Poorly Configured DNSSEC Domains Used In DDoS Attacks

Following the recent story in the news on how attackers could abuse DNSSEC-secured domains for distributed denial-of-service (DDoS) attacks, Dave Larson, Chief Operating Officer at Corero Network Security commented below.

Dave Larson, Chief Operating Officer at Corero Network Security:

Dave Larson“Neustar has correctly pointed out the additional amplification factor related to misconfigured DNSSEC vs. legacy DNS, where the inclusion of the digital signature allows for a somewhat higher than a normal DNS amplification attack. However, the point that must be stressed related to this or any other DDoS amplification vectors is that operators of any network – whether they include DNS service or not – should have their networks configured not to respond to spoofed IP requests.  In addition, DNS operators should configure their DNS servers not to respond to ‘ANY’ requests in order to squelch the opportunity for the server to be leveraged for malicious use.

“On the flip side, the impact to the receiving end of the attack can be especially problematic. The fragmented and amplified attack technique, utilizing DNS or DNSSEC can cause outages, downtime and potential security implications for Internet Service Providers if they are relying on out-of-band DDoS protection mechanisms. Furthermore, organizations relying on traditional IT and security infrastructure such as firewalls and load balancing equipment are no match for these attacks.  A comprehensive in-line and automatic mitigation method for removing DDoS attacks is the recommended approach for dealing with all types of DDoS attacks – DNS and beyond.”



In this article