The second quarter of 2019 saw a major swelling of DNS amplification attacks reaching a whopping 1,000 percent spike. The report titled “Nexusguard’s Q2 2019 Threat Report” points out that increasing adoption of Domain Name System Security Extensions (DNSSEC) highlights the massive surge in DNS amplification attacks. The report also highlighted how several government domains and even Paypal.com, became victims of DNS abuses.
To delve deeper into this, CISO MAG had an exclusive interview with Tony Miu, research manager at Nexusguard. Tony comes in with more than 12 years of experience in cybersecurity, including nine years’ experience in network security and DDoS mitigation technology. As a battle-hardened veteran in the DDoS battlefield, he has garnered invaluable experiences and secrets of the trade, making him a distinguished thought leader in DDoS mitigation technologies. At Nexusguard, Tony leads the “Red Team” to find and fix vulnerabilities of the defense system from the attacker’s perspective and contributes to system and feature upgrades. As a dedicated researcher, he keeps an eye on the DDoS landscape focused on the researching of attack methods, patterns and defense techniques.
The revelation highlighted an alarming trend. Within a year there has been a massive surge. Did the report come as a shock to you that DNS amplification attacks are up by 1,000%?
Since Q1 2018, we have observed the tendency of attackers to use new, more advanced and stealthy methods to generate amplification attacks on their victims. In doing so, they have been constantly on the lookout for new methods that allow them to boost attack firepower at the highest amplification efficiency possible by taking advantage of, or exploiting vulnerable, ill-designed, badly configured or unsecured network devices or resources. As a result of this trend, amplification attacks skyrocketed 660.92% year on year in Q1 2019. Indeed, their pursuit of more cost-effective, stealthy and potent attack methods never ends. Now taking advantage of the additional response packet size generated by DNSSEC-enabled servers to reflect amplified attack is their latest favorite, which has proved to be successful as the DNSSEC implementation finally takes off.
DNSSEC has been around since 2010 but were not widely deployed in the first few years. Back to as early as 2013, we were aware of the potential of DNSSEC-enabled DNS servers being abused to launch DDoS attacks, in particular, reflection/amplification attacks, owing to the fact that DNS responses for a DNSSEC-signed domain are much larger than those for an unsigned domain. Due to the addition of a few new record types to DNS servers implemented with DNSSEC, the extra response size is large enough to contribute to attack traffic. So, this comes as no surprise to us at all that DNSSEC-aided DDoS attacks are now on the rise. It is just a matter of time for the wider industry to acknowledge it.
Over the years DNSSEC has been gaining acceptance as the patch, it is now causing a new set of problems for organizations. How is the cybersecurity industry responding to this?
DNSSEC provides a solution to DNS cache poisoning, which could spell big trouble for website owners by making their domains completely inaccessible and/or redirecting innocent visitors to malicious phishing sites. Therefore, it is understandable and necessary for ICANN and regulatory bodies to call for full deployment of DNSSEC across all unsecured domain names.
According to our Q2 findings, multiple government websites and paypal.com fell victim to rampant abuses. We then found out that many of these domains had actually deployed DNSSEC to the top-level .gov domain as required by the US government’s OMB mandate. So it leads us to believe that their DNSSEC implementation was one of the major causes of the sharp rise in DNS amplification attacks in the quarter. Now that with less than 20 percent of the world’s DNS registrars having deployed it, according to the Regional Internet address Registry for the Asia-Pacific region (APNIC), the continued implementation of DNSSEC will cause DNS amplification attack activities to continue to grow exponentially.
The abuse of DNSSEC-enabled servers once again demonstrates attackers’ pursuit of more stealthy, resource-effective tactics. Against this background, service providers and enterprises MUST prepare their networks for the continued rise of DNS amplification attacks. The effectiveness of DNS amplification attack mitigation hinges on whether the bandwidth capacity is large enough. However, as DNS amplification attacks continue to increase and as more DNS servers are likely to be abused to amplify malicious traffic, the asymmetry between attackers and defenders will only widen as time goes by.
One traditional mitigation method used by the industry is to drop abnormal DNS requests originating from the most frequently abused domains, such as 1×1.cz, cpsc.gov, etc. In doing so, the number of requests to the same domains or source IPs also has to be limited. Another commonly used method is to block all “ANY” queries outright. But given the growing DNS security risk, which even exposes government networks to abuses, the old way of protecting the DNS used by the industry is no longer sufficient. Attackers can evade these simple protections by sending small requests to a large number of different domains. The industry must, therefore, ensure that advanced protection is in place to safeguard their DNS servers.
To delve deeper into this, CISO MAG had an exclusive interview with Tony Miu, research manager at Nexusguard. Tony comes in with more than 12 years of experience in cybersecurity, including nine years’ experience in network security and DDoS mitigation technology. As a battle-hardened veteran in the DDoS battlefield, he has garnered invaluable experiences and secrets of the trade, making him a distinguished thought leader in DDoS mitigation technologies. At Nexusguard, Tony leads the “Red Team” to find and fix vulnerabilities of the defense system from the attacker’s perspective and contributes to system and feature upgrades. As a dedicated researcher, he keeps an eye on the DDoS landscape focused on the researching of attack methods, patterns and defense techniques.
The revelation highlighted an alarming trend. Within a year there has been a massive surge. Did the report come as a shock to you that DNS amplification attacks are up by 1,000%?
Since Q1 2018, we have observed the tendency of attackers to use new, more advanced and stealthy methods to generate amplification attacks on their victims. In doing so, they have been constantly on the lookout for new methods that allow them to boost attack firepower at the highest amplification efficiency possible by taking advantage of, or exploiting vulnerable, ill-designed, badly configured or unsecured network devices or resources. As a result of this trend, amplification attacks skyrocketed 660.92% year on year in Q1 2019. Indeed, their pursuit of more cost-effective, stealthy and potent attack methods never ends. Now taking advantage of the additional response packet size generated by DNSSEC-enabled servers to reflect amplified attack is their latest favorite, which has proved to be successful as the DNSSEC implementation finally takes off.
DNSSEC has been around since 2010 but were not widely deployed in the first few years. Back to as early as 2013, we were aware of the potential of DNSSEC-enabled DNS servers being abused to launch DDoS attacks, in particular, reflection/amplification attacks, owing to the fact that DNS responses for a DNSSEC-signed domain are much larger than those for an unsigned domain. Due to the addition of a few new record types to DNS servers implemented with DNSSEC, the extra response size is large enough to contribute to attack traffic. So, this comes as no surprise to us at all that DNSSEC-aided DDoS attacks are now on the rise. It is just a matter of time for the wider industry to acknowledge it.
Over the years DNSSEC has been gaining acceptance as the patch, it is now causing a new set of problems for organizations. How is the cybersecurity industry responding to this?
DNSSEC provides a solution to DNS cache poisoning, which could spell big trouble for website owners by making their domains completely inaccessible and/or redirecting innocent visitors to malicious phishing sites. Therefore, it is understandable and necessary for ICANN and regulatory bodies to call for full deployment of DNSSEC across all unsecured domain names.
According to our Q2 findings, multiple government websites and paypal.com fell victim to rampant abuses. We then found out that many of these domains had actually deployed DNSSEC to the top-level .gov domain as required by the US government’s OMB mandate. So it leads us to believe that their DNSSEC implementation was one of the major causes of the sharp rise in DNS amplification attacks in the quarter. Now that with less than 20 percent of the world’s DNS registrars having deployed it, according to the Regional Internet address Registry for the Asia-Pacific region (APNIC), the continued implementation of DNSSEC will cause DNS amplification attack activities to continue to grow exponentially.
The abuse of DNSSEC-enabled servers once again demonstrates attackers’ pursuit of more stealthy, resource-effective tactics. Against this background, service providers and enterprises MUST prepare their networks for the continued rise of DNS amplification attacks. The effectiveness of DNS amplification attack mitigation hinges on whether the bandwidth capacity is large enough. However, as DNS amplification attacks continue to increase and as more DNS servers are likely to be abused to amplify malicious traffic, the asymmetry between attackers and defenders will only widen as time goes by.
One traditional mitigation method used by the industry is to drop abnormal DNS requests originating from the most frequently abused domains, such as 1×1.cz, cpsc.gov, etc. In doing so, the number of requests to the same domains or source IPs also has to be limited. Another commonly used method is to block all “ANY” queries outright. But given the growing DNS security risk, which even exposes government networks to abuses, the old way of protecting the DNS used by the industry is no longer sufficient. Attackers can evade these simple protections by sending small requests to a large number of different domains. The industry must, therefore, ensure that advanced protection is in place to safeguard their DNS servers.