DNSSEC stands for Domain Name System Security Extensions, a set of extensions intended to protect DNS records from tampering. DNS security has been a focus of recent ‘improved’ security procedures, and DNSSEC, if properly configured, adds a useful layer of security to the DNS protocol by requiring origin authentication and data integrity for responses.
However, if DNSSEC is not properly configured, it can pose a significant risk of being weaponized to launch volumetric attacks. The additional security DNSSEC provides relies on resource-intensive verification using public keys and digital signatures. As a result, DNS response packets become markedly larger than the original queries, which dramatically increases the computational load on DNS servers and lengthens query response times.
The additional workload also translates into an “amplification factor”, which attackers can exploit to generate DNS amplification attacks. Because the response is much larger than the request, an attacker can multiply the amount of traffic aimed at the victim and exhaust its resources more quickly.
DNSSEC involves a complex implementation, and negligence or a lack of security awareness on the part of admins can lead to poor configuration and leave DNSSEC-enabled nameservers vulnerable to exploitation.
A DNS amplification attack happens when UDP packets with a forged source IP address (the target’s) are sent to a publicly accessible DNS server. Each UDP packet makes a separate request to the DNS resolver, typically an “ANY” query, chosen because it produces the largest response. DNS resolvers, simply doing their job, then send that large response to the spoofed address, unaware that it belongs to the target rather than the sender. The target receives a huge volume of responses from the surrounding network infrastructure, resulting in a DDoS attack. The attacker thereby turns a very small initial request into a much larger flood. The maximum amplification factor is 54.
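As an added example (not part of the original article), the following Python script computes the amplification factor described above from resolver logs and flags addresses that are receiving large "ANY" responses at a suspicious ratio. The log format and the sample lines are constructed for this illustration; the thresholds are assumptions a resolver operator would tune.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real traffic), one query/response pair per line:
# source_ip qtype query_bytes response_bytes
SAMPLE_LOG = """\
198.51.100.7 ANY 64 3400
198.51.100.7 ANY 64 3500
198.51.100.7 ANY 64 3462
203.0.113.9 A 58 120
203.0.113.9 AAAA 60 136
198.51.100.7 ANY 64 3462
"""

@dataclass
class SourceStats:
    queries: int = 0
    any_queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received: the amplification factor from the text."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0

def parse_log(text: str) -> dict[str, SourceStats]:
    """Aggregate query and response sizes per source address."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, qtype, qlen, rlen = line.split()
        s = stats[ip]
        s.queries += 1
        s.query_bytes += int(qlen)
        s.response_bytes += int(rlen)
        if qtype.upper() == "ANY":
            s.any_queries += 1
    return dict(stats)

def flag_reflection(stats: dict[str, SourceStats],
                    min_factor: float = 10.0, min_queries: int = 3) -> list[str]:
    """Return source addresses whose traffic looks like amplification abuse.
    Note: in a spoofed attack the 'source' is the victim, so the right
    response is to rate-limit replies toward it, not to treat it as an attacker."""
    return sorted(ip for ip, s in stats.items()
                  if s.queries >= min_queries and s.any_queries and
                  s.amplification >= min_factor)

if __name__ == "__main__":
    for ip, s in parse_log(SAMPLE_LOG).items():
        print(f"{ip}: {s.queries} queries, {s.any_queries} ANY, x{s.amplification:.1f}")
    print("flagged:", flag_reflection(parse_log(SAMPLE_LOG)))
```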
In Nexusguard’s Q4 2017 security report, the cybersecurity company found that while overall DDoS attacks had gone down by 12% year over year in 2017, DNS amplification attacks had risen by an astounding 358% over the same period. They found that the top 3 attack vectors for Q4 2017 were DNS amplification attacks at number one, UDP attacks at number two and IP fragmentation attacks at number three. The huge spike in DNS amplification attacks is ironically thought to be the result of abuse of DNSSEC security weaknesses. It is essential to implement basic server hardening by properly configuring DNSSEC on the domain in order to protect the entire network’s security.