It won’t be news to readers of this blog that Distributed Denial of Service attacks are a growing problem. This July, a European media company was the victim of an attack that peaked at 363 Gbps. The volume of the attack is par for the course these days, but it is interesting to note that the attackers used several vectors to amplify the attack, including DNSSEC.
For those who aren’t familiar, here’s how a typical reflected amplified DDoS attack works. Even the most well-equipped of attackers don’t have access to the amount of bandwidth we commonly see deployed in DDoS attacks. To achieve such huge volumes of data, they need to amplify their bandwidth. There are many ways to do this, but a typical approach is to use open DNS servers.
An open DNS server takes DNS requests and issues responses to them. DNS requests are small. DNS responses are often much larger than the initial request. For a standard request/response, the ratio is around 1:12. For every one byte the attacker sends the DNS server, it responds with 12 bytes. You can see how this is a useful behavior for attackers — they gain an immediate multiplication of their available bandwidth.
But an attacker doesn’t want to flood themselves with DNS responses, which is what would happen if the response was sent to the requester. So, when the attacker sends the request, they spoof the origin point — something that’s easy to do — so that responses are sent to the victim. A sufficient quantity of tiny DNS requests, amplified by the DNS servers, and sent to the victim, is enough to knock all but the largest network interfaces offline.
DNS — like email — was never designed to be secure. It was created when the internet was young, and everyone who used it could trust everyone else. Needless to say, it’s not like that now. DNSSEC is an attempt to retrofit DNS with security features while maintaining compatibility. DNSSEC-equipped DNS servers use public-key cryptography to digitally sign DNS responses, ensuring that the data received by the requester is the same as the data that was served.
You may be able to see the problem here. DNS responses from DNSSEC-protected domains are much larger than standard replies because they include extra data used to cryptographically verify their content. That’s a gift for attackers, and is why we’re seeing so many more attacks that throw DNSSEC amplification into the mix.
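To make the amplification ratios above concrete from the defender’s side, here is an added example (not code from the original post) that runs over a few constructed resolver log lines, computes the response-to-request byte ratio per source address, and flags sources whose ratio sits far above the roughly 12:1 of an ordinary lookup. The log format is an assumption for the example; note that in a reflection attack the "client" address a resolver logs is the spoofed victim, so a flagged address is the one being targeted and the traffic to rate-limit, not an attacker to block.

```python
"""Spot likely DNS reflection/amplification traffic in a resolver's query log.

Added example, not from the original post. Assumes a simple space-separated
log line (constructed for this example; real resolver logs differ):
    seq client_ip qtype dnssec_ok request_bytes response_bytes
"""
from collections import defaultdict

# Constructed sample log lines; the addresses are documentation ranges.
# 198.51.100.7 sends repeated DNSSEC-enabled ANY queries whose replies
# are tens of times larger than the requests.
SAMPLE_LOG = """\
1 203.0.113.10 A 0 45 110
2 203.0.113.10 MX 0 47 180
3 198.51.100.7 ANY 1 57 3890
4 198.51.100.7 ANY 1 57 3902
5 198.51.100.7 ANY 1 57 3877
6 192.0.2.99 AAAA 1 52 410
"""


def parse_log(text):
    """Turn the constructed log format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        _seq, client, qtype, do_bit, req, resp = line.split()
        rows.append({"client": client, "qtype": qtype, "dnssec": do_bit == "1",
                     "req_bytes": int(req), "resp_bytes": int(resp)})
    return rows


def amplification_by_client(rows):
    """Return {client: (request bytes, response bytes, response/request ratio)}."""
    totals = defaultdict(lambda: [0, 0])
    for r in rows:
        totals[r["client"]][0] += r["req_bytes"]
        totals[r["client"]][1] += r["resp_bytes"]
    return {c: (req, resp, resp / req) for c, (req, resp) in totals.items()}


def flag_suspects(rows, ratio_threshold=30.0, min_queries=3):
    """Clients whose aggregate ratio exceeds the threshold over enough queries.

    The default threshold is well above the ~12x of a normal lookup; the
    DNSSEC-laden ANY replies in the sample push the ratio far past it.
    """
    counts = defaultdict(int)
    for r in rows:
        counts[r["client"]] += 1
    ratios = amplification_by_client(rows)
    return sorted(c for c, (_, _, ratio) in ratios.items()
                  if ratio >= ratio_threshold and counts[c] >= min_queries)
```

The flagged list is the input to response rate limiting or to a conversation with the upstream network about source-address filtering, which is the root fix for the spoofing the post describes.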
The whole issue is a reminder that the internet is, in some respects, a fragile system. We’re still dealing with a technological legacy from decades ago, and “solutions” like DNSSEC don’t really hold the answer.