DNSSEC abuse: how an additional layer of security is being exploited for DDoS attacks


If you’ve spent any time at all living on this earth, you know that “the road to hell is paved with good intentions” isn’t so much a pithy saying as it is a fact of life. And so it goes with efforts to make the internet more secure.

When the domain name system (DNS) was found to be vulnerable to hijacking and spoofing, DNSSEC was developed to slam the door on that vulnerability. So then, naturally, attackers found a way to exploit DNSSEC for reflection distributed denial of service (DDoS) attacks. Because when good intentions close a door, they inadvertently open a window.

DNS details

The domain name system is made possible by domain name servers, which help the internet work by acting as translators between humans and machines. When a person types a domain name into their browser, google.com, for instance, a domain name server matches that human-readable name to a numeric IP address. Using that IP address, your browser takes you to the website you’re attempting to visit. When DNS works as it’s supposed to, that is.

Where it all goes wrong

For the internet to function efficiently, internet-facing computers had to inherently trust that domain name servers were sending them where they were supposed to go. If you typed in facebook.com, your browser would believe you were being taken to facebook.com and that was that.

But as it turned out, that was not that. The fact that computers accepted these addresses without requiring any further credentials was in fact a decades-old vulnerability that was ripe for exploitation, and exploited it was, in the form of DNS server spoofing.

According to DDoS protection services provider Imperva Incapsula’s spoofing definition, DNS server spoofing is a form of IP spoofing in which attackers modify a trusted DNS server in order to redirect a domain name to a different IP address.

So for instance, while a user would see Facebook in their browser’s address bar and would be on a site that looked like Facebook, they would actually be on a website controlled by attackers. As Incapsula points out, this was commonly done to spread viruses.

The solution, and the problem with it

In order to rid DNS of this vulnerability, DNS security extensions were developed. They’re known as DNSSEC. DNSSEC is now the recommended implementation of DNS on modern servers, and it creates a secure DNS by adding digital signatures to existing DNS records so that a resolver can verify that the answer it received is authentic and unaltered.

In order to be enabled, DNSSEC has to be configured by webmasters. Webmasters are people, and people as you may have heard are not perfect, and neither are many DNSSEC configurations. The end result of this is, unfortunately, DDoS attacks.

In order to perpetrate these attacks using DNSSEC, attackers send DNS queries of type ANY to a DNS server that serves a DNSSEC-signed domain. An ANY query instructs the server to respond with all of the DNS records it holds for that name, digital signatures included.

This can be a problem because using another form of IP spoofing, attackers can use a fake sender IP address. The fake address used will be that of the target website, and that’s where the DNS server sends the hefty DNS responses, hitting the target with junk traffic that can pile up on the target’s server and even render it unusable.

This is both a reflection and an amplification DDoS attack, because while the initial request to the DNS server was a mere 80 bytes, the response sent to the target by the server is a minimum of 2,313 bytes and can go all the way up to over 17,000 bytes.

That gives these DNSSEC-based reflection attacks an amplification factor ranging from 28.9 to 217.2. A lot of bang for an attacker’s buck, in other words.
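The pattern just described is visible from the reflecting server’s side: one “client” (really the spoofed address of the victim) sends a stream of tiny ANY queries and receives huge signed responses. The following Python detector is an added example, not code from the original article or from Imperva Incapsula; it runs over a constructed query-log format (real servers such as BIND or Unbound log differently, so the regular expression would need adapting), and the sample lines, client addresses and thresholds are all assumptions made for the example. The 80-byte request and 2,313/17,376-byte responses in the sample reproduce the 28.9 and 217.2 amplification factors above.

```python
"""Flag clients of a DNS server whose traffic looks like ANY-query reflection.

Added example (not part of the original article). The log format below is
constructed for this example and is not the format of any real DNS server.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed (hypothetical) log line, one per query answered:
#   <timestamp> client=<ip> qname=<name> qtype=<type> req=<bytes> resp=<bytes>
LOG_RE = re.compile(
    r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)\s+"
    r"req=(?P<req>\d+)\s+resp=(?P<resp>\d+)"
)

# Constructed sample traffic. 203.0.113.7 plays the spoofed victim address
# (every query from it is an ANY query with a tiny request and a large,
# signed response); the other two clients are ordinary resolvers.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z client=203.0.113.7 qname=example.com. qtype=ANY req=80 resp=2313
2024-05-01T10:00:00Z client=198.51.100.5 qname=www.example.com. qtype=A req=60 resp=140
2024-05-01T10:00:01Z client=203.0.113.7 qname=example.com. qtype=ANY req=80 resp=17376
2024-05-01T10:00:01Z client=192.0.2.9 qname=example.com. qtype=ANY req=45 resp=500
2024-05-01T10:00:01Z client=203.0.113.7 qname=example.com. qtype=ANY req=80 resp=2313
2024-05-01T10:00:02Z client=198.51.100.5 qname=mail.example.com. qtype=MX req=61 resp=190
2024-05-01T10:00:02Z client=203.0.113.7 qname=example.com. qtype=ANY req=80 resp=2313
this line is malformed and must be skipped by the parser
"""


@dataclass
class ClientStats:
    queries: int = 0
    any_queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0
    max_single_amp: float = 0.0  # largest resp/req ratio seen for one query

    @property
    def amplification(self) -> float:
        """Bytes we sent back per byte we received from this client."""
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["req"] = int(rec["req"])
    rec["resp"] = int(rec["resp"])
    return rec


def aggregate(lines: Iterable[str]) -> Dict[str, ClientStats]:
    """Accumulate per-client counters from the log lines."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s.queries += 1
        s.req_bytes += rec["req"]
        s.resp_bytes += rec["resp"]
        if rec["qtype"].upper() == "ANY":
            s.any_queries += 1
        if rec["req"]:
            s.max_single_amp = max(s.max_single_amp, rec["resp"] / rec["req"])
    return dict(stats)


def flag_reflection_sources(stats: Dict[str, ClientStats],
                            min_any: int = 3,
                            min_amp: float = 10.0) -> List[str]:
    """Clients that sent at least `min_any` ANY queries and received at least
    `min_amp` bytes per byte sent. Both thresholds are assumptions for this
    example; tune them against the server's own baseline traffic."""
    return sorted(ip for ip, s in stats.items()
                  if s.any_queries >= min_any and s.amplification >= min_amp)


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG.splitlines())
    for ip in flag_reflection_sources(stats):
        s = stats[ip]
        print(f"{ip}: {s.any_queries} ANY queries, overall amplification "
              f"x{s.amplification:.1f}, worst single response x{s.max_single_amp:.1f}")
```

A flagged address is the victim, not the attacker, so the useful server-side responses are to stop being a good reflector rather than to block that address: answer ANY queries minimally (RFC 8482 describes this, and it is what a setting such as BIND’s `minimal-any` does) and apply response rate limiting so a single address cannot be sent thousands of multi-kilobyte answers per second.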

Reflection-based DDoS attacks like these are bad enough on their own, but they’re also frequently combined with other attack vectors that can thoroughly thump an unprotected website into the figurative ground.

What website owners need to take away from this

In general, you want to avoid leaving your website’s security in the hands of random ‘other’ people. So if you’re waiting for all of those webmasters to fix their DNSSEC configurations to better control those ANY responses, get comfy because you’re going to be waiting for a good long while.

In order to avoid the devastating downtime and other potential consequences that come with a DDoS attack (software damage, hardware damage, user frustration, theft of confidential data, and cold hard monetary costs, to name a few) you need to be proactive about investing in DDoS protection.

This is the only way for you as a website owner to control what a DNS server is going to throw at you. Instead of relying on the good intentions of others, rely on your own fervent belief in Murphy’s Law.

