Extensions, or DNSSEC, is to bolster DNS through a series of complex digital signatures. But if it is not secured properly, it can fall victim to cache poisoning and malicious redirection attacks, experts warn.
Researchers at Neustar explained on Tuesday, in a paper titled “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us,” how DNSSEC responses can be reflected and amplified by way of “ANY” queries to carry out DDoS attacks. “ANY” queries are favored by hackers because responses to them are far larger than a normal DNS reply, the researchers claim.
“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” Joe Loveless, director of product marketing for security services at Neustar, said Tuesday. “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”
As part of an experiment carried out in June, the firm’s researchers located domains in a high-adoption community and checked them for DNSSEC records. The researchers found that a staggering 80 percent of the domains they looked at were served by nameservers that responded to “ANY” queries, meaning 80 percent of those domains could be repurposed as DDoS amplifiers and used maliciously.
For a DNSSEC reflection attack, a hacker really just needs a botnet and a target’s IP address. The attacker can get the botnet to run a script using the “ANY” query and trick nameservers into reflecting DNSSEC responses to a target.
On average, the firm’s research found that a DNSSEC reflection attack could transform an 80-byte query into a whopping 2,313-byte response – an amplification factor of roughly 30x.
There could be several negative outcomes in addition to the DDoS attack itself, according to the firm.
DNSSEC attacks could divert the attention of an administrator and allow attackers to insert malware or steal information from affected systems. The attacks could also result in lost revenue and cause a company’s DNS bill to skyrocket, assuming the domain owner pays for DNS by the query.
Neustar conducted the research to follow up on statistics it found in April that illustrated a steep rise in DDoS attacks that used DNSSEC to amplify DNS reflection attacks.
The company claims the easiest way to prevent a DNSSEC attack is simply not to own an exploitable DNSSEC-signed domain – but that might not be so easy. Adoption of DNSSEC has been slow, but use of the technology is mandated across government entities. Neustar claims that in some situations it may pay dividends for companies to make certain their DNS provider doesn’t respond to “ANY” queries, or at least has some sort of defense mechanism in place. Blocking DNS traffic from certain domains is another option – but it opens up an entirely different can of worms by sometimes blocking legitimate queries.
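As an added illustration, not taken from Neustar’s paper or the article, the following Python check shows how a domain owner could scan an authoritative server’s query log for the pattern described above: sources sending bursts of UDP “ANY” queries, typically with the DNSSEC OK bit set so the reply carries signatures. The log format is BIND-style and the lines are constructed for this example; the thresholds and function names are assumptions.

```python
import re
from collections import Counter

# BIND-style query-log lines, constructed for this example (not real traffic).
# Flags after the '+': E(0)=EDNS present, D=DNSSEC OK bit set, T=query arrived over TCP.
SAMPLE_LOG = """\
client @0x7f 192.0.2.10#53104 (example.org): query: example.org IN ANY +E(0)D (203.0.113.5)
client @0x7f 192.0.2.10#53104 (example.org): query: example.org IN ANY +E(0)D (203.0.113.5)
client @0x7f 192.0.2.10#53104 (example.org): query: example.org IN ANY +E(0)D (203.0.113.5)
client @0x7f 192.0.2.10#53104 (example.org): query: example.org IN ANY +E(0)D (203.0.113.5)
client @0x7f 198.51.100.7#40001 (example.org): query: www.example.org IN A +E(0) (203.0.113.5)
client @0x7f 198.51.100.7#40002 (example.org): query: example.org IN MX +E(0) (203.0.113.5)
client @0x7f 198.51.100.9#5353 (example.org): query: example.org IN ANY +E(0)T (203.0.113.5)
"""

LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[\d.:a-fA-F]+)#\d+ \S+ query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Yield (client_ip, qname, qtype, over_tcp, do_bit) for every parsable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m.group("flags")
        yield m.group("ip"), m.group("qname"), m.group("qtype"), "T" in flags, "D" in flags


def amplification_factor(query_bytes, response_bytes):
    """Response/query size ratio; the article's 80-byte query and 2,313-byte reply give ~28.9."""
    return response_bytes / query_bytes


def flag_reflection_sources(text, min_any=3, min_ratio=0.5):
    """Return {client_ip: any_count} for sources whose UDP ANY queries pass both thresholds.

    Only UDP counts: a spoofed victim address only works over UDP, so ANY over TCP is
    treated as a legitimate (or already rate-limited and retried) query and ignored.
    """
    any_udp, total = Counter(), Counter()
    for ip, _qname, qtype, over_tcp, _do in parse_query_log(text):
        total[ip] += 1
        if qtype == "ANY" and not over_tcp:
            any_udp[ip] += 1
    return {ip: n for ip, n in any_udp.items()
            if n >= min_any and n / total[ip] >= min_ratio}
```

In the sample above only 192.0.2.10 is flagged; the TCP ANY query from 198.51.100.9 is left alone because it cannot be reflected at a spoofed victim.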