1,000 percent increase in DNS amplification attacks since 2018

Posted By



September 17, 2019

The second quarter of 2019 saw a major swelling of DNS amplification attacks reaching a whopping 1,000 percent spike.
The report titled “Nexusguard’s Q2 2019 Threat Report” points out that increasing adoption of Domain Name System Security Extensions (DNSSEC) highlights the massive surge in DNS amplification attacks. The report also highlighted how several government domains and even, became victims of DNS abuses.

To delve deeper into this, CISO MAG had an exclusive interview with Tony Miu, research manager at Nexusguard. Tony comes in with more than 12 years of experience in cybersecurity, including nine years’ experience in network security and DDoS mitigation technology. As a battle-hardened veteran in the DDoS battlefield, he has garnered invaluable experiences and secrets of the trade, making him a distinguished thought leader in DDoS mitigation technologies. At Nexusguard, Tony leads the “Red Team” to find and fix vulnerabilities of the defense system from the attacker’s perspective and contributes to system and feature upgrades. As a dedicated researcher, he keeps an eye on the DDoS landscape focused on the researching of attack methods, patterns and defense techniques.

The revelation highlighted an alarming trend. Within a year there has been a massive surge. Did the report come as a shock to you that DNS amplification attacks are up by 1,000%?

Since Q1 2018, we have observed the tendency of attackers to use new, more advanced and stealthy methods to generate amplification attacks on their victims. In doing so, they have been constantly on the lookout for new methods that allow them to boost attack firepower at the highest amplification efficiency possible by taking advantage of, or exploiting vulnerable, ill-designed, badly configured or unsecured network devices or resources. As a result of this trend, amplification attacks skyrocketed 660.92% year on year in Q1 2019. Indeed, their pursuit of more cost-effective, stealthy and potent attack methods never ends. Now taking advantage of the additional response packet size generated by DNSSEC-enabled servers to reflect amplified attack is their latest favorite, which has proved to be successful as the DNSSEC implementation finally takes off.

DNSSEC has been around since 2010 but were not widely deployed in the first few years. Back to as early as 2013, we were aware of the potential of DNSSEC-enabled DNS servers being abused to launch DDoS attacks, in particular, reflection/amplification attacks, owing to the fact that DNS responses for a DNSSEC-signed domain are much larger than those for an unsigned domain. Due to the addition of a few new record types to DNS servers implemented with DNSSEC, the extra response size is large enough to contribute to attack traffic. So, this comes as no surprise to us at all that DNSSEC-aided DDoS attacks are now on the rise. It is just a matter of time for the wider industry to acknowledge it.

Over the years DNSSEC has been gaining acceptance as the patch, it is now causing a new set of problems for organizations. How is the cybersecurity industry responding to this?

DNSSEC provides a solution to DNS cache poisoning, which could spell big trouble for website owners by making their domains completely inaccessible and/or redirecting innocent visitors to malicious phishing sites. Therefore, it is understandable and necessary for ICANN and regulatory bodies to call for full deployment of DNSSEC across all unsecured domain names.

According to our Q2 findings, multiple government websites and fell victim to rampant abuses. We then found out that many of these domains had actually deployed DNSSEC to the top-level .gov domain as required by the US government’s OMB mandate. So it leads us to believe that their DNSSEC implementation was one of the major causes of the sharp rise in DNS amplification attacks in the quarter. Now that with less than 20 percent of the world’s DNS registrars having deployed it, according to the Regional Internet address Registry for the Asia-Pacific region (APNIC), the continued implementation of DNSSEC will cause DNS amplification attack activities to continue to grow exponentially.

The abuse of DNSSEC-enabled servers once again demonstrates attackers’ pursuit of more stealthy, resource-effective tactics. Against this background, service providers and enterprises MUST prepare their networks for the continued rise of DNS amplification attacks. The effectiveness of DNS amplification attack mitigation hinges on whether the bandwidth capacity is large enough. However, as DNS amplification attacks continue to increase and as more DNS servers are likely to be abused to amplify malicious traffic, the asymmetry between attackers and defenders will only widen as time goes by.

One traditional mitigation method used by the industry is to drop abnormal DNS requests originating from the most frequently abused domains, such as 1×,, etc. In doing so, the number of requests to the same domains or source IPs also has to be limited. Another commonly used method is to block all “ANY” queries outright. But given the growing DNS security risk, which even exposes government networks to abuses, the old way of protecting the DNS used by the industry is no longer sufficient. Attackers can evade these simple protections by sending small requests to a large number of different domains. The industry must, therefore, ensure that advanced protection is in place to safeguard their DNS servers.

There has been a lot of talks about the need for DNSSEC. The abuse of DNS was not something that was anticipated. Is the cybersecurity industry even aware of such a problem?

Over the past few years, a dozen other security vendors/researchers have also published reports/papers to shed light on the potential DDoS problem caused by the increased response size due to the longer records generated by DNSSEC-enabled servers. But the sharp rise in DNS amplification attacks in Q2 2019 and their causal relation with the implementation of DNSSEC by a number of government domains is largely unnoticed at the time of our report.

For perpetrators, the cost of launching DNS amplification attacks is and will remain low as long as they keep using the simple “ANY” query. Whereas in the past they needed to identify domains with DNS records that are long enough so that they could leverage the amplification power to boost firepower. Now as the implementation of DNSSEC is gaining momentum, more domains are equipped with an unintended capability that can be exploited to amplify malicious traffic by 36-72 times, making them an ideal launchpad to generate powerful attacks.

In the case of Memcached attacks (which we also reported in March 2018), attackers abused the publicly accessible Memcached servers (which however were supposed to be closed to the public) deployed by thousands of organizations ranging from universities and government agencies to leading ISPs, hosting providers and domain registrars. Our discovery of the piecemeal method used to carry out the “bit-and-piece” attack on ASN-level networks also suggests that attack methods have been evolving and remain so in the years to come.

How can a CISO or the head of security/technology respond to attacks like this considering the fact that a major part of DDoS attack occurs from mobile devices? How does he/she safeguard employees?

Mobile devices are not directly relevant to the rise of DNSSEC-aided amplification attacks. But the rise of mobile botnets DOES deserve the industry’s attention. Botnets have traditionally sought to compromise desktop computers, but our findings confirm the continued shift to mobile devices, creating a new breed of botnets.

According to our findings in Q2 2019, application attacks were more prevalent than network attacks. After tracing the source IPs of some of the application attacks, we found that most source IPs originate from mobile gateways. In other words, mobile devices were responsible for most of the application attacks captured in the past three months.

By OS, about 4.3 percent of the application attacks originated from Android devices, while about 20 percent came from IOS devices. Other platforms such as BlackBerry contributed to an insignificant share. Of course, we are not talking about how insecure mobile devices are, because we believe a lack of security awareness among end-users is the greatest inhibitor to defending against DDoS threats.

Smartphones and connected devices have already become an inevitable part of our fast-paced lives, but they also come with security vulnerabilities. From our observation, IoT botnets have been advanced to mount more complex, destructive DDoS attacks since December 2018. The upcoming 5G will further increase their firepower. As we move forward in the 5G era, make sure your system is thoroughly protected from DDoS threats so that mission-critical services are always available. Employees, as with all smartphone users, are advised to keep their OS up-to-date at all times, set secure passcodes, vet apps before installing them, etc.

For DNS owners, in particular, protecting their servers from being abused to reflect attack traffic is an integral part of their DDoS mitigation strategy. Because attack sources can easily be traced back to the owner’s hosting DNS server, the organization’s reputation is severely undermined if it is found that it is behind DDoS attacks unknowingly or due to negligence. As said, DDoS attack methods will always evolve, the DNS as an organization’s critical network service requires dynamic protection that adapts to actual requirements and evolving threats. Log reviews, security checks, auditing, as well as security posture, infrastructure and governance reviews, for example, must also be included as part of one’s security measures.