DNSSEC: How Savvy Attackers Are Using Our Defenses Against Us
The Domain Name System Security Extensions (DNSSEC) were conceived as a way to protect DNS, a necessary yet vulnerable layer of the Internet, from attacks and cache poisoning. But if not properly used, DNSSEC can quickly transform from a company’s security plan into an instrument of destruction.
In our recent study of one sector’s DNSSEC usage, we found more than 1,000 domains that weren’t properly managed and can be manipulated to amplify already dangerous DDoS attacks.
Other findings from the study include:
- 80% of the domains in one sector are vulnerable to being repurposed as a DDoS amplifier
- 28.9x – The average amplification factor for a DNSSEC signed zone
- 17,377 – The largest amplification response