Research by information services provider Neustar shows that a security feature for the domain name system to combat hijacking can be subverted and used to amplify denial of service attacks.
Attackers have discovered [registration required] how to abuse the Domain Name System Security Extensions (DNSSEC), taking a small, 80-byte query and turning it into a 2313-byte response.
This is an amplification factor of 28.9, but DNSSEC reflection attacks can return responses as large as 17,377 bytes, or 217 times larger than the original 80-byte query, Neustar said.
The amplification or reflection attacks are due to the complex digital signatures and key exchanges that DNSSEC uses to ensure integrity and authentication of DNS data.
When traditional, unsecured DNS records are protected by DNSSEC, much more data is generated for them.
A DNS query for 'ANY' information (that is, for the requested server to pull any records that relate to the user's request of it) will therefore return far more information than for non-DNSSEC protected domains.
Neustar said it tested one industry sector with 1349 domains and found that 80 percent of these were signed with DNSSEC and responded to ANY queries, returning the large responses that attackers could reflect against targets to flood their networks and servers.
To prevent DNSSEC reflection denial of service attacks, organisations should ensure that their DNS servers or the providers they use do not respond to ANY queries that create the large responses.
If the ANY query is needed, organisations need to have in place monitoring systems and mechanisms to prevent it from being abused by attackers, Neustar said.
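As an added example of the monitoring side of that advice (not code from the Neustar report), the script below scans constructed DNS query-log lines in a hypothetical key=value format, flags ANY queries whose response-to-query size ratio exceeds a threshold, and totals the bytes reflected toward each client address, which in a reflection attack is the spoofed victim.

```python
"""Flag ANY queries with large response/query size ratios in DNS server logs.
Added example, not from the Neustar report; the key=value log format is a
constructed, hypothetical one (client, qname, qtype, query and response sizes)."""
from collections import defaultdict

# Constructed sample lines; sizes are illustrative. The 80 -> 2313 pair
# matches the 28.9x case from the article, 80 -> 17377 the 217x case.
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=198.51.100.7 qname=example.org qtype=ANY qlen=80 rlen=2313
2024-05-01T10:00:01 client=198.51.100.7 qname=example.org qtype=ANY qlen=80 rlen=2313
2024-05-01T10:00:02 client=198.51.100.7 qname=example.net qtype=ANY qlen=80 rlen=17377
2024-05-01T10:00:02 client=203.0.113.5 qname=example.org qtype=A qlen=44 rlen=60
2024-05-01T10:00:03 client=203.0.113.5 qname=example.org qtype=AAAA qlen=44 rlen=72
"""

def parse_line(line):
    """Turn one log line into a dict of its key=value fields (timestamp dropped)."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    fields["qlen"] = int(fields["qlen"])
    fields["rlen"] = int(fields["rlen"])
    return fields

def amplification(entry):
    """Response bytes per query byte: the factor an attacker gains by reflection."""
    return entry["rlen"] / entry["qlen"]

def find_amplifiers(lines, min_factor=10.0):
    """Summarise ANY queries with amplification factor >= min_factor, keyed by
    client address. In a reflection attack that address is the spoofed victim,
    so the totals show who is being flooded and with how many bytes."""
    hits = defaultdict(lambda: {"queries": 0, "bytes_sent": 0, "max_factor": 0.0})
    for raw in lines:
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry["qtype"] != "ANY":
            continue
        factor = amplification(entry)
        if factor < min_factor:
            continue
        hit = hits[entry["client"]]
        hit["queries"] += 1
        hit["bytes_sent"] += entry["rlen"]
        hit["max_factor"] = max(hit["max_factor"], round(factor, 1))
    return dict(hits)

if __name__ == "__main__":
    for client, summary in find_amplifiers(SAMPLE_LOG.splitlines()).items():
        print(client, summary)
```

A real deployment would feed the same logic from the resolver's query log and alert when one client address accumulates a large reflected byte count in a short window.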