DNSSEC Reflection Presents Severe DDoS Risk
Neustar has released a research report detailing how the Domain Name System Security Extensions (DNSSEC) can be subverted as an amplifier in distributed denial-of-service (DDoS) attacks.
The report found that, on average, DNSSEC reflection can turn an 80-byte query into a 2,313-byte response, an amplification factor of nearly 30 times. Traffic amplified at that rate can cause a network service outage during a DDoS attack.
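The amplification factor the report describes is simply response bytes divided by query bytes, and it is the figure a DNS operator would monitor to tell whether their server is being used as a reflector. The following is an added example, not code from the report or from Neustar: it parses a constructed, hypothetical resolver log format (the `client=`, `qsize=`, `rsize=` fields are assumptions, not any real software's output), computes the per-client amplification factor, and flags clients that are receiving many highly amplified responses. In a reflection attack the "client" address is the spoofed victim, so a flagged address is a sign the server is reflecting traffic at someone, not that the address is hostile.

```python
import re
from typing import Dict, List

# Constructed sample log lines in a hypothetical format (not from any real
# resolver): one line per answered query, with query and response sizes in
# bytes and the DNSSEC OK (DO) bit of the query. The 80-byte query and
# 2,313-byte response match the sizes quoted in the report.
SAMPLE_LOG = """\
1700000000.001 client=192.0.2.10 qname=example.com qtype=A do=0 qsize=44 rsize=60
1700000000.002 client=198.51.100.7 qname=example.com qtype=ANY do=1 qsize=80 rsize=2313
1700000000.003 client=198.51.100.7 qname=example.com qtype=ANY do=1 qsize=80 rsize=2313
1700000000.004 client=198.51.100.7 qname=example.com qtype=DNSKEY do=1 qsize=80 rsize=2313
1700000000.005 client=192.0.2.11 qname=example.com qtype=AAAA do=1 qsize=56 rsize=300
1700000000.006 client=198.51.100.7 qname=example.com qtype=ANY do=1 qsize=80 rsize=2313
this line is malformed and must be skipped
"""

# Regex for the constructed log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) do=(?P<do>[01]) qsize=(?P<qsize>\d+) rsize=(?P<rsize>\d+)$"
)


def amplification_factor(qsize: int, rsize: int) -> float:
    """Bytes sent back per byte received; 0.0 if the query size is unknown."""
    if qsize <= 0:
        return 0.0
    return rsize / qsize


def parse_log(text: str) -> List[Dict]:
    """Parse log lines into records, silently skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["qsize"] = int(rec["qsize"])
        rec["rsize"] = int(rec["rsize"])
        rec["dnssec"] = rec["do"] == "1"
        rec["factor"] = amplification_factor(rec["qsize"], rec["rsize"])
        records.append(rec)
    return records


def summarize_by_client(records: List[Dict]) -> Dict[str, Dict]:
    """Aggregate query count, bytes in/out and overall factor per client address."""
    summary: Dict[str, Dict] = {}
    for rec in records:
        entry = summary.setdefault(
            rec["client"], {"queries": 0, "bytes_in": 0, "bytes_out": 0, "dnssec": 0}
        )
        entry["queries"] += 1
        entry["bytes_in"] += rec["qsize"]
        entry["bytes_out"] += rec["rsize"]
        entry["dnssec"] += 1 if rec["dnssec"] else 0
    for entry in summary.values():
        entry["factor"] = amplification_factor(entry["bytes_in"], entry["bytes_out"])
    return summary


def flag_reflection_candidates(
    summary: Dict[str, Dict], min_factor: float = 10.0, min_queries: int = 3
) -> List[str]:
    """Return client addresses that received many heavily amplified responses.

    The thresholds are assumptions chosen for this example; tune them to the
    server's normal traffic. A hit means the server may be acting as a
    reflector toward that address (the likely spoofed victim).
    """
    return sorted(
        client
        for client, entry in summary.items()
        if entry["factor"] >= min_factor and entry["queries"] >= min_queries
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    per_client = summarize_by_client(recs)
    for client, entry in per_client.items():
        print(f"{client}: {entry['queries']} queries, factor {entry['factor']:.1f}")
    print("reflection candidates:", flag_reflection_candidates(per_client))
```

The natural response to a hit is on the server side: rate-limit responses per destination (response rate limiting), avoid serving open recursion to the world, and watch the size of responses to ANY and DNSKEY queries in particular, since those are the ones that carry the largest signature sets.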
“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” said Joe Loveless, Director Product Marketing, Security Services, Neustar. “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”