Domain Name System (DNS) servers on the edu.za domain are being exploited to launch massive distributed denial of service attacks (DDoS), according to a new report from Nexus Guard.
Nexus Guard’s second-quarter Threat Report for 2019 stated that DNS amplification attacks have spiked more than 1,000% compared with Q2 2018. DNS amplification attacks accounted for 65% of DDoS attacks last quarter.
It attributed this rise to the adoption of Domain Name System Security Extensions (DNSSEC) without proper precautions in place to mitigate DNS-amplified DDoS attacks.
“DNSSEC was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. The extra security DNSSEC provides relies on a resource-intensive data verification process using public keys and digital signatures,” Nexus Guard explained.
In other words, in trying to improve the security of DNS, the potency of DNS-amplified attacks have been increased, Nexus Guard said.
Of particular concern for South Africa is the fact that Nexus Guard ranks the edu.za domain as one of the most abused domains for DNS Amplification attacks, second only to 1×1.cz.
Nexus Guard reported that edu.za had 13,524,481 spoofed DNS requests last quarter, accounting for 9.36% of all DNS abuse.
A table summarising the ten most frequently abused domains from the Nexus Guard report is reproduced below. It also shows the number of DNS requests tracked by Nexus Guard (“Query Count”).
Nexus Guard’s second-quarter Threat Report for 2019 stated that DNS amplification attacks have spiked more than 1,000% compared with Q2 2018. DNS amplification attacks accounted for 65% of DDoS attacks last quarter.
It attributed this rise to the adoption of Domain Name System Security Extensions (DNSSEC) without proper precautions in place to mitigate DNS-amplified DDoS attacks.
“DNSSEC was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. The extra security DNSSEC provides relies on a resource-intensive data verification process using public keys and digital signatures,” Nexus Guard explained.
In other words, in trying to improve the security of DNS, the potency of DNS-amplified attacks have been increased, Nexus Guard said.
Of particular concern for South Africa is the fact that Nexus Guard ranks the edu.za domain as one of the most abused domains for DNS Amplification attacks, second only to 1×1.cz.
Nexus Guard reported that edu.za had 13,524,481 spoofed DNS requests last quarter, accounting for 9.36% of all DNS abuse.
A table summarising the ten most frequently abused domains from the Nexus Guard report is reproduced below. It also shows the number of DNS requests tracked by Nexus Guard (“Query Count”).
To illustrate the impact of DNSSEC on the effectiveness of DNS amplification attacks, Nexus Guard showed that DNS servers on aids.gov that were exploited had an amplification power of 4.53X before DNSSEC. With DNSSEC, attackers can now amplify their attack traffic by 45.28X.
“Clearly, DNSSEC is a very cost-effective resource for attackers seeking to reflect amplification attacks. While intended to be a patch to DNS poisoning, DNSSEC has had the unintended consequence of creating yet another DDoS vulnerability,” Nexus Guard said.
It provided the following graph to show the dramatic impact of DNSSEC on amplification power. For edu.za, the amplification power went from under 4X without DNSSEC, to nearly 50X with DNSSEC.
“Clearly, DNSSEC is a very cost-effective resource for attackers seeking to reflect amplification attacks. While intended to be a patch to DNS poisoning, DNSSEC has had the unintended consequence of creating yet another DDoS vulnerability,” Nexus Guard said.
It provided the following graph to show the dramatic impact of DNSSEC on amplification power. For edu.za, the amplification power went from under 4X without DNSSEC, to nearly 50X with DNSSEC.
Nexus Guard’s report also revealed that most DDoS attacks originate in the United States, followed by China. It also stated that most attacks last 90 minutes or less.
“The quarterly average was 182.9 minutes, while the longest attack lasted 28 days, 1 hour, and 11 minutes,” Nexus Guard said.
Attacks mainly originate from hijacked Windows and iOS devices that have been yoked together in a botnet.
Of the attacks it tracked, Nexus Guard said that 48.28% of the traffic came from Windows OS computers and servers, and 20.48% came from iOS-powered mobile devices.
“The quarterly average was 182.9 minutes, while the longest attack lasted 28 days, 1 hour, and 11 minutes,” Nexus Guard said.
Attacks mainly originate from hijacked Windows and iOS devices that have been yoked together in a botnet.
Of the attacks it tracked, Nexus Guard said that 48.28% of the traffic came from Windows OS computers and servers, and 20.48% came from iOS-powered mobile devices.