What do you mean I shouldn't use that phone book? Seriously, most people don't even know there is any lookup involved and happily accept whatever they get. Yes, we do need more education.
The complex security protocol for the domain name system – DNSSEC – has another black mark against it: it is being used as a way to carry out distributed denial-of-service (DDoS) attacks. That's according to a security bulletin [PDF] by Akamai that notes it has "observed and successfully mitigated a large number of DNS …
"DNSSEC uses larger-than-normal DNS responses as a way of adding extra security"
The author may not understand logic (affirming the consequent). DNSSEC responses are signed, and a signed response is larger than an unsigned response. The signature is what adds the security, not the fact that the responses are bigger.
Kieren McCarthy is so behind on the technology. For many years, Daniel J. Bernstein has been calling DNSSEC “the worst DDOS amplifier on the Internet” for precisely this reason.
And 2 years ago, Paul Vixie presented a general solution: Response Rate Limiting. The technology exists to fix this problem. It just needs to be deployed.
Really, I expect this cluelessness from the MSM. It’s sad to see it in The Register.
The apparent mitigation is to throttle traffic from any one source or to any one source to prevent overload.
Just had the passing thought that this might trip over net neutrality rules; you should be able to distinguish at the technical level between video streaming and DNS traffic but has this been considered at the legal level?
So, a standard attack using DNS, with the addition of DNSSEC means let's disable DNS cryptography?
Never thought that Apple would be doing more to promote crypto than a tech site. Do you realize how easy it is to spoof DNS results if there is no crypto? That's how they "take sites off the Internet" in certain places.
Sure you should use TLS for security instead (if you think you can trust all those Certificate Authorities - ahem). Sane people will still want to use both DNSSEC and TLS. Defense-in-depth.
It's plain old amplification. Sure what's being amplified is bigger in the first instance but DDoS miscreants never seemed to have too much difficulty getting amplification of a small(er) payload to have a big effect, or to find plain DNS requests with large responses. You can hardly level the accusation at DNSSEC just because signed responses are inherently larger - the same accusation stands for any DNS response more than the 'average' number of records/types that is used as part of an amplification attack.
Have an upvote for the NTNOCN reference
Yes, I agree, some basic filtering wouldn't go amiss, and for parts of the internet that won't - well cut them off. The only reason these amplification attacks work is because the ****s can spoof source addresses.
I realise it's not as trivially easy as "drop packets with a source address that doesn't route out that way" due to asymmetric routing - but at the ISP level there shouldn't be much of a problem with "it's not one of our blocks, drop it" filtering.
As a DNS server operator, apart from having filtered the address blocks I service, I'm thinking that imposing an artificially low packet size threshold before switching to TCP would also mitigate the problem since large responses would get converted into small "please use TCP" responses. A bit more load, but having seen what DDoS attacks can do to my DNS servers I'd rather have that than be part of the problem. I've already implemented response rate limiting.
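The three mitigations raised in this thread (Vixie's Response Rate Limiting, source-address filtering of the "not one of our blocks, drop it" kind, and capping UDP answer size so large responses become a small "please use TCP" reply) can be modelled together. The following is an added example written for this page, not code from any commenter, The Register, or a DNS server project. The packet sizes, the query stream and the victim address are constructed for illustration; the RRL keying on a /24 prefix and the slip behaviour follow the general scheme, not any particular server's implementation.

```python
"""Toy model of DNS amplification and three mitigations: RRL, a UDP size cap,
and BCP38-style source filtering. Added example; all sizes are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sizes (assumptions): a ~60-byte UDP "ANY" query, an unsigned answer,
# and a DNSSEC-signed answer padded out by RRSIG/DNSKEY records.
QUERY_BYTES = 60
RESPONSE_BYTES = {"plain": 300, "dnssec": 3000}
TC_RESPONSE_BYTES = 60  # TC=1 reply carrying only header + question


def amplification(query_bytes, response_bytes):
    """Bytes sent to the victim per byte the attacker had to spoof."""
    return response_bytes / query_bytes


@dataclass
class Reply:
    size: int
    truncated: bool        # TC bit set: client must retry over TCP
    dropped: bool = False  # nothing sent at all


class RateLimitedResponder:
    """Responder with RRL and a UDP size cap.

    Responses are counted per one-second window, per (source /24, qname, qtype).
    Over the limit, every `slip`th response is sent as a tiny TC=1 answer (a real
    client retries over TCP, a spoofed victim receives almost nothing) and the
    rest are dropped. Independently, answers larger than `max_udp_size` are
    replaced by a TC=1 answer, which is the "artificially low threshold" idea.
    """

    def __init__(self, responses_per_second=5, slip=2, max_udp_size=4096):
        self.rps = responses_per_second
        self.slip = slip
        self.max_udp_size = max_udp_size
        self._counts = defaultdict(int)        # (window, /24, qname, qtype) -> n
        self._slip_counter = defaultdict(int)  # (/24, qname, qtype) -> n

    @staticmethod
    def _bucket(src_ip):
        # Key on the /24 so an attacker cannot evade the limit by spreading
        # spoofed sources across the victim's network.
        return str(ip_network(f"{src_ip}/24", strict=False))

    def respond(self, src_ip, qname, qtype, now, dnssec_ok):
        size = RESPONSE_BYTES["dnssec" if dnssec_ok else "plain"]
        ident = (self._bucket(src_ip), qname, qtype)
        key = (int(now),) + ident
        self._counts[key] += 1
        if self._counts[key] > self.rps:
            self._slip_counter[ident] += 1
            if self.slip and self._slip_counter[ident] % self.slip == 0:
                return Reply(TC_RESPONSE_BYTES, truncated=True)
            return Reply(0, truncated=False, dropped=True)
        if size > self.max_udp_size:
            return Reply(TC_RESPONSE_BYTES, truncated=True)
        return Reply(size, truncated=False)


def bcp38_permits(src_ip, customer_prefixes):
    """ISP-edge ingress check: only forward packets whose source address is in
    one of the prefixes assigned to the customer link they arrived on."""
    ip = ip_address(src_ip)
    return any(ip in ip_network(p) for p in customer_prefixes)


def simulate(responder, n_queries, src_ip="203.0.113.7", dnssec_ok=True, now=0.0):
    """Replay n_queries identical spoofed queries inside one second and return
    (bytes_in, bytes_out, amplification_factor) as seen from the server."""
    bytes_in = n_queries * QUERY_BYTES
    bytes_out = 0
    for _ in range(n_queries):
        reply = responder.respond(src_ip, "example.com.", "ANY", now, dnssec_ok)
        bytes_out += reply.size
    return bytes_in, bytes_out, bytes_out / bytes_in


if __name__ == "__main__":
    wide_open = RateLimitedResponder(responses_per_second=10**9, max_udp_size=65535)
    rrl = RateLimitedResponder(responses_per_second=5, slip=2, max_udp_size=65535)
    capped = RateLimitedResponder(responses_per_second=10**9, max_udp_size=512)
    for name, r in [("no mitigation", wide_open), ("RRL 5/s slip 2", rrl), ("UDP cap 512", capped)]:
        print(name, simulate(r, 100))
    print("spoofed 198.51.100.9 on a 203.0.113.0/24 link permitted?",
          bcp38_permits("198.51.100.9", ["203.0.113.0/24"]))
```

With the constructed sizes, 100 spoofed queries yield a 50x amplification unmitigated, about 3x under RRL, and 1x once every oversized answer is truncated to a TC=1 reply; the BCP38 check shows why the attack needs a network that does not filter its egress at all. The numbers are only as good as the assumed sizes, but the shape of the result is the point the commenters make: RRL and truncation turn a large response into a small one, while source filtering removes the spoofing that makes reflection possible in the first place.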