News Feature | August 26, 2016

Research Shows DNSSEC Vulnerabilities Are Prolific

By Christine Kern, contributing writer

Neustar Report finds that savvy DDoS attackers are using our defenses against us.

Domain Name System Security Extensions (DNSSEC) were created to protect DNS from attacks such as cache poisoning, but when they are not properly managed they also hand attackers a tool for destruction. A Neustar study found more than 1,000 improperly managed domains in a single sector that could be used to amplify DDoS attacks.

Neustar published DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us, a research report detailing how DNSSEC can be subverted as an amplifier in Distributed Denial of Service (DDoS) attacks. According to Neustar, DNSSEC reflection can on average turn an 80-byte query into a 2,313-byte response, an amplification factor of nearly 30 times. That amplification can easily cause network service outages during a DDoS attack, resulting in lost revenue and data breaches.

This report follows an April 2016 Security Operations Report by Neustar, which described a spike in DDoS attacks that abuse DNSSEC to amplify DNS reflection attacks. That finding led Neustar to analyze other domains that could be exploited in the same way, which revealed some disturbing trends.

“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” said Joe Loveless, Director of Product Marketing, Security Services, Neustar. “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”

Neustar explains that DNSSEC was designed to add integrity and authentication to DNS through digital signatures and key records. When a DNS zone is signed with DNSSEC, a wealth of additional record data (signatures and keys) is created, so a query using the DNS “ANY” type draws a response from a DNSSEC-signed zone that is many times larger than a normal DNS reply.

The study revealed:

  • DNSSEC Vulnerabilities Are Prolific — Neustar examined one industry with 1,349 domains and determined 1,084 of them (80 percent) could be maliciously repurposed as a DDoS attack amplifier (they were signed with DNSSEC and responded to the “ANY” command).
  • The Average DNSSEC Amplification Factor is 28.9 — Neustar tested DNSSEC vulnerabilities with an 80-byte query, which returned an average response of 2,313 bytes. The largest amplification response was 17,377 bytes, 217 times greater than the 80-byte query.
  • The Anatomy of a DNSSEC Reflection Attack — Neustar illustrates the command and control servers required to run the botnets and scripts that target DNS name servers to execute DNSSEC amplification attacks.
  • Best Practices for Mitigation — For organizations that rely on DNSSEC, Neustar recommends ensuring that your DNS provider does not respond to “ANY” queries or has a mechanism in place to identify and prevent misuse.
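As an added example (not from the Neustar report), the Python below runs the check implied by the mitigation bullet over constructed DNS query-log lines: it picks out ANY queries whose replies amplify the query beyond a threshold, so an operator can see which zones still answer ANY in full and which client addresses (the spoofed victims in a reflection attack) are receiving the reflected bytes. The log line format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample query-log lines (not from the Neustar report). The format is an
# assumption: "<client_ip> <qname> <qtype> qlen=<query bytes> rlen=<response bytes>".
SAMPLE_LOG = """\
198.51.100.7 example.org ANY qlen=80 rlen=2313
198.51.100.7 example.org ANY qlen=80 rlen=2313
198.51.100.7 example.org ANY qlen=80 rlen=2313
203.0.113.5 example.org A qlen=45 rlen=61
203.0.113.5 signed.example ANY qlen=80 rlen=17377
192.0.2.9 unsigned.example ANY qlen=80 rlen=120
"""

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<qname>\S+) (?P<qtype>[A-Z]+) "
                     r"qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)$")

def parse_line(line):
    # Returns (client, qname, qtype, qlen, rlen), or None for a line that does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], m["qname"], m["qtype"], int(m["qlen"]), int(m["rlen"]))

def amplification_factor(qlen, rlen):
    # Response bytes per query byte: the report's 80-byte query / 2,313-byte reply is 28.9.
    return round(rlen / qlen, 1)

def find_any_amplification(log_text, min_factor=10.0):
    # Counts only ANY queries whose reply amplifies by at least min_factor.
    # by_client: address the replies were sent to (the spoofed victim in a reflection
    # attack) -> query count, largest factor, total bytes reflected to it.
    # by_zone: queried name -> largest factor, i.e. zones that still answer ANY in full.
    by_client = defaultdict(lambda: {"count": 0, "max_factor": 0.0, "bytes_out": 0})
    by_zone = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "ANY":
            continue
        src, qname, _, qlen, rlen = rec
        factor = amplification_factor(qlen, rlen)
        if factor < min_factor:
            continue
        c = by_client[src]
        c["count"] += 1
        c["bytes_out"] += rlen
        c["max_factor"] = max(c["max_factor"], factor)
        by_zone[qname] = max(by_zone.get(qname, 0.0), factor)
    return dict(by_client), by_zone
```

Zones listed in by_zone are the ones to move to a provider or configuration that refuses ANY or returns a minimal answer, per the report's recommendation.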

“Neustar is focused on using connected sciences to connect people, places and things, which is why network security is so imperative,” said Loveless. “As more organizations adopt DNSSEC, it is critically important to understand how to secure it. The time to fix it is now.”