Attackers launch multi-vector DDoS attacks that use DNSSEC amplification

Researchers from Akamai observed multiple attacks abusing DNSSEC-enabled domains for DDoS amplification

DDoS attacks are becoming increasingly sophisticated, combining multiple attack techniques that require different mitigation strategies, and abusing new protocols.

Incident responders from Akamai recently helped mitigate a DDoS attack against an unnamed European media organization that peaked at 363G bps (bits per second) and 57 million packets per second.

While the size itself was impressive and way above what a single organization could fight off on its own, the attack also stood out because it combined six different techniques, or vectors: DNS reflection, SYN flood, UDP fragment, PUSH flood, TCP flood, and UDP flood.

Almost 60 percent of all DDoS attacks observed during the first quarter of this year were multi-vector attacks, Akamai said in a report released last month. The majority of them used two vectors, and only 2 percent used five or more techniques.

The DNS (Domain Name System) reflection technique used in this large attack was also interesting, because attackers abused DNSSEC-enabled domains in order to generate larger responses.

DNS reflection involves abusing misconfigured DNS resolvers that respond to spoofed requests. Attackers can send DNS queries to these servers on the Internet by specifying the target's Internet Protocol (IP) address as the request's source address. This causes the server to direct its response to the victim instead of the real source of the DNS query.

This reflection is valuable for attackers because it hides the real source of the malicious traffic and because it can have an amplification effect: the responses sent to the victim by DNS servers are larger in size than the queries that triggered them, allowing attackers to generate more traffic than they could otherwise.

The use of queries for domain names configured for Domain Name System Security Extension (DNSSEC) only adds to the amplification factor, as DNSSEC responses are even larger than regular ones. That's because they have additional data used for the cryptographic verification.

DNSSEC allows clients to authenticate the source of DNS data as well as the data's integrity, ensuring that DNS responses haven't been altered en route and were provided by the authoritative servers for the queried domain names.

"During the past few quarters, Akamai has observed and mitigated many DNS reflection and amplification DDoS attacks that abuse DNSSEC-configured domains," the Akamai researchers said in an advisory released Tuesday.

The company has observed the same DNSSEC-configured domain name being abused in DDoS amplification attacks against targets in different industries.

A separate Akamai advisory released Tuesday describes several DDoS campaigns this year against the network of the Massachusetts Institute of Technology. One of those attacks occurred in April and used DNS reflection by triggering responses for cpsc.gov and isc.org, two DNSSEC-enabled domain names.

"The domain owners themselves are not at fault and don't feel the effects of these attacks," the Akamai researchers said. "Attackers abuse open resolvers by sending a barrage of spoofed DNS queries where the IP source is set to be the MIT target IP. Most of these servers will cache the initial response so multiple queries are not made to the authoritative name servers."

Unfortunately, DNS is not the only protocol that can be used for DDoS amplification. The NTP, CHARGEN and SSDP protocols are also commonly used in such attacks and, unfortunately, as long as misconfigured servers and devices are available on the Internet, this technique will continue to be favored by attackers.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?