Recent research from Neustar found that attackers can abuse improperly configured DNSSEC (Domain Name System Security Extensions) domains to launch distributed denial-of-service (DDoS) attacks. Neustar correctly pointed out the additional amplification factor of misconfigured DNSSEC compared with legacy DNS: the digital signatures included in the response allow a somewhat higher amplification than a normal DNS amplification attack. The technique is otherwise identical to straight DNS amplification; the only difference is that the appended digital signature makes the response packets larger, which increases the amplification effect.
Configure Your Networks Properly
However, the point that must be stressed about this or any other DDoS amplification vector is that operators of any network, whether or not it hosts a DNS service, should configure their networks so that packets with spoofed source IP addresses are neither accepted nor forwarded. In addition, DNS operators should configure their servers not to answer 'ANY' queries, removing the opportunity for the server to be leveraged for malicious use.
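One way to see the 'ANY' problem from the server operator's side is to look for it in the query log: in a reflection attack the spoofed source of the queries is the victim, so a single source asking for ANY over and over is the signature to watch for. The following is an added example, not code from the original post or from Neustar; the log format is an approximation of a BIND-style query log, and the log lines and addresses are constructed samples from the documentation ranges.

```python
import re
from collections import Counter

# Pattern for a BIND-style query-log line. The exact layout differs between
# versions, so this is an assumption: it tolerates the optional "@0x..."
# client handle and captures only the fields the detector needs.
QUERY_LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample log, not real server output. The same (spoofed) source
# 198.51.100.7 repeatedly asks for ANY; the other clients look normal.
SAMPLE_LOG = """\
28-Mar-2023 12:00:01.101 client @0x55d4c1a0 198.51.100.7#41234 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 12:00:01.102 client @0x55d4c1a0 198.51.100.7#41235 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 12:00:01.103 client @0x55d4c1a0 198.51.100.7#41236 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
28-Mar-2023 12:00:01.150 client @0x55d4c1b0 203.0.113.9#53022 (www.example.com): query: www.example.com IN A + (192.0.2.53)
28-Mar-2023 12:00:01.160 client @0x55d4c1c0 203.0.113.20#53100 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
"""


def parse_query_log_line(line):
    """Return a dict of source, port, qname, name, qclass, qtype, or None."""
    m = QUERY_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def any_queries_by_source(lines):
    """Count ANY queries per source address across the given log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_query_log_line(line)
        if rec and rec["qtype"].upper() == "ANY":
            counts[rec["src"]] += 1
    return counts


def flag_any_sources(lines, threshold):
    """Sources that sent at least `threshold` ANY queries, sorted.

    In a reflection attack these are the addresses being targeted, not the
    attacker, which is why the fix is refusing ANY (and BCP38 upstream)
    rather than blocking the listed sources.
    """
    return sorted(src for src, n in any_queries_by_source(lines).items()
                  if n >= threshold)


def policy_response(qtype, refuse_any=True):
    """Outcome under the policy the article recommends: ANY is refused."""
    if refuse_any and qtype.upper() == "ANY":
        return "REFUSED"
    return "ANSWER"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("ANY queries per source:", dict(any_queries_by_source(lines)))
    print("sources over threshold 3:", flag_any_sources(lines, 3))
    print("policy for ANY:", policy_response("ANY"))
```

The threshold here is deliberately tiny so the constructed sample trips it; in practice it would be a rate over a time window, and the list it produces is a list of likely victims, which is useful for notifying a downstream operator rather than for blocking.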
The impact on the receiving end of such an attack can be especially severe. The fragmented and amplified attack technique, whether it uses DNS or DNSSEC, can cause outages, downtime and security exposure for Internet Service Providers that rely on out-of-band DDoS protection mechanisms. Organizations that rely on traditional IT and security infrastructure, such as firewalls and load balancers, are likewise no match for these attacks. A comprehensive, automatic, in-line network threat protection solution is the recommended approach for dealing with all types of DDoS attacks, DNS-based and beyond.
Regarding the spoofed-address issue, there is a Best Current Practice, BCP38, published by the Internet Engineering Task Force (IETF) that operators should take more seriously. The abstract of BCP38 summarizes the approach:
"Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point."
If you are not following BCP38 in your environment, you should be. If everyone followed this simple best practice, reflection and amplification DDoS attacks would be drastically reduced, benefiting everyone except the attackers.
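To make the BCP38 rule concrete: at the aggregation point, a packet arriving from a customer interface is forwarded only if its source address falls inside a prefix the ISP actually allocated to that customer; anything else is dropped before it can reach a reflector. The following is an added example that simulates that check, not code from the original post or from the IETF; the interface names, prefixes and packets are constructed from the documentation address ranges, and the rule itself is the one in RFC 2827 (BCP38).

```python
import ipaddress

# Constructed topology: an ISP aggregation router with three customer-facing
# interfaces, each mapped to the prefixes allocated to that customer.
CUSTOMER_PREFIXES = {
    "eth1": ["192.0.2.0/24"],
    "eth2": ["198.51.100.0/25", "2001:db8:1::/48"],
    "eth3": ["203.0.113.0/24"],
}


class IngressFilter:
    """BCP38-style ingress filter.

    A packet received on a customer interface is admitted only when its
    source address lies inside a prefix allocated to that interface. A
    source from another customer's space, from private space, or from
    anywhere else on the Internet is dropped and recorded.
    """

    def __init__(self, prefixes_by_iface):
        self.allowed = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in prefixes_by_iface.items()
        }
        self.dropped = []  # (iface, src) pairs, for logging or alerting

    def admit(self, iface, src):
        addr = ipaddress.ip_address(src)
        # Mixed IPv4/IPv6 membership tests are simply False, so a v6 source
        # on a v4-only interface is dropped without special handling.
        for net in self.allowed.get(iface, []):
            if addr in net:
                return True
        self.dropped.append((iface, src))
        return False


def filter_packets(filt, packets):
    """Return the (iface, src, dst) packets the filter would forward."""
    return [p for p in packets if filt.admit(p[0], p[1])]


# Constructed traffic: legitimate queries to a resolver at 192.0.2.53 plus
# spoofed queries whose source is set to some other party's address.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "192.0.2.53"),           # legitimate
    ("eth2", "198.51.100.7", "192.0.2.53"),         # legitimate
    ("eth1", "203.0.113.9", "192.0.2.53"),          # spoofed: eth3's space
    ("eth3", "10.0.0.5", "192.0.2.53"),             # spoofed: RFC 1918 source
    ("eth2", "2001:db8:1::25", "2001:db8::53"),     # legitimate IPv6
    ("eth2", "2001:db8:ffff::1", "2001:db8::53"),   # spoofed IPv6
    ("eth9", "192.0.2.10", "192.0.2.53"),           # unknown interface: drop
]


def summarize(packets, prefixes=CUSTOMER_PREFIXES):
    """Run the filter over a packet list and report forwarded/dropped counts."""
    filt = IngressFilter(prefixes)
    forwarded = filter_packets(filt, packets)
    return {"forwarded": len(forwarded), "dropped": len(filt.dropped),
            "dropped_list": list(filt.dropped)}


if __name__ == "__main__":
    result = summarize(SAMPLE_PACKETS)
    print(f"forwarded={result['forwarded']} dropped={result['dropped']}")
    for iface, src in result["dropped_list"]:
        print(f"  dropped on {iface}: spoofed source {src}")
```

On real equipment the same check is usually expressed as an access list per customer interface or as strict-mode unicast reverse-path forwarding, which derives the allowed prefixes from the routing table instead of a static map; on a Linux router the equivalent knob is the `rp_filter` sysctl. The constructed list above also shows why the filter belongs at the edge: once the spoofed packet with a victim's address has crossed the aggregation point, no later hop can tell it from a genuine query.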