Story image

The next major DDoS battleground: DNSSEC a 'significant new risk'

21 Mar 18

Distributed Denial of Service (DDoS) attacks using amplification to increase severity grew 110% in the fourth quarter of 2017 compared to the same quarter in 2016.

Nexusguard’s Q4 2017 Threat Report says that Domain Name System Security Extensions (DNSSEC) are to blame for the massive increase.

Although DNSSEC tools are designed to add integrity and security to the DNS protocol, they can be a ‘significant new risk’ if they are not properly configured.

DNSSEC-enabled servers can be specific targets in order to reflect amplification attacks because of the large response sizes they generate.

Nexusguard explains how a DNSSEC attack works:

“The extra security DNSSEC provided relies on resource-intensive data verification using public keys and digital signatures. Consequently, the size of DNS response packets becomes significantly larger than the original queries, which drastically increases the computational load on DNS servers as well as query response times.”

“The extra workload translates into an “amplification factor” that attackers leverage to generate DNS amplification attacks. To measure the potential amplitude of an amplification factor, we sent queries with a packet size of 81 bytes to activum.nu. The nameserver responded at 6,156 bytes, approximately 76 times the packet size of the original queries.”

The overall number of DDoS attacks dropped 12%, however Nexusguard warns that DNSSEC attacks may spawn a new class of powerful botnets.

"Enterprises have worked hard to patch against snooping, hijacking and other DNS abuses; however, improperly configured DNSSEC-enabled nameservers may be a new plague for unprepared teams," comments Nexusguard chief technology officer Juniman Kasman.

"Admins and IT teams need to check security for the entire network, as well as correctly configure DNSSEC on the domain to properly harden servers against these new attacks."

Attackers are also using multi-vector attacks that include a mix of network time protocol (NTP), universal datagram protocol (UDP), DNS and other vectors.

DNS amplification, UDP, and IP fragmentation contributed for the top three attack vectors in the quarter, with 16.10%, 15.31%, and 12.18% respectively.

The report says that more than 56% of attacks exploit multi-vector combinations.

The report also found that China and the United States continue to reign as the two top DDoS attack source countries in Q4. China accounted for 21.8% of all attacks. South Korea climbed to third place and accounted for almost 6% of global attacks.

In APAC, the top 10 DDoS attack source countries include China; South Korea; Vietnam; India; Thailand; Indonesia; Taiwan; Hong Kong; Nepal; and Singapore.

Globally, 49.3% of attacks ranged between 1Gbps and 10Gbps. 20.8% of attacks were more than 10Gbps. The largest attack in Q4 measured 231.32Gbps.

69% of global attacks lasted fewer than 90 minutes. These attacks occurred during peak operation hours, resulting in service downtime for affected businesses. The longest attack went for 1200 minutes.

How to stay safe when shopping online
Online shopping is a great way to avoid the crowds – but there are risks.
Dell EMC embeds security in latest servers
Dell EMC's 14th generation of PowerEdge servers has comprehensive management tools to provide security across hardware and firmware.
Why data backups should be a part of daily operations
"Disaster recovery needs to address complete system failure and provide a set of security policies to govern disaster incidents."
Businesses focusing on threats from within - survey
Over 50% of respondents reported that 100 days of dwell time or more was representative of their organisation.
Corelight and Exabeam partner to improve network monitoring
The combination of lateral movement and siloed usage of point security products leaves many security teams vulnerable to compromise.
SailPoint releases first identity annual report
SailPoint’s research found that many organisations are lacking maturity in their governance processes over identities.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.