Researchers said a new defense system is fueling a wave of DNS amplification attacks

September 17, 2019

Researchers from cybersecurity firm Nexusguard said they saw a 1000% increase in DNS amplification attacks in the last three months.

In their "Q2 2019 Threat Report", Nexusguard analysts Tony Miu, Ricky Yeung and Dominic Li attributed the huge spike in attacks to the widespread adoption of Domain Name System Security Extensions (DNSSEC).

The US Office of Management and Budget recently released a mandate requiring government domains to deploy DNSSEC as a protection against forged or manipulated DNS data.

"Although the adoption of DNSSEC is gaining wider acceptance as the patch for fixing DNS cache poisoning, it is now causing a new set of problems for organizations and service providers," said Juniman Kasman, chief technology officer for Nexusguard.
"Due to the long responses they generate, attackers often abuse DNSSEC to launch amplification attacks that clog victim networks and hosts, which will remain a significant threat in the future," Kasman said.

Nexusguard evaluates thousands of attacks worldwide each year, and DNS amplification attacks represented more than 65% of attacks during the last quarter.

Multiple US government domains and even PayPal were attacked in the last three months. The honeypot network, which is designed to bait cybercriminals into a hacking attempt, captured 144,465,553 malicious DNS queries.

DNS amplification attacks are difficult to deal with because all users rely on DNS services to access the internet. Dropping all DNS-associated attack traffic would disrupt workflow and keep paying customers from accessing the internet.

Blocking all incoming DNS response traffic would deny legitimate attempts as well and keep people off the internet.
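One way to separate reflected responses from legitimate ones without blocking DNS wholesale is to pass only responses that answer a query the network actually sent. The sketch below is an added example, not code from the Nexusguard report; the `Packet` record, the `10.0.0.0/24` protected range, the 5-second window and the sample packets are all constructed assumptions.

```python
import ipaddress
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst sport dport payload")
LOCAL = ipaddress.ip_network("10.0.0.0/24")  # assumed protected network

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL

def dns_header(payload):
    """Return (txid, is_response) from the 12-byte DNS header, or None if truncated."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means response

def classify(packets, ttl=5.0):
    """Label each inbound DNS response as 'solicited' or 'unsolicited'."""
    pending = {}  # (resolver, client, client_port, txid) -> time the query left
    verdicts = []
    for p in packets:
        hdr = dns_header(p.payload)
        if hdr is None:
            continue
        txid, is_resp = hdr
        if not is_resp and is_local(p.src) and p.dport == 53:
            pending[(p.dst, p.src, p.sport, txid)] = p.ts
        elif is_resp and is_local(p.dst) and p.sport == 53:
            # A response passes once, and only if a matching query is outstanding.
            sent = pending.pop((p.src, p.dst, p.dport, txid), None)
            ok = sent is not None and p.ts - sent <= ttl
            verdicts.append((p.src, len(p.payload), "solicited" if ok else "unsolicited"))
    return verdicts

def bytes_by_verdict(verdicts):
    totals = {"solicited": 0, "unsolicited": 0}
    for _, size, label in verdicts:
        totals[label] += size
    return totals

def msg(txid, response, size):
    """Constructed DNS message: valid header, zero padding up to `size` bytes."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0).ljust(size, b"\0")

SAMPLE = [  # constructed traffic, documentation address ranges
    Packet(0.00, "10.0.0.5", "192.0.2.53", 40000, 53, msg(0x1A2B, False, 40)),
    Packet(0.03, "192.0.2.53", "10.0.0.5", 53, 40000, msg(0x1A2B, True, 1400)),
    Packet(0.10, "198.51.100.7", "10.0.0.5", 53, 31337, msg(0x9999, True, 3000)),
    Packet(0.11, "192.0.2.53", "10.0.0.5", 53, 40000, msg(0x1A2B, True, 1400)),
]
```

A filter like this protects hosts only if it sits upstream of the link being flooded; responses dropped at the victim have already consumed the bandwidth.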

"Nexusguard researchers warn that service providers must ensure their attack mitigation technology is advanced enough to ensure server availability to legitimate end users, to ensure their access doesn't become collateral damage," the report said.

The security company uses data from botnet scanning, honeypots, CSPs and traffic moving between attackers and their targets to help enterprises locate vulnerabilities and stay educated about global cybersecurity trends.

Nexusguard's report also found that "bit and piece" attacks—which are designed to target ASN networks—were on the rise across Europe, North America and Africa.

Nearly 50% of all the attacks surveyed came from Windows devices while iOS-powered mobile devices accounted for about 20%.

The average attack this quarter lasted more than three hours and the longest one lasted 28 days.

More than 35% of all the attacks originated from either the US or China, with Vietnam and Russia coming in third and fourth.

The report actually praised the widespread adoption of DNSSEC, calling it "long overdue." But hackers are resourceful and have adapted quickly by using the system's strengths against it.

"DNSSEC fixes one problem, but creates another," the report concluded.

"When a domain is upgraded to support DNSSEC, it returns traditional records as well as DNS records. As a result, the sizes of DNSSEC-enabled DNS responses significantly exceed those of traditional responses. Such responses are often abused by attackers to launch amplification attacks that clog victim networks and hosts," according to the report.

Unfortunately, the report's authors said they expected these kinds of attacks to grow in number because more enterprises were adopting DNSSEC as a mode of protection.

Companies and governments without more advanced kinds of systems were leaving themselves vulnerable to sophisticated attacks.

"We believe that telcos and DNS providers are inevitably affected the most as they are both vital to public internet access," according to the report. "If history is any guide, the tactics to abuse DNS server vulnerabilities will continue to evolve, suggesting that advanced DNS protection ought to be always in place."