DNSSEC Reflection Presents Severe DDoS Risk

Posted on 8.18.2016

Neustar has released a research report detailing how the Domain Name System Security Extensions (DNSSEC) can be subverted as an amplifier in distributed denial-of-service (DDoS) attacks.

The report revealed that, on average, DNSSEC reflection can transform an 80-byte query into a 2,313-byte response, an amplification factor of nearly 30 times. That can cause a network service outage during a DDoS attack.

“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” said Joe Loveless, Director Product Marketing, Security Services, Neustar. “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”
