DDoS & DNSSEC

John Connor

Lifer
Nov 30, 2012
http://www.infoworld.com/article/31...d-dnssec-servers-at-root-of-ddos-attacks.html

"DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack," said Neustar's Joe Loveless. "If DNSSEC is not properly secured, it can be exploited, weaponized, and ultimately used to create massive DDoS attacks."

In a study of more than 1,300 DNSSEC-protected domains, 80 percent could be used in such an attack, Neustar found.

The attacks rely on the fact that the size of the ANY response from a DNSSEC-signed domain is significantly larger than the ANY response from a non-DNSSEC domain because of the accompanying digital signature and key exchange information. The ANY request is larger than a normal server request because it asks the server to provide all information about a domain, including the mail server MX records and IP addresses.
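The quoted passage describes why ANY queries against a signed zone make a good reflector: the response carries RRSIG and DNSKEY data, so it is many times larger than the request. The following is an added example, not code from the InfoWorld article or from Neustar: it runs over constructed log lines written in the style of a BIND 9 query log and flags source addresses that send bursts of ANY queries. The log format, the two-second window and the threshold of five are assumptions for illustration. Because the attacker spoofs the victim's address, the flagged "client" is the address the amplified responses are being sent to, not the attacker.

```python
"""Flag bursts of DNS ANY queries in a BIND-style query log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Format follows BIND 9 query logging
# ("client IP#port (zone): query: name IN type flags (server)"); assumed here.
SAMPLE_LOG = """\
30-Nov-2012 12:00:01.001 client 198.51.100.7#4321 (example.org): query: example.org IN A +E (192.0.2.53)
30-Nov-2012 12:00:01.010 client 203.0.113.9#1234 (example.org): query: example.org IN ANY +E (192.0.2.53)
30-Nov-2012 12:00:01.020 client 203.0.113.9#1234 (example.org): query: example.org IN ANY +E (192.0.2.53)
30-Nov-2012 12:00:01.030 client 203.0.113.9#1234 (example.org): query: example.org IN ANY +E (192.0.2.53)
30-Nov-2012 12:00:01.040 client 192.0.2.200#5555 (example.org): query: example.org IN ANY +E (192.0.2.53)
30-Nov-2012 12:00:01.050 client 203.0.113.9#1234 (example.org): query: example.org IN ANY +E (192.0.2.53)
30-Nov-2012 12:00:01.060 client 203.0.113.9#1234 (example.org): query: example.org IN ANY +E (192.0.2.53)
30-Nov-2012 12:00:01.500 client 198.51.100.7#4321 (example.org): query: example.org IN MX +E (192.0.2.53)
30-Nov-2012 12:00:01.900 client 203.0.113.9#1234 (example.org): query: example.org IN ANY +E (192.0.2.53)
30-Nov-2012 12:00:04.000 client 192.0.2.200#5555 (example.org): query: example.org IN ANY +E (192.0.2.53)
30-Nov-2012 12:00:07.000 client 192.0.2.200#5555 (example.org): query: example.org IN ANY +E (192.0.2.53)
this line is not a query log entry and is skipped
"""

# Timestamp, client address, zone, query name, query type and flags ("+E" = EDNS,
# which is what lets a UDP response grow well past 512 bytes).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qtype, uses_edns) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qtype"), "E" in m.group("flags")


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = 0
    start = 0
    for end, t in enumerate(times):
        # Slide the window start forward until it is within `window` of `t`.
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_any_reflection(lines, window=timedelta(seconds=2), threshold=5):
    """Map client IP -> peak ANY-query count per window, for IPs at or above `threshold`.

    Only ANY queries are counted; A, MX and other types are ignored, so a busy
    but ordinary resolver client is not flagged.
    """
    any_times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qtype, _uses_edns = parsed
        if qtype == "ANY":
            any_times[ip].append(ts)

    flagged = {}
    for ip, ts_list in any_times.items():
        peak = max_in_window(ts_list, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in flag_any_reflection(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} ANY queries in a 2 s window; likely spoofed victim address")
```

On the sample, only 203.0.113.9 is reported (six ANY queries inside one two-second window); 192.0.2.200 also sends ANY queries but spread over six seconds, so it stays under the threshold. On a real server the same signal is what BIND's response rate limiting (the `rate-limit` block) and its `minimal-any` option are designed to address: the former throttles identical responses to one address, the latter shrinks what an ANY query over UDP gets back.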
 

John Connor

Lifer
Nov 30, 2012
IDK, the author is pretty pessimistic about DNSSEC and seems to think it's hard to deploy. It only took me a minute or two to add DNSSEC with CloudFlare and my DNS provider, Namesilo.