Story image

The next major DDoS battleground: DNSSEC a 'significant new risk'

21 Mar 18

Distributed Denial of Service (DDoS) attacks using amplification to increase severity grew 110% in the fourth quarter of 2017 compared to the same quarter in 2016.

Nexusguard’s Q4 2017 Threat Report says that Domain Name System Security Extensions (DNSSEC) are to blame for the massive increase.

Although DNSSEC tools are designed to add integrity and security to the DNS protocol, they can be a ‘significant new risk’ if they are not properly configured.

DNSSEC-enabled servers can be specific targets in order to reflect amplification attacks because of the large response sizes they generate.

Nexusguard explains how a DNSSEC attack works:

“The extra security DNSSEC provided relies on resource-intensive data verification using public keys and digital signatures. Consequently, the size of DNS response packets becomes significantly larger than the original queries, which drastically increases the computational load on DNS servers as well as query response times.”

“The extra workload translates into an “amplification factor” that attackers leverage to generate DNS amplification attacks. To measure the potential amplitude of an amplification factor, we sent queries with a packet size of 81 bytes to activum.nu. The nameserver responded at 6,156 bytes, approximately 76 times the packet size of the original queries.”

The overall number of DDoS attacks dropped 12%, however Nexusguard warns that DNSSEC attacks may spawn a new class of powerful botnets.

"Enterprises have worked hard to patch against snooping, hijacking and other DNS abuses; however, improperly configured DNSSEC-enabled nameservers may be a new plague for unprepared teams," comments Nexusguard chief technology officer Juniman Kasman.

"Admins and IT teams need to check security for the entire network, as well as correctly configure DNSSEC on the domain to properly harden servers against these new attacks."

Attackers are also using multi-vector attacks that include a mix of network time protocol (NTP), universal datagram protocol (UDP), DNS and other vectors.

DNS amplification, UDP, and IP fragmentation contributed for the top three attack vectors in the quarter, with 16.10%, 15.31%, and 12.18% respectively.

The report says that more than 56% of attacks exploit multi-vector combinations.

The report also found that China and the United States continue to reign as the two top DDoS attack source countries in Q4. China accounted for 21.8% of all attacks. South Korea climbed to third place and accounted for almost 6% of global attacks.

In APAC, the top 10 DDoS attack source countries include China; South Korea; Vietnam; India; Thailand; Indonesia; Taiwan; Hong Kong; Nepal; and Singapore.

Globally, 49.3% of attacks ranged between 1Gbps and 10Gbps. 20.8% of attacks were more than 10Gbps. The largest attack in Q4 measured 231.32Gbps.

69% of global attacks lasted fewer than 90 minutes. These attacks occurred during peak operation hours, resulting in service downtime for affected businesses. The longest attack went for 1200 minutes.

JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
WatchGuard appoints new channel distributors in A/NZ
The appointments will enable WatchGuard to expand its regional channel reseller footprint.