Is DNSSEC causing more problems than it solves?
New paper points to security protocol as vector for DDoS attacks
The complex security protocol for the domain name system – DNSSEC – has another black mark against it: it is being used as a way to carry out distributed denial-of-service (DDoS) attacks.
That's according to a security bulletin [PDF] by Akamai that notes it has "observed and successfully mitigated a large number of DNS reflection and amplification DDoS attacks abusing a Domain Name System Security Extension (DNSSEC) configured domain."
Simply put, DNSSEC uses larger-than-normal DNS responses as a way of adding extra security: it is used to verify that the data sent came from a specific source and was not tampered with on the way.
However, that extra size is also ideal for those wishing to carry out distributed denial of service (DDoS) attacks. In the past three months, Akamai says it has seen no less than 400 such attacks using a DNSSEC-signed domain.
Specifically, an attacker sends a corrupted network packet to a certain server that then reflects it back to the victim. Using flaws in DNSSEC, it is possible to use that extra-large response as a way to amplify the number of packets sent – anywhere up to 100 times (though typically far less). That makes it an extremely effective tool in efforts to take servers offline.
The bulletin notes that attackers are sometimes registering their own domains solely to use them in amplification attacks – one example it gives is 'hajjamservices.xyz' – and it screenshots a tweet from infosec bod Frank Denis highlighting that 'cpsc.gov' was being used to do the same. Other examples are easily found.
The result of this can be significant: Akamai shares the details of one attack it mitigated against a financial institution in which it saw 45.17 Gigabits per second fired at the company, equating to 5.2 million packets. The biggest target however is the online gaming market.
The introduction and use of DNSSEC has been controversial for over a decade due to its cost and complexity and, most recently, the argument that it could be used by governments to monitor communications.
However, its usage and adoption is steadily growing and in 2014, DNS overseer ICANN determined that all new generic top-level domains would have to use DNSSEC, which means the majority of top-level domains will shortly be using the protocol.
Of course, the protocol has its defenders. Technology manager at the Internet Society and former CTO of RIPE, Andrei Robachevsky, has written a blog post in response to Akamai's bulletin in which he argues that there is "a trade-off between the increased security provided by DNSSEC and increased size of DNS responses that can be leveraged by the attackers."
DNSSEC is being used for the attacks but the "real culprits" are poorly configured systems across the internet that allow for spoofed IP addresses, and "remote applications that will respond to requests coming from compromised hosts."
In other words, it is the age-old struggle to get everyone on a massively distributed network to do a decent job of ensuring their systems are not abused. While DNSSEC works fine for the well-managed parts of the DNS to ensure security, it also makes the poorly managed parts more of a liability.
The solution? Most DNS experts will argue it is not to go backwards in terms of security, but to develop more tools and push for greater education of the risks and the ways to resolve them. ®