Cybersecurity best practices and DDoS defence strategies
According to Nexusguard Research, DNS amplification attacks (8,382 counts) contributed to the largest share of attack activities in Q2 2019, accounting for 65.95%. During the period, Nexusguard's honeypot network captured 144,465,553 malicious DNS queries.
Based on the observed attack patterns, the amplification factor of these incidents ranged between 36X and 72X. Compared with the maximum amplification power of memcached attacks, the destructive power of these attacks is considerably smaller. Nevertheless, the size is more than enough to inflict DDoS effects on victimized networks.
The observation that multiple government domains (as well as paypal.com) fell victim to rampant abuse is surprising at first sight. Closer scrutiny, however, shows that many of these domains had deployed DNSSEC under the top-level .gov domain as required by the U.S. government's OMB mandate. There is a strong causal relation between DNSSEC deployment and increased DNS amplification: DNSSEC-enabled servers return large signed responses, which makes them attractive reflectors for amplification attacks.
DNSSEC (Domain Name System Security Extensions) was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. However, as the table below shows by comparing the amplification factors of the 10 most frequently abused domains before and after DNSSEC adoption, a domain's DNS server amplification power surged roughly tenfold after DNSSEC; for aids.gov, for example, it rose from 4.53X to 45.28X.
Domain | Amp Factor (no DNSSEC) | Amp Factor (with DNSSEC)
1x1.cz | 8.192771084 | 72.55421687
edu.za | 3.361445783 | 47.96385542
aids.gov | 4.530120482 | 45.27710843
isc.org | 3.915662651 | 58.89156627
eftps.gov | 4.253012048 | 44.37349398
mz.gov.pl | 2.289156627 | 48.31325301
paypal.com | 3.963855422 | 42.24096386
leth.cc | 4.963855422 | 53.5060241
dfafacts.gov | 2.530120482 | 36.6746988
nel.gov | 2.686746988 | 41.71084337
Top 10 domains abused to generate DNS amplification attacks (amplification factor = response bytes / request bytes)
Clearly, DNSSEC is a very cost-effective resource for attackers seeking to reflect amplification attacks. While intended to be a patch to DNS poisoning, DNSSEC has had the unintended consequence of creating yet another DDoS vulnerability.
The rampant abuses of this DNSSEC vulnerability demonstrate DDoS attackers’ pursuit of more stealthy, resource-effective tactics. Against this background, service providers and enterprises must better prepare their networks for the continued rise of DNS amplification attacks.
The effectiveness of DNS amplification attack mitigation hinges on whether the defender's bandwidth capacity is large enough to absorb the amplified traffic. However, as DNS amplification attacks continue to increase and as more DNS servers become available to be abused as reflectors, the asymmetry between attackers and defenders will only widen as time goes by.
For perpetrators, the cost of launching DNS amplification attacks is and will remain low as long as the simple "ANY" query keeps working. In the past they first had to identify domains whose DNS records were large enough to provide worthwhile amplification. Now that DNSSEC adoption is gaining momentum, more domains carry an unintended capability that can be exploited to amplify malicious traffic by 36 to 72 times, making them an ideal launchpad for powerful attacks.
One traditional mitigation method is to drop abnormal DNS requests directed at the most frequently abused domains, such as 1x1.cz, cpsc.gov, etc. In doing so, the number of requests to the same domains or from the same source IPs also has to be limited. Another commonly used method is to block all "ANY" queries outright.
But given the growing DNS security risk, which exposes even government networks to rampant abuse, the old way of protecting the DNS is no longer sufficient. Attackers can evade these simple, per-domain protections by sending small requests to a large number of different domains. Organizations worldwide need advanced protection to safeguard their DNS servers.
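To make the two mitigations above concrete, here is a small added example (not Nexusguard's code or product logic) of response-rate-limiting style detection run over DNS server log records. It flags "ANY" queries outright, and it counts amplified responses per source address across all queried domains rather than per domain, so the evasion described above (small requests spread over many different domains) still trips the threshold. The log format, the client and victim addresses, the request size of 83 bytes and the thresholds are all constructed for this example; the response sizes are chosen so the ratios match the "with DNSSEC" column of the table.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class DnsRecord:
    ts: float        # time of the query in seconds
    src_ip: str      # source address of the query (the spoofed victim in a reflection attack)
    qname: str
    qtype: str
    req_bytes: int   # size of the query on the wire
    resp_bytes: int  # size of the response the server sent back


def parse_log_line(line: str) -> DnsRecord:
    """Parse one whitespace-separated record: ts src qname qtype req_bytes resp_bytes.
    This is a constructed log format for the example, not a real resolver's syntax."""
    ts, src, qname, qtype, req, resp = line.split()
    return DnsRecord(float(ts), src, qname.lower(), qtype.upper(), int(req), int(resp))


def amplification_factor(rec: DnsRecord) -> float:
    """Bytes of response produced per byte of request."""
    return rec.resp_bytes / rec.req_bytes


def analyse(lines, window_s=1.0, amp_threshold=36.0, max_amplified_per_src=3):
    """Apply the two mitigations from the text and return a summary dict:

    - any_queries: records with qtype ANY (candidates to drop outright)
    - flagged_sources: source IPs that received more than max_amplified_per_src
      responses with amplification >= amp_threshold inside window_s seconds,
      counted across every domain they queried
    - per_domain_amp: highest amplification factor observed per qname
    """
    windows = defaultdict(deque)   # src_ip -> timestamps of recent amplified responses
    flagged = set()
    any_queries = []
    per_domain_amp = {}

    for rec in sorted((parse_log_line(line) for line in lines), key=lambda r: r.ts):
        amp = amplification_factor(rec)
        per_domain_amp[rec.qname] = max(amp, per_domain_amp.get(rec.qname, 0.0))

        if rec.qtype == "ANY":
            any_queries.append(rec)

        if amp >= amp_threshold:
            recent = windows[rec.src_ip]
            recent.append(rec.ts)
            while recent and rec.ts - recent[0] > window_s:   # slide the window forward
                recent.popleft()
            if len(recent) > max_amplified_per_src:
                flagged.add(rec.src_ip)

    return {
        "any_queries": any_queries,
        "flagged_sources": flagged,
        "per_domain_amp": per_domain_amp,
    }


# Constructed sample log: 198.51.100.7 plays the spoofed victim being hit via four
# different DNSSEC-signed domains, 192.0.2.x are ordinary clients.
SAMPLE_LOG = """\
0.00 198.51.100.7 1x1.cz ANY 83 6022
0.10 198.51.100.7 edu.za ANY 83 3981
0.20 198.51.100.7 isc.org ANY 83 4888
0.30 198.51.100.7 paypal.com ANY 83 3506
0.40 192.0.2.10 example.com A 45 61
0.50 192.0.2.11 isc.org ANY 83 4888
""".splitlines()


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for name, amp in sorted(result["per_domain_amp"].items()):
        print(f"{name:12s} max amplification {amp:6.2f}X")
    print("ANY queries seen:", len(result["any_queries"]))
    print("sources exceeding amplified-response rate:", sorted(result["flagged_sources"]))
```

The per-domain list only reports the amplification each domain exposes; the rate-limit decision keys on the source address, because in a reflection attack the source is the victim and spreading the same flood across many domains does not change it. Production response rate limiting (for example the rate-limit feature in BIND) works on the same principle with finer per-response-type buckets.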
© 2023 Nexusguard - All Rights Reserved.