Abstract
Over the past five years we have witnessed the introduction of DNSSEC, a security extension to the DNS that relies on digital signatures. DNSSEC strengthens DNS by preventing attacks such as cache poisoning. However, a common argument against the deployment of DNSSEC is its potential for abuse in Distributed Denial of Service (DDoS) attacks, in particular reflection and amplification attacks. DNS responses for a DNSSEC-signed domain are typically larger than those for an unsigned domain, so it may seem that DNSSEC actually worsens the problem of DNS-based DDoS attacks. The potential for abuse of DNSSEC-signed domains has, however, never been assessed on a large scale.
In this paper we establish ground truth around this open question. We perform a detailed measurement on a large dataset of DNSSEC-signed domains, covering 70% (2.5 million) of all signed domains in operation today, and compare the potential for amplification attacks to a representative sample of domains without DNSSEC. At first glance, the outcome of these measurements confirms that DNSSEC indeed worsens the DDoS phenomenon. Closer examination, however, gives a more nuanced picture. DNSSEC really only makes the situation worse for one particular query type (ANY), for which responses may be over 50 times larger than the original query (and in rare cases up to 179x). We also discuss a number of mitigation strategies that can have immediate impact for operators and suggest future research directions with regard to these mitigation strategies.
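The amplification factor the abstract refers to is simply the size of the UDP response divided by the size of the query that triggered it. The following added example (written for this page, not code from the paper or its authors) builds DNS wire-format messages with the Python standard library and computes that ratio for an ANY query against a constructed zone, once unsigned and once with the RRSIG and DNSKEY records DNSSEC adds. The zone name example.com, the record contents, the key sizes and the signature bytes are all dummies; names are emitted uncompressed, so the sizes are an upper bound for what a real server would send. It also shows why EDNS0 matters: without it the responder is limited to 512 bytes and must truncate, so the large amplification only appears when the attacker advertises a large EDNS0 buffer.

```python
"""
Added example (not from the paper): DNS wire-format builder and amplification
factor (response bytes / query bytes). All records are constructed dummies.
"""
import struct

TYPE_CODE = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28, "OPT": 41,
             "RRSIG": 46, "DNSKEY": 48, "ANY": 255}
TYPE_NAME = {v: k for k, v in TYPE_CODE.items()}
ZONE = "example.com"   # constructed zone name


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels plus root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_rr(bufsize=4096, do=True):
    """EDNS0 OPT pseudo-RR: root name, TYPE 41, bufsize in CLASS, DO bit in TTL."""
    return b"\x00" + struct.pack("!HHIH", TYPE_CODE["OPT"], bufsize, 0x8000 if do else 0, 0)


def rr(rtype, rdata, name=ZONE, ttl=3600):
    """One resource record: NAME, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", TYPE_CODE[rtype], 1, ttl, len(rdata)) + rdata


def rrsig(covered, sig_len, ttl=3600):
    """RRSIG RDATA: 18 fixed bytes, signer name, raw signature (dummy bytes)."""
    fixed = struct.pack("!HBBIIIH", TYPE_CODE[covered], 8, 2, ttl, 0, 0, 0)
    return rr("RRSIG", fixed + encode_name(ZONE) + b"\xaa" * sig_len)


def dnskey(flags, modulus_len):
    """DNSKEY RDATA: flags, protocol 3, algorithm 8, RSA exponent + dummy modulus."""
    return rr("DNSKEY", struct.pack("!HBB", flags, 3, 8) + b"\x03\x01\x00\x01" + b"\xbb" * modulus_len)


UNSIGNED = [                                   # what an unsigned zone returns to ANY
    rr("A", bytes([192, 0, 2, 1])),
    rr("AAAA", bytes.fromhex("20010db8") + b"\x00" * 12),
    rr("NS", encode_name("ns1.example.com")),
    rr("NS", encode_name("ns2.example.com")),
    rr("MX", struct.pack("!H", 10) + encode_name("mail.example.com")),
]
# DNSSEC adds an RRSIG per RRset (1024-bit ZSK signatures), the ZSK and a
# 2048-bit KSK, and the KSK's RRSIG over the DNSKEY RRset.
SIGNED = UNSIGNED + [rrsig(t, 128) for t in ("A", "AAAA", "NS", "MX")] + [
    dnskey(256, 128), dnskey(257, 256), rrsig("DNSKEY", 256)]


def build_query(edns=True, qid=0x1234):
    """ANY query for ZONE; with EDNS0 it advertises a 4096-byte buffer and DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(ZONE) + struct.pack("!HH", TYPE_CODE["ANY"], 1)
    return (msg + opt_rr()) if edns else msg


def build_response(query, answers):
    """Answer a query, honouring the UDP size limit: 512 bytes without EDNS0,
    otherwise the buffer size the client advertised in its OPT record."""
    qid, arcount = struct.unpack("!H", query[:2])[0], struct.unpack("!H", query[10:12])[0]
    question, limit = query[12:], 512
    if arcount:                     # only additional record in our queries is OPT
        question, limit = query[12:-11], struct.unpack("!H", query[-8:-6])[0]
    tail = opt_rr() if arcount else b""
    msg = struct.pack("!HHHHHH", qid, 0x8400, 1, len(answers), 0, arcount) + question + b"".join(answers) + tail
    if len(msg) > limit:            # too big for UDP: TC bit, no RRs, client retries over TCP
        msg = struct.pack("!HHHHHH", qid, 0x8600, 1, 0, 0, arcount) + question + tail
    return msg


def amplification(signed=True, edns=True):
    """Return (query_len, response_len, factor) for one synthetic ANY exchange."""
    q = build_query(edns)
    r = build_response(q, SIGNED if signed else UNSIGNED)
    return len(q), len(r), len(r) / len(q)


def skip_name(msg, off):
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:        # compression pointer terminates the name
            return off + 2
        off += 1 + l


def bytes_per_type(msg):
    """Attribute the wire bytes of every RR in a response to its RR type."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    sizes = {}
    for _ in range(an + ns + ar):
        start = off
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        key = TYPE_NAME.get(rtype, str(rtype))
        sizes[key] = sizes.get(key, 0) + off - start
    return sizes


if __name__ == "__main__":
    for signed in (False, True):
        for edns in (False, True):
            q, r, f = amplification(signed, edns)
            print("signed=%-5s edns=%-5s query=%3d response=%4d factor=%5.1f" % (signed, edns, q, r, f))
    print(bytes_per_type(build_response(build_query(), SIGNED)))
```

Running it shows the unsigned ANY response at a few times the 40-byte query, the signed one above 40x with the RRSIG and DNSKEY records accounting for most of the bytes, and the signed response collapsing to a 29-byte truncated reply when the query carries no EDNS0 record. Real measurements use compressed names and real key material, so absolute numbers differ, but the attribution of bytes to record types is the same check an operator would run on their own zone.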
Field | Value
---|---
Original language | English
Title of host publication | Proceedings of the Fourteenth ACM Internet Measurement Conference, ACM IMC 2014
Place of Publication | New York
Publisher | Association for Computing Machinery (ACM)
Pages | 449-460
Number of pages | 12
ISBN (Print) | 978-1-4503-3213-2
Publication status | Published - Nov 2014
Publication series publisher | ACM
Keywords
- EWI-25209
- reflection attack
- METIS-309620
- IR-93925
- Attack
- amplification attack
- DNSSEC
- DDoS
- Denial of service
- Measurements
- DNS
Title: DNSSEC and Its Potential for DDoS Attacks - A Comprehensive Measurement Study
Prizes
- ACM SIGCOMM IMC Community Contribution Award 2014, van Rijswijk-Deij, Roland Martijn (Recipient), 5 Nov 2014. Prize: Honorary award
- IRTF Applied Networking Research Prize 2015, van Rijswijk-Deij, Roland Martijn (Recipient), 2015