- Nov 30, 2012
http://www.infoworld.com/article/31...d-dnssec-servers-at-root-of-ddos-attacks.html
"DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack," said Neustar's Joe Loveless. "If DNSSEC is not properly secured, it can be exploited, weaponized, and ultimately used to create massive DDoS attacks."
In a study of more than 1,300 DNSSEC-protected domains, 80 percent could be used in such an attack, Neustar found.
The attacks rely on the fact that the ANY response for a DNSSEC-signed domain is significantly larger than the ANY response for an unsigned domain, because it carries the RRSIG signatures and DNSKEY key material alongside the ordinary records. The ANY query itself is no bigger than any other query; it produces a larger response because it asks the server to return every record type it holds for a name, including the mail server MX records and IP addresses. Spoofing the victim's address as the source of such queries turns the server into an amplifier: the attacker sends a few dozen bytes per query, and the victim receives the full response.
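To make the size difference concrete, the following is an added example, not code from the InfoWorld article or from Neustar's study. It builds a DNS ANY query in wire format (RFC 1035 header and question plus an RFC 6891 EDNS0 OPT record), then builds two constructed responses for a placeholder zone, one unsigned and one carrying DNSKEY and RRSIG records, and compares each to the query. The zone name `example.com.`, the TTLs, the key tag, timestamps and the 2048-bit RSA key and signature lengths are assumptions chosen to be realistic; the key and signature bytes are random filler, not real keys.

```python
"""
Added example (not from the InfoWorld article or Neustar): how much larger a
DNSSEC ANY response is than the query that triggered it. All record contents
are constructed placeholders; only the wire sizes matter here.
"""
import os
import struct

TYPE_A, TYPE_MX, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY, TYPE_ANY = 1, 15, 41, 46, 48, 255
CLASS_IN = 1
TXID = 0x1234            # fixed transaction ID so packets are reproducible
ZONE = "example.com."    # assumption: placeholder zone name


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression, for clarity)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600, rclass: int = CLASS_IN) -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_record(udp_payload: int = 4096, do_bit: bool = True) -> bytes:
    """EDNS0 OPT pseudo-RR (RFC 6891): root name, CLASS carries the UDP buffer
    size the sender accepts, TTL carries ext-RCODE/version/flags; flag bit 15
    is DO (DNSSEC OK), which asks the server to include RRSIG records."""
    flags = 0x8000 if do_bit else 0
    return rr(".", TYPE_OPT, b"", ttl=flags, rclass=udp_payload)


def build_any_query(name: str) -> bytes:
    """Header (RD set, QDCOUNT=1, ARCOUNT=1) + question + OPT record."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_ANY, CLASS_IN)
    return header + question + opt_record()


def build_any_response(name: str, answers: list) -> bytes:
    """Authoritative answer (QR, AA, RD, RA set) echoing the question and OPT."""
    header = struct.pack("!HHHHHH", TXID, 0x8580, 1, len(answers), 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_ANY, CLASS_IN)
    return header + question + b"".join(answers) + opt_record()


def unsigned_rrset(name: str) -> list:
    """What an unsigned zone returns to ANY here: one A and one MX record."""
    a = rr(name, TYPE_A, bytes([192, 0, 2, 10]))
    mx = rr(name, TYPE_MX, struct.pack("!H", 10) + encode_name("mail." + name))
    return [a, mx]


def dnssec_rrset(name: str) -> list:
    """The same zone signed with 2048-bit RSA (algorithm 8): adds two DNSKEYs
    (KSK and ZSK) and one RRSIG per RRset (A, MX, DNSKEY). Key and signature
    bytes are random placeholders of realistic length, not real keys."""
    records = unsigned_rrset(name)
    # DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key, where an RSA
    # key is exponent-length(1) + 3-byte exponent + 256-byte modulus.
    for flags in (257, 256):  # 257 = KSK (SEP bit set), 256 = ZSK
        pubkey = b"\x03\x01\x00\x01" + os.urandom(256)
        records.append(rr(name, TYPE_DNSKEY, struct.pack("!HBB", flags, 3, 8) + pubkey))
    # RRSIG RDATA: type covered(2) alg(1) labels(1) original TTL(4)
    # expiration(4) inception(4) key tag(2) signer name, then the signature.
    for covered in (TYPE_A, TYPE_MX, TYPE_DNSKEY):
        fixed = struct.pack("!HBBIIIH", covered, 8, 2, 3600, 1356825600, 1354233600, 12345)
        records.append(rr(name, TYPE_RRSIG, fixed + encode_name(name) + os.urandom(256)))
    return records


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the target receives per byte the sender put on the wire."""
    return round(len(response) / len(query), 1)


if __name__ == "__main__":
    query = build_any_query(ZONE)
    plain = build_any_response(ZONE, unsigned_rrset(ZONE))
    signed = build_any_response(ZONE, dnssec_rrset(ZONE))
    print(f"query: {len(query)} bytes")
    print(f"unsigned ANY response: {len(plain)} bytes, x{amplification_factor(query, plain)}")
    print(f"DNSSEC ANY response:   {len(signed)} bytes, x{amplification_factor(query, signed)}")
```

With these placeholder records the query is 40 bytes, the unsigned response 110 bytes and the signed response 1614 bytes, so the signed zone hands an attacker roughly 40 bytes of response per byte sent. Two details matter for a real server: without the OPT record advertising a large UDP buffer a server truncates at 512 bytes and sets TC, forcing a TCP retry that cannot be spoofed, and without the DO bit many servers omit the RRSIG records, so both are part of what makes the signed response large. Later mitigations target exactly this asymmetry: response rate limiting on the authoritative side, minimal answers to ANY (RFC 8482), and source-address validation (BCP 38) at the network edge.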