Is DNSSEC causing more problems than it solves?

New paper points to security protocol as vector for DDoS attacks

14 Reg comments Got Tips?

The complex security protocol for the domain name system – DNSSEC – has another black mark against it: it is being used as a way to carry out distributed denial-of-service (DDoS) attacks.

That's according to a security bulletin [PDF] by Akamai that notes it has "observed and successfully mitigated a large number of DNS reflection and amplification DDoS attacks abusing a Domain Name System Security Extension (DNSSEC) configured domain."

Simply put, DNSSEC uses larger-than-normal DNS responses as a way of adding extra security: it is used to verify that the data sent came from a specific source and was not tampered with on the way.

However, that extra size is also ideal for those wishing to carry out distributed denial of service (DDoS) attacks. In the past three months, Akamai says it has seen no less than 400 such attacks using a DNSSEC-signed domain.

Specifically, an attacker sends a corrupted network packet to a certain server that then reflects it back to the victim. Using flaws in DNSSEC, it is possible to use that extra-large response as a way to amplify the number of packets sent – anywhere up to 100 times (though typically far less). That makes it an extremely effective tool in efforts to take servers offline.

The bulletin notes that attackers are sometimes registering their own domains solely to use them in amplification attacks – one example it gives is '' – and it screenshots a tweet from infosec bod Frank Denis highlighting that '' was being used to do the same. Other examples are easily found.

The result of this can be significant: Akamai shares the details of one attack it mitigated against a financial institution in which it saw 45.17 Gigabits per second fired at the company, equating to 5.2 million packets. The biggest target however is the online gaming market.


The introduction and use of DNSSEC has been controversial for over a decade due to its cost and complexity and, most recently, the argument that it could be used by governments to monitor communications.

However, its usage and adoption is steadily growing and in 2014, DNS overseer ICANN determined that all new generic top-level domains would have to use DNSSEC, which means the majority of top-level domains will shortly be using the protocol.

Of course, the protocol has its defenders. Technology manager at the Internet Society and former CTO of RIPE, Andrei Robachevsky, has written a blog post in response to Akamai's bulletin in which he argues that there is "a trade-off between the increased security provided by DNSSEC and increased size of DNS responses that can be leveraged by the attackers."

DNSSEC is being used for the attacks but the "real culprits" are poorly configured systems across the internet that allow for spoofed IP addresses, and "remote applications that will respond to requests coming from compromised hosts."

In other words, it is the age-old struggle to get everyone on a massively distributed network to do a decent job of ensuring their systems are not abused. While DNSSEC works fine for the well-managed parts of the DNS to ensure security, it also makes the poorly managed parts more of a liability.

The solution? Most DNS experts will argue it is not to go backwards in terms of security, but to develop more tools and push for greater education of the risks and the ways to resolve them. ®


Keep Reading

There are DDoS attacks, then there's this 809 million packet-per-second tsunami Akamai says it just caught

Bank on the receiving end of massive 418Gbps traffic barrage

Stuffing nonsense: Persistent cyberpunks are pummelling banks' public APIs, warns Akamai

Security biz clocked 55 million malicious login attempts on a client

Watch your MANRS: Akamai, Amazon, Netflix, Microsoft, Google, and pals join internet routing security effort

Filtering, anti-spoofing, coordination, validation to prevent crooks, spies hijacking victims' connections

DIY with Akamai: What to do when no one sells the servers you need? You build your own

Akamai Edge World If it looks like a hyperscaler, swims like a hyperscaler...

Akamai CEO: Playing games from the cloud? Seems too expensive to be viable right now

Akamai Edge World 'It is something we are interested in … but the economic model hasn’t worked out yet'

Akamai on dragging 'em kicking and streaming to the edge: They might be public cloud giants, but we're, er, vids in

Akamai Edge World CEO Tom Leighton pitches CDNs for enterprise

Dear hackers: If you try to pwn a website for phishing, make sure it's not the personal domain of a senior Akamai security researcher

Exclusive Crooks fail to hijack infosec bloke's site to dress it up as a legit Euro bank login page

Crime doesn't pay? Crime doesn't do secure coding, either: Akamai bug-hunters find hijack hole in bank phishing kit

Exclusive Absolutely criminal behavior – unrestricted file upload, really?

Biting the hand that feeds IT © 1998–2020