September 16, 2019

DNSSEC Fuels New Wave of DNS Amplification

According to Nexusguard Research, DNS amplification attacks (8,382 counts) contributed to the largest share of attack activities in Q2 2019, accounting for 65.95%. During the period, Nexusguard's honeypot network captured 144,465,553 malicious DNS queries. 


Based on attack patterns, the amplification factor of these incidents ranged between 36X-72X. Compared with the maximum amplification power of memcached attacks, the destructive power of these attacks is considerably smaller. Nevertheless, the size is more than enough to inflict DDoS effects on victimized networks.


The observation that multiple government domains (as well as fell victim to rampant abuses is surprising at first sight. Closer scrutiny, however, suggests that many of these domains had actually deployed DNSSEC to the top-level .gov domain as required by the U.S. government’s OMB mandate. There is a strong causal relation between DNSSEC implementation and increased DNS Amplification because, due to the large size of responses they generate, DNSSEC-enabled servers are at risk of being targeted to reflect amplification attacks.


DNSSEC (Domain Name System Security Extensions) was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. However, as the table below shows, comparing the amplification factors of the 10 most frequently abused domains before and after DNSSEC adoption, the amplification power of a domain's DNS server surged to more than 45.28X (up from 4.53X) once DNSSEC was deployed.
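The amplification factor the report quotes is the ratio of reflected response bytes to request bytes, so the request size matters as much as the response. The following added example (not code from the report or from Nexusguard) builds a real wire-format DNS query with the stdlib, including the EDNS0 OPT record whose DO bit asks a server to include DNSSEC signature and key data, and divides constructed response sizes by the query's actual length. The name example.gov and the response sizes 180 and 1800 bytes are constructed sample values, not measurements.

```python
import struct

# Added example: builds a real wire-format DNS query (RFC 1035 header and
# question, plus an EDNS0 OPT record per RFC 6891) so that the request size
# used in the amplification ratio is the actual on-the-wire byte count.
# Response sizes used below are constructed sample values, not measurements.

QTYPE = {"A": 1, "TXT": 16, "RRSIG": 46, "DNSKEY": 48, "ANY": 255}


def build_query(qname: str, qtype: str, edns_bufsize: int = 4096,
                dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Return the DNS payload (no IP/UDP headers) for a single-question query."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0,
    # ARCOUNT=1 when an EDNS0 OPT record is appended.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    # Question: length-prefixed labels, root terminator, QTYPE, QCLASS=IN
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", QTYPE[qtype], 1)
    additional = b""
    if edns_bufsize:
        # OPT pseudo-RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL field carrying the DO ("DNSSEC OK") bit, RDLENGTH=0.
        # A large advertised buffer plus DO is what lets a signed zone answer
        # a tiny query with kilobytes of RRSIG/DNSKEY data in one UDP packet.
        ttl_flags = 0x00008000 if dnssec_ok else 0
        additional = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, ttl_flags, 0)
    return header + question + additional


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes reflected per byte sent."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    query = build_query("example.gov", "ANY")
    print(f"ANY query for example.gov: {len(query)} bytes at the DNS layer")
    # Constructed response sizes for the same name: unsigned vs DNSSEC-signed zone
    for label, resp in (("no DNSSEC", 180), ("with DNSSEC", 1800)):
        factor = amplification_factor(len(query), resp)
        print(f"{label:12s} response {resp:5d} bytes -> {factor:.1f}x")
```

The query comes out at 40 bytes at the DNS layer (29 without EDNS0); add 28 bytes of IPv4 and UDP headers if you want the factor measured on the wire, which lowers the ratio slightly. The constructed sizes are chosen only to show the order of magnitude: the same 40-byte request that yields a 4.5x ratio against a small unsigned answer yields 45x once the answer carries signatures and keys.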



[Table: Top 10 domains abused to generate DNS amplification attacks. Columns: Amp Factor (no DNSSEC), Amp Factor (with DNSSEC). Per-domain rows are not preserved in this copy of the page.]


Clearly, DNSSEC is a very cost-effective resource for attackers seeking to reflect amplification attacks. While intended to be a patch to DNS poisoning, DNSSEC has had the unintended consequence of creating yet another DDoS vulnerability. 


DNS security becomes a growing concern 

The rampant abuses of this DNSSEC vulnerability demonstrate DDoS attackers’ pursuit of more stealthy, resource-effective tactics. Against this background, service providers and enterprises must better prepare their networks for the continued rise of DNS amplification attacks. 


The effectiveness of DNS amplification attack mitigation hinges on whether the defender's bandwidth capacity is large enough to absorb the reflected traffic. However, as DNS amplification attacks continue to increase and as more DNS servers are likely to be abused to amplify malicious traffic, the asymmetry between attackers and defenders will only widen as time goes by.


For perpetrators, the cost of launching DNS amplification attacks is and will remain low as long as they keep using the simple “ANY” query. In the past, they first needed to identify domains whose DNS records were long enough to provide worthwhile amplification power.


Now that the implementation of DNSSEC is gaining momentum, more domains are equipped with an unintended capability that can be exploited to amplify malicious traffic by 36-72 times, making them an ideal launchpad for powerful attacks.


One traditional mitigation method is to drop abnormal DNS requests originating from the most frequently abused domains, such as,, etc. In doing so, the number of requests to the same domains or source IPs also has to be limited. Another commonly used method is to block all “ANY” queries outright. 


But given the growing DNS security risk, which even exposes government networks to rampant abuses, the old way of protecting the DNS is no longer sufficient. Attackers can evade these simple protections by sending small requests to a large number of different domains. Organizations worldwide need advanced protection to safeguard their DNS servers.  
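The two traditional controls above (refusing “ANY” queries, and limiting the number of requests per source address or per domain) can be expressed as a small policy over an authoritative server's query log. The following added example (not code from the report, from Nexusguard, or from any DNS server) runs both checks over a handful of constructed, simplified BIND-style log lines. Every address, name and timestamp in it is made up; the rate limit is counted per source across all query names, which is the part that still applies when a sender spreads small requests over many different domains, as the last paragraph describes.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed, simplified BIND-style query log lines (not real Nexusguard data).
# 198.51.100.7 plays the address a reflection attack would spoof: one ANY
# query, then a burst of small queries spread over many different names.
SAMPLE_LOG = """\
16-Sep-2019 10:00:01.000 client 198.51.100.7#53 (example.gov): query: example.gov IN ANY +E(0)DK (203.0.113.5)
16-Sep-2019 10:00:01.200 client 198.51.100.7#53 (example.gov): query: example.gov IN TXT +E(0)DK (203.0.113.5)
16-Sep-2019 10:00:02.000 client 203.0.113.9#41523 (www.example.gov): query: www.example.gov IN A +E(0)K (203.0.113.5)
16-Sep-2019 10:00:02.100 client 198.51.100.7#53 (a.example.gov): query: a.example.gov IN DNSKEY +E(0)DK (203.0.113.5)
16-Sep-2019 10:00:02.200 client 198.51.100.7#53 (b.example.gov): query: b.example.gov IN DNSKEY +E(0)DK (203.0.113.5)
16-Sep-2019 10:00:02.300 client 198.51.100.7#53 (c.example.gov): query: c.example.gov IN DNSKEY +E(0)DK (203.0.113.5)
16-Sep-2019 10:00:02.400 client 198.51.100.7#53 (d.example.gov): query: d.example.gov IN DNSKEY +E(0)DK (203.0.113.5)
16-Sep-2019 10:00:02.500 client 198.51.100.7#53 (e.example.gov): query: e.example.gov IN DNSKEY +E(0)DK (203.0.113.5)
16-Sep-2019 10:00:20.000 client 198.51.100.7#53 (f.example.gov): query: f.example.gov IN DNSKEY +E(0)DK (203.0.113.5)
"""

LOG_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) client (?P<src>[\d.]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def _seconds(ts: str) -> float:
    """Convert HH:MM:SS.mmm into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def evaluate(log_text: str, max_per_window: int = 5, window_s: float = 10.0):
    """Apply two policies to each logged query; return (src, qname, qtype, action).

    drop:any  -> the "ANY" query type is refused outright.
    drop:rate -> the source sent more than max_per_window queries within
                 window_s seconds, counted across all names, so spreading
                 requests over many different domains does not reset the budget.
    """
    recent = defaultdict(deque)   # src -> timestamps of its queries inside the window
    decisions = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        t = _seconds(m["ts"])
        src, qname, qtype = m["src"], m["qname"], m["qtype"]
        q = recent[src]
        while q and t - q[0] > window_s:
            q.popleft()           # slide the window forward
        q.append(t)               # every query, even a refused one, consumes budget
        if qtype == "ANY":
            action = "drop:any"
        elif len(q) > max_per_window:
            action = "drop:rate"
        else:
            action = "allow"
        decisions.append((src, qname, qtype, action))
    return decisions


def summarize(decisions) -> Counter:
    """Count actions so the policy's effect on a log can be checked at a glance."""
    return Counter(action for *_, action in decisions)


if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG)
    for src, qname, qtype, action in results:
        print(f"{src:15s} {qtype:7s} {qname:18s} {action}")
    print(summarize(results))
```

On the sample, the ANY query is refused, the sixth and seventh queries from 198.51.100.7 inside the 10-second window are rate-limited even though each names a different domain, and the query arriving 18 seconds later is allowed again. In a reflection attack the logged source is the spoofed victim, so a per-source limit caps what the reflector sends toward that victim, which is the same idea as the response rate limiting built into BIND; the thresholds here are illustrative and would be tuned to a real server's legitimate query rates.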
