Administrators who have configured their domains to use DNSSEC: Good job! But congratulations may be premature if the domain hasn't been correctly set up. Attackers can abuse improperly configured DNSSEC (Domain Name System Security Extensions) domains to launch denial-of-service attacks.
The DNS acts as a phone book for the Internet, translating IP addresses into human-readable addresses. However, the wide-open nature of DNS leaves it susceptible to DNS hijacking and DNS cache poisoning attacks that redirect users to a different address than the one they intended to reach.
DNSSEC is a series of digital signatures intended to protect DNS entries from being modified. Done properly, DNSSEC provides authentication and verification. Done improperly, attackers can loop the domain into a botnet to launch DDoS amplification and reflection attacks, according to the latest research from Neustar, a network security company providing anti-DDoS services.
"DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack," said Neustar's Joe Loveless. "If DNSSEC is not properly secured, it can be exploited, weaponized, and ultimately used to create massive DDoS attacks."
In a study of more than 1,300 DNSSEC-protected domains, 80 percent could be used in such an attack, Neustar found.
The attacks rely on the fact that the size of the ANY response from a DNSSEC-signed domain is significantly larger than the ANY response from a non-DNSSEC domain because of the accompanying digital signature and key exchange information. The ANY request is larger than a normal server request because it asks the server to provide all information about a domain, including the mail server MX records and IP addresses.
Armed with a script and a botnet, attackers can trick nameservers into reflecting DNSSEC responses to the target IP address in a DDoS attack. A DNSSEC reflection attack could transform an 80-byte query into a 2,313-byte response, capable of knocking networks offline. The biggest response the researchers received from a DNSSEC-protected server was 17,377 bytes.
The number of DNS reflection and amplification DDoS attacks abusing DNSSEC-configured domains has been growing. Neustar said the overall number of attacks using multiple vectors, which probe defenses until they succeed, is on the rise, and more than half of these multivector attacks involve reflection attacks.
Internet security company Akamai observed a similar pattern, as it found 400 DNS reflection/amplification DDoS attacks abusing a single DNSSEC domain in the fourth quarter of 2015. The domain was used in DDoS attacks against customers in multiple verticals, suggesting the domain had been included in a DDoS-for-hire service.
"As with other DNS reflection attacks, malicious actors continue to use open DNS resolvers for their own purpose -- effectively using these resolvers as a shared botnet," Akamai wrote in its quarterly State of the Internet Security report back in February.
The problem isn't with DNSSEC or its functionality, but rather how it's administered and deployed. DNSSEC is the best way to combat DNS hijacking, but the complexity of the signatures increases the possibility of administrators making mistakes. DNS is already susceptible to amplification attacks because there aren't a lot of ways to weed out fake traffic sources.
"DNSSEC prevents the manipulation of DNS record responses where a malicious actor could potentially send users to its own site. This extra security offered by DNSSEC comes at a price as attackers can leverage the larger domain sizes for DNS amplification attacks," Akamai said in its report.
To prevent a DNSSEC attack, configure DNSSEC correctly on the domain so that it cannot be used to amplify DNS reflection attacks. That's easier said than done. DNSSEC adoption has been slow, but progress is being made. Administrators should check with their service providers to make sure their digital signatures are valid and test deployments regularly.
While blocking DNS traffic from certain domains is certainly an option, it's not one most organizations would be comfortable with as it could block legitimate users and queries. Neustar recommends DNS providers not respond to ANY requests at all. Other filtering systems to detect abuse -- such as looking for patterns of high activity from specific domains -- should also be in place.
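One way a nameserver operator could look for the abuse pattern described above, as an added example that is not from the article, Neustar or Akamai: it scans query-log records for repeated ANY queries whose responses are far larger than the queries. The log format, the thresholds, the addresses and the name signed.example are assumptions made for the illustration; only the 80, 2,313 and 17,377 byte sizes come from the article.

```python
from collections import defaultdict

# Constructed sample log, one query per line:
#   claimed_source_ip  qname  qtype  query_bytes  response_bytes
# Addresses and names are documentation placeholders, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 signed.example. ANY 80 2313
203.0.113.7 signed.example. ANY 80 2313
203.0.113.7 signed.example. ANY 80 17377
198.51.100.20 www.example. A 60 76
198.51.100.21 signed.example. MX 62 140
203.0.113.7 signed.example. ANY 80 2313
198.51.100.22 signed.example. ANY 80 2313
"""

def amplification(query_bytes, response_bytes):
    """Bytes sent by the server for each byte received, to one decimal."""
    return round(response_bytes / query_bytes, 1)

def parse(log):
    """Yield (source, qname, qtype, query_bytes, response_bytes) tuples."""
    for line in log.splitlines():
        if not line.strip():
            continue
        source, qname, qtype, q_len, r_len = line.split()
        yield source, qname.lower(), qtype.upper(), int(q_len), int(r_len)

def flag_reflection(log, min_any=3, min_factor=10.0):
    """Return {(source, qname): (any_count, factor)} for suspicious pairs.

    The source address is only the *claimed* sender: in a reflection
    attack it is spoofed and belongs to the victim, so a hit is a reason
    to rate limit or refuse ANY for that pair, not to blame the address.
    Thresholds are illustrative assumptions, not recommended values.
    """
    totals = defaultdict(lambda: [0, 0, 0])  # count, query bytes, response bytes
    for source, qname, qtype, q_len, r_len in parse(log):
        if qtype != "ANY":
            continue
        entry = totals[(source, qname)]
        entry[0] += 1
        entry[1] += q_len
        entry[2] += r_len
    flagged = {}
    for key, (count, q_total, r_total) in totals.items():
        factor = amplification(q_total, r_total)
        if count >= min_any and factor >= min_factor:
            flagged[key] = (count, factor)
    return flagged

if __name__ == "__main__":
    for (source, qname), (count, factor) in flag_reflection(SAMPLE_LOG).items():
        print(f"{source} {qname} ANY x{count} amplification {factor}x")
```

In production the same counting would run over a sliding time window, with thresholds tuned against the server's normal traffic.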
Fixing DNSSEC won't end these types of attacks, as there are plenty of other protocols that can be used in amplification and reflection attacks, but it can cut down on the current batch. As long as there are systems generating traffic with spoofed IP addresses and networks allowing such traffic, reflection-amplification DDoS attacks will continue.
Efforts to dismantle botnets, and prevent systems from joining botnets in the first place, will put a dent in the number of DDoS attacks. In addition, administrators should make sure they have anti-DDoS mechanisms in place, such as preventing source IP spoofing in a network, closing an open resolver, and rate limiting.