Neustar Research: DNSSEC Reflection Severe DDoS Risk
Neustar , Inc. (NYSE: NSR), a trusted, neutral provider of real-time information services, today published “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us a research report that details how Domain Name System Security Extensions (DNSSEC) can be subverted as an amplifier in Distributed-Denial-of-Service (DDoS) attacks. Neustar determined that on average, DNSSEC reflection can transform an 80-byte query into a 2,313-byte response, an amplification factor of nearly 30 times, which can easily cause a network service outage during a DDoS attack, resulting in lost revenue and data breaches.
“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” said Joe Loveless, Director Product Marketing, Security Services, Neustar. “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”
DNSSEC was designed to provide integrity and authentication to DNS, which it accomplishes with complex digital signatures and key exchanges. As a result, when a DNS record is transferred to DNSSEC, an extraordinary amount of additional information is created. Additionally, when issuing the DNS command, “ANY,” the amplified response from DNSSEC is exponentially larger than a normal DNS reply.
Key findings and recommendations from “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” include:
- DNSSEC Vulnerabilities Are Prolific – Neustar examined one industry with 1,349 domains and determined 1,084 of them (80 percent) could be maliciously repurposed as a DDoS attack amplifier (they were signed with DNSSEC and responded to the “ANY” command).
- The Average DNSSEC Amplification Factor is 28.9 – Neustar tested DNSSEC vulnerabilities with an 80-byte query, which returned an average response of 2,313-bytes. The largest amplification response was 17,377-bytes, 217 times greater than the 80-byte query.
- The Anatomy of a DNSSEC Reflection Attack – Neustar illustrates the command and control servers required to run the botnets and scripts that target DNS name servers to execute DNSSEC amplification attacks.
- Best Practices for Mitigation –For organizations that rely on DNSSEC, Neustar recommends ensuring that your DNS provider does not respond to “ANY” queries or has a mechanism in place to identify and prevent misuse.
“Neustar is focused on using connected sciences to connect people, places and things, which is why network security is so imperative,” said Loveless. “As more organizations adopt DNSSEC, it is critically important to understand how to secure it. The time to fix it is now.”
For more information about “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” please visit https://hello.neustar.biz/201608---Security-Services---Trade-Show---Black-Hat_DNSSEC-LP.html .
Every day, the world generates roughly 2.5 quadrillion bits of data. Neustar (NYSE: NSR) isolates certain elements and analyzes, simplifies and edits them to make precise and valuable decisions that drive results. As one of the few companies capable of knowing with certainty who is on the other end of every interaction, we’re trusted by the world’s great brands to make critical decisions some 20 billion times a day. We help marketers send timely and relevant messages to the right people. Because we can authoritatively tell a client exactly who is calling or connecting with them, we make critical real-time responses possible. And the same comprehensive information that enables our clients to direct and manage orders also stops attackers. We know when someone isn’t who they claim to be, which helps stop fraud and denial of service before they’re a problem. Because we’re also an experienced manager of some of the world’s most complex databases, we help clients control their online identity, registering and protecting their domain name, and routing traffic to the correct network address. By linking the most essential information with the people who depend on it, we provide more than 12,000 clients worldwide with decisions—not just data. More information is available at http://www.neustar.biz
Information om Business Wire
101 California Street, 20th Floor
CA 94111 San Francisco
Følg pressemeddelelser fra Business Wire
Skriv dig op her og modtag pressemeddelelser på mail. Indtast din mail, klik på abonner og følg instruktionerne i den udsendte mail.
Flere pressemeddelelser fra Business Wire
PIERRE-FABRE23.6.2018 13:02 | pressemeddelelse
Pierre Fabre & Array BioPharma Announce a 62% Observed OS at One Year from the Phase 3 BEACON CRC Safety Lead-In of the Combination of Encorafenib, Binimetinib and Cetuximab in BRAF-Mutant CRC at the ESMO GI Congress
SERVIER23.6.2018 10:12 | pressemeddelelse
Compelling Data for LONSURF® (trifluridine/tipiracil) in Metastatic Colorectal Cancer Presented at ESMO’s World Congress on Gastrointestinal Cancer by Servier and Taiho
SOFTOMOTIVE22.6.2018 17:15 | pressemeddelelse
Softomotive and Accelerate RPA Partner to Help Enterprises Achieve Faster Time to Value from RPA
TX-ASCEND-PERFORMANCE22.6.2018 16:02 | pressemeddelelse
Ascend Performance Materials Announces Price Increase for Intermediate Materials
DELTICOM-AG/MOTO-TYRES.C22.6.2018 15:43 | pressemeddelelse
Different Countries, Different Customs: Get Ready for the Motorbike Holidays with Moto-tyres.co.uk
BOEHRINGER-INGELHEIM22.6.2018 14:02 | pressemeddelelse
Boehringer Ingelheim bolsters biologics research and development with 230 million euro investment in new development center
I vores nyhedsrum kan du læse alle vores pressemeddelelser, tilgå materiale i form af billeder og dokumenter, og finde vores kontaktoplysninger.Besøg vores nyhedsrum