A majority or 80% of DNSSEC-secured domains could be used to amplify distributed denial of service (DDoS) attacks, at an average factor of 28.9 times, according to a recent report by Neustar which studied nearly 1,350 domains with DNSSEC deployed.
The report points out that the domains had not properly deployed DNSSEC-signing of their domains, leaving them vulnerable to DDoS attacks.
"Neustar has correctly pointed out the additional amplification factor related to misconfigured DNSSEC vs. legacy DNS, where the inclusion of the digital signature allows for a somewhat higher than a normal DNS amplification attack,” says Corero Network Security COO Dave Larson, in a statement.
“However, the point that must be stressed related to this or any other DDoS amplification vectors is that operators of any network – whether they include DNS service or not – should have their networks configured not to respond to spoofed IP requests. In addition, DNS operators should configure their DNS servers not to respond to ‘ANY’ requests in order to squelch the opportunity for the server to be leveraged for malicious use.”
Larson adds that on the flip side, the impact to the receiving end of the attack can be especially problematic. The fragmented and amplified attack technique, utilizing DNS or DNSSEC can cause outages, downtime and potential security implications for Internet Service Providers if they are relying on out-of-band DDoS protection mechanisms. Furthermore, organizations relying on traditional IT and security infrastructure such as firewalls and load balancing equipment are no match for these attacks.
“A comprehensive in-line and automatic mitigation method for removing DDoS attacks is the recommended approach for dealing with all types of DDoS attacks - DNS and beyond,” noted Larson.