Misconfigured security measure leads DDoS amplification attacks to soar at end of 2017

March 13, 2018

DDoS attacks using Domain Name System (DNS) amplification increased by more than 357 percent in the fourth quarter of 2017, year over year.

A new report by DDoS protection specialist Nexusguard attributes the rise to the spread of Domain Name System Security Extensions (DNSSEC), a technology intended to add origin authentication and integrity checking to the DNS protocol.

DNSSEC-signed responses carry signatures and keys, so they are many times larger than the queries that trigger them. A DNSSEC-enabled name server that is not correctly configured, one that answers queries from any source without rate limiting, can therefore be deliberately targeted as a reflector: the attacker sends small queries with the victim's spoofed source address, and the server delivers the large signed answers to the victim.

While the overall number of DDoS attacks fell 12 percent compared with the same period last year, a new class of powerful botnets is set to exploit wider DNSSEC adoption. Nexusguard advises teams to evaluate how their DNSSEC-enabled servers respond to such queries and to close this weakness before it is used against them.
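The evaluation the report calls for comes down to one measurement: how many bytes a server sends back for each byte it receives when the query asks for DNSSEC data. The script below is an added example written for this article, not Nexusguard's own tooling. It builds a minimal EDNS0 query with the DNSSEC OK (DO) bit set, parses the reply far enough to count RRSIG and DNSKEY records, and reports the amplification factor. The response it analyses when run as-is is constructed inline (zero-filled signature and key bytes of RSA-2048 length, not a real signed zone) so that it runs offline; the `probe()` function sends the same query over UDP to a server you name, and the 10x threshold is an assumed value, not a figure from the report.

```python
"""Measure how much a DNSSEC-enabled name server amplifies a small query.

Added example, not part of the original article or of any Nexusguard tool.
The sample response is constructed data; probe() is the only network call
and should be pointed only at servers you are authorised to test.
"""
import socket
import struct

RR_A, RR_OPT, RR_RRSIG, RR_DNSKEY, RR_ANY = 1, 41, 46, 48, 255
EDNS_DO = 0x8000      # DNSSEC OK flag, carried in the OPT record's TTL field (RFC 3225)
FLAG_TC = 0x0200      # truncation bit in the DNS header; a TC=1 reply forces a TCP retry
SUSPICIOUS_FACTOR = 10.0   # assumed threshold: replies over 10x the query size are attractive reflectors


def encode_name(name: str) -> bytes:
    """Wire-format a domain name without compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = RR_ANY, udp_size: int = 4096,
                dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Recursion-desired query plus an EDNS0 OPT record, the shape an attacker reflects."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # class IN
    ttl_field = EDNS_DO if dnssec_ok else 0                         # ext RCODE=0, version=0, flags
    opt = b"\x00" + struct.pack("!HHIH", RR_OPT, udp_size, ttl_field, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def summarize_response(msg: bytes) -> dict:
    """Parse the header, skip the question, and tally record types across all sections."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    counts = {}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        counts[rtype] = counts.get(rtype, 0) + 1
    return {"size": len(msg), "truncated": bool(flags & FLAG_TC),
            "rrsig": counts.get(RR_RRSIG, 0), "dnskey": counts.get(RR_DNSKEY, 0),
            "records": counts}


def amplification_factor(query: bytes, response: bytes) -> float:
    return round(len(response) / len(query), 2)


def assess(query: bytes, response: bytes) -> dict:
    """Amplification factor plus a flag: large, untruncated answers make a usable reflector."""
    info = summarize_response(response)
    info["factor"] = amplification_factor(query, response)
    info["reflector_risk"] = info["factor"] >= SUSPICIOUS_FACTOR and not info["truncated"]
    return info


def probe(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send the query over UDP to a real server (only one you are authorised to test)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(65535)
    return assess(query, response)


def build_sample_response(query: bytes) -> bytes:
    """Constructed DNSSEC reply to the query: A + RRSIG, DNSKEY + RRSIG, and an OPT record.

    Signature and key bytes are zero padding of RSA-2048 length; this is sample data.
    """
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:_skip_name(query, 12) + 4]
    pointer = b"\xc0\x0c"                               # compressed reference to the question name

    def rr(rtype: int, rdata: bytes) -> bytes:
        return pointer + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

    def rrsig_rdata(covered: int) -> bytes:             # type, alg 8, labels, orig TTL, exp, inc, key tag
        fixed = struct.pack("!HBBIIIH", covered, 8, 2, 3600, 0x5AB00000, 0x5AA00000, 12345)
        return fixed + encode_name("example.com") + b"\x00" * 256

    dnskey_rdata = struct.pack("!HBB", 257, 3, 8) + b"\x00" * 260   # KSK flags, proto 3, alg 8
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 4, 0, 1)       # QR, RD, RA; 4 answers, 1 OPT
    opt = b"\x00" + struct.pack("!HHIH", RR_OPT, 4096, EDNS_DO, 0)
    return (header + question
            + rr(RR_A, bytes([93, 184, 216, 34])) + rr(RR_RRSIG, rrsig_rdata(RR_A))
            + rr(RR_DNSKEY, dnskey_rdata) + rr(RR_RRSIG, rrsig_rdata(RR_DNSKEY))
            + opt)


if __name__ == "__main__":
    q = build_query("example.com")
    print(assess(q, build_sample_response(q)))
```

On the constructed sample the 40-byte query draws a 930-byte answer, a factor of just over 23, which is why DNSSEC zones are sought out as reflectors. Two caveats when reading a real probe: a large signed answer is not by itself a misconfiguration, since that is what DNSSEC produces; the flaw is serving it to arbitrary spoofed sources at an unlimited rate, so the fixes are response rate limiting and not acting as an open resolver. And a server that sets the TC bit on oversized UDP answers is pushing clients to TCP, which cannot be spoofed, so the script treats truncated replies as lower risk.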

"Enterprises have worked hard to patch against snooping, hijacking and other DNS abuses; however, improperly configured DNSSEC-enabled name servers may be a new plague for unprepared teams," says Juniman Kasman, chief technology officer for Nexusguard. "Admins and IT teams need to check security for the entire network, as well as correctly configure DNSSEC on the domain to properly harden servers against these new attacks."

The report also finds that attackers continue to favor multi-vector attacks, blending Network Time Protocol (NTP) amplification, User Datagram Protocol (UDP) floods, DNS and other popular attack vectors. This tactic was seen in more than half of all botnets over the past year.

China and the US continue as the top two sources of DDoS attacks in Q4, contributing 21.8 percent and 14.3 percent of the botnets, respectively. South Korea climbed to third place, contributing nearly six percent of the global attacks, up from sixth place last quarter.