The next major DDoS battleground: DNSSEC a 'significant new risk'

21 Mar 18

Distributed Denial of Service (DDoS) attacks using amplification to increase severity grew 110% in the fourth quarter of 2017 compared to the same quarter in 2016.

Nexusguard’s Q4 2017 Threat Report says that Domain Name System Security Extensions (DNSSEC) are to blame for the massive increase.

Although DNSSEC tools are designed to add integrity and security to the DNS protocol, they can be a ‘significant new risk’ if they are not properly configured.

DNSSEC-enabled servers can be specific targets in order to reflect amplification attacks because of the large response sizes they generate.

Nexusguard explains how a DNSSEC attack works:

“The extra security DNSSEC provided relies on resource-intensive data verification using public keys and digital signatures. Consequently, the size of DNS response packets becomes significantly larger than the original queries, which drastically increases the computational load on DNS servers as well as query response times.”

“The extra workload translates into an “amplification factor” that attackers leverage to generate DNS amplification attacks. To measure the potential amplitude of an amplification factor, we sent queries with a packet size of 81 bytes to activum.nu. The nameserver responded at 6,156 bytes, approximately 76 times the packet size of the original queries.”

The overall number of DDoS attacks dropped 12%, however Nexusguard warns that DNSSEC attacks may spawn a new class of powerful botnets.

"Enterprises have worked hard to patch against snooping, hijacking and other DNS abuses; however, improperly configured DNSSEC-enabled nameservers may be a new plague for unprepared teams," comments Nexusguard chief technology officer Juniman Kasman.

"Admins and IT teams need to check security for the entire network, as well as correctly configure DNSSEC on the domain to properly harden servers against these new attacks."

Attackers are also using multi-vector attacks that include a mix of network time protocol (NTP), universal datagram protocol (UDP), DNS and other vectors.

DNS amplification, UDP, and IP fragmentation contributed for the top three attack vectors in the quarter, with 16.10%, 15.31%, and 12.18% respectively.

The report says that more than 56% of attacks exploit multi-vector combinations.

The report also found that China and the United States continue to reign as the two top DDoS attack source countries in Q4. China accounted for 21.8% of all attacks. South Korea climbed to third place and accounted for almost 6% of global attacks.

In APAC, the top 10 DDoS attack source countries include China; South Korea; Vietnam; India; Thailand; Indonesia; Taiwan; Hong Kong; Nepal; and Singapore.

Globally, 49.3% of attacks ranged between 1Gbps and 10Gbps. 20.8% of attacks were more than 10Gbps. The largest attack in Q4 measured 231.32Gbps.

69% of global attacks lasted fewer than 90 minutes. These attacks occurred during peak operation hours, resulting in service downtime for affected businesses. The longest attack went for 1200 minutes.

Share on: LinkedIn Twitter Facebook