DNSSEC is not invincible.
Researchers this week described how a DNSSEC-based flood attack could easily knock a website offline and allow for the insertion of malware or exfiltration of sensitive data.
The intent of Domain Name System Security Extensions, or DNSSEC, is to bolster DNS through a series of complex digital signatures. But if it is not secured properly it can fall victim to cache poisoning and malicious redirection attacks, experts warn.
Researchers at Neustar explained in a paper, “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” on Tuesday how DNSSEC can be reflected and leveraged by “ANY” queries to carry out DDoS attacks. “ANY” queries are favored by hackers; responses to them are exponentially larger than a normal DNS reply, researchers claim.
“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” Joe Loveless, the Director of Product Marketing, Security Services at Neustar said Tuesday, “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”
As part of an experiment the firm’s researchers carried out in June, it located domains in a high-adoption community and checked for DNSSEC records. The researchers found a staggering 80 percent of the domains it looked at responded to DNS queries looking for nameservers that responded to “ANY” queries, meaning 80 percent of the domains they found could be repurposed as a DDoS amplifier and used maliciously.
80 percent of the domains they found could be repurposed as a DDoS amplifier and used maliciouslyTweet
For a DNSSEC reflection attack, a hacker really just needs a botnet and a target’s IP address. The attacker can get the botnet to run a script using the “ANY” query and trick nameservers into reflecting DNSSEC responses to a target.
On average, the firm’s research found that a DNSSEC reflection attack could have the ability to transform an 80-byte query into a whopping 2,313-byte response – an amplification factor of 30x.
There could be several negatives outcomes, in addition to a DDoS attack, according to the firm.
DNSSEC attacks could divert the attention of an administrator and allow attackers to insert malware or steal information from affected systems. The attacks could also result in lost revenue and cause a company’s DNS bill to skyrocket, assuming the domain owner pays for DNS by the query.
Neustar conducted the research to follow up on statistics it found in April that illustrated a steep rise in DDoS attacks that used DNSSEC to amplify DNS reflection attacks.
The company claims the easiest way to prevent a DNSSEC attack is to simply avoid owning an exploitable DNSSEC signed domain – but that might not be so easy. Adoption around DNSSEC has been slow but use of the technology is mandated across government entities. Neustar claims that in some situations it may pay dividends for companies to make certain their DNS provider doesn’t respond to “ANY” queries, or at least has some sort of defense mechanism installed. Blocking DNS traffic from certain domains is another option – but opens up an entirely different can of worms by sometimes blocking legitimate queries.