Attackers launch multi-vector DDoS attacks that use DNSSEC amplification

Researchers from Akamai observed multiple attacks abusing DNSSEC-enabled domains for DDoS amplification

DDoS attacks are becoming increasingly sophisticated, combining multiple attack techniques that require different mitigation strategies, and abusing new protocols.

Incident responders from Akamai recently helped mitigate a DDoS attack against an unnamed European media organization that peaked at 363G bps (bits per second) and 57 million packets per second.

While the size itself was impressive and way above what a single organization could fight off on its own, the attack also stood out because it combined six different techniques, or vectors: DNS reflection, SYN flood, UDP fragment, PUSH flood, TCP flood, and UDP flood.

Almost 60 percent of all DDoS attacks observed during the first quarter of this year were multi-vector attacks, Akamai said in a report released last month. The majority of them used two vectors, and only 2 percent used five or more techniques.

The DNS (Domain Name System) reflection technique used in this large attack was also interesting, because attackers abused DNSSEC-enabled domains in order to generate larger responses.

DNS reflection involves abusing misconfigured DNS resolvers that respond to spoofed requests. Attackers can send DNS queries to these servers on the Internet by specifying the target's Internet Protocol (IP) address as the request's source address. This causes the server to direct its response to the victim instead of the real source of the DNS query.

This reflection is valuable for attackers because it hides the real source of the malicious traffic and because it can have an amplification effect: the responses sent to the victim by DNS servers are larger in size than the queries that triggered them, allowing attackers to generate more traffic than they could otherwise.

The use of queries for domain names configured for Domain Name System Security Extension (DNSSEC) only adds to the amplification factor, as DNSSEC responses are even larger than regular ones. That's because they have additional data used for the cryptographic verification.

DNSSEC allows clients to authenticate the source of DNS data as well as the data's integrity, ensuring that DNS responses haven't been altered en route and were provided by the authoritative servers for the queried domain names.

"During the past few quarters, Akamai has observed and mitigated many DNS reflection and amplification DDoS attacks that abuse DNSSEC-configured domains," the Akamai researchers said in an advisory released Tuesday.

The company has observed the same DNSSEC-configured domain name being abused in DDoS amplification attacks against targets in different industries.

A separate Akamai advisory released Tuesday describes several DDoS campaigns this year against the network of the Massachusetts Institute of Technology. One of those attacks occurred in April and used DNS reflection by triggering responses for cpsc.gov and isc.org, two DNSSEC-enabled domain names.

"The domain owners themselves are not at fault and don't feel the effects of these attacks," the Akamai researchers said. "Attackers abuse open resolvers by sending a barrage of spoofed DNS queries where the IP source is set to be the MIT target IP. Most of these servers will cache the initial response so multiple queries are not made to the authoritative name servers."

Unfortunately, DNS is not the only protocol that can be used for DDoS amplification. The NTP, CHARGEN and SSDP protocols are also commonly used in such attacks and, unfortunately, as long as misconfigured servers and devices are available on the Internet, this technique will continue to be favored by attackers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?