DNSSEC and Its Potential for DDoS Attacks - A Comprehensive Measurement Study

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review

    43 Citations (Scopus)
    114 Downloads (Pure)

    Abstract

    Over the past five years we have witnessed the introduction of DNSSEC, a security extension to the DNS that relies on digital signatures. DNSSEC strengthens DNS by preventing attacks such as cache poisoning. However, a common argument against the deployment of DNSSEC is its potential for abuse in Distributed Denial of Service (DDoS) attacks, in particular reflection and amplification attacks. DNS responses for a DNSSEC-signed domain are typically larger than those for an unsigned domain, thus, it may seem that DNSSEC could actually worsen the problem of DNS-based DDoS attacks. The potential for abuse in DNSSEC-signed domains has, however, never been assessed on a large scale. In this paper we establish ground truth around this open question. We perform a detailed measurement on a large dataset of DNSSEC-signed domains, covering 70% (2.5 million) of all signed domains in operation today, and compare the potential for amplification attacks to a representative sample of domains without DNSSEC. At first glance, the outcome of these measurements confirms that DNSSEC indeed worsens the DDoS phenomenon. Closer examination, however, gives a more nuanced picture. DNSSEC really only makes the situation worse for one particular query type (ANY), for which responses may be over 50 times larger than the original query (and in rare cases up to 179x). We also discuss a number of mitigation strategies that can have immediate impact for operators and suggest future research directions with regards to these mitigation strategies.
    Original language: English
    Title of host publication: Proceedings of the Fourteenth ACM Internet Measurement Conference, ACM IMC 2014
    Place of publication: New York
    Publisher: Association for Computing Machinery (ACM)
    Pages: 449-460
    Number of pages: 12
    ISBN (Print): 978-1-4503-3213-2
    DOI: 10.1145/2663716.2663731
    Publication status: Published - Nov 2014

    Publication series

    Publisher: ACM

    Fingerprint

    Amplification
    Electronic document identification systems
    Denial-of-service attack

    Keywords

    • EWI-25209
    • reflection attack
    • METIS-309620
    • IR-93925
    • Attack
    • amplification attack
    • DNSSEC
    • DDoS
    • Denial of service
    • Measurements
    • DNS

    Cite this

    van Rijswijk, R. M., Sperotto, A., & Pras, A. (2014). DNSSEC and Its Potential for DDoS Attacks - A Comprehensive Measurement Study. In Proceedings of the Fourteenth ACM Internet Measurement Conference, ACM IMC 2014 (pp. 449-460). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2663716.2663731
    @inproceedings{cb44e19921c24486ba0e8a27c80b8a4f,
    title = "DNSSEC and Its Potential for DDoS Attacks - A Comprehensive Measurement Study",
    abstract = "Over the past five years we have witnessed the introduction of DNSSEC, a security extension to the DNS that relies on digital signatures. DNSSEC strengthens DNS by preventing attacks such as cache poisoning. However, a common argument against the deployment of DNSSEC is its potential for abuse in Distributed Denial of Service (DDoS) attacks, in particular reflection and amplification attacks. DNS responses for a DNSSEC-signed domain are typically larger than those for an unsigned domain, thus, it may seem that DNSSEC could actually worsen the problem of DNS-based DDoS attacks. The potential for abuse in DNSSEC-signed domains has, however, never been assessed on a large scale. In this paper we establish ground truth around this open question. We perform a detailed measurement on a large dataset of DNSSEC-signed domains, covering 70{\%} (2.5 million) of all signed domains in operation today, and compare the potential for amplification attacks to a representative sample of domains without DNSSEC. At first glance, the outcome of these measurements confirms that DNSSEC indeed worsens the DDoS phenomenon. Closer examination, however, gives a more nuanced picture. DNSSEC really only makes the situation worse for one particular query type (ANY), for which responses may be over 50 times larger than the original query (and in rare cases up to 179x). We also discuss a number of mitigation strategies that can have immediate impact for operators and suggest future research directions with regards to these mitigation strategies.",
    keywords = "EWI-25209, reflection attack, METIS-309620, IR-93925, Attack, amplification attack, DNSSEC, DDoS, Denial of service, Measurements, DNS",
    author = "{van Rijswijk}, {Roland M.} and Anna Sperotto and Aiko Pras",
    year = "2014",
    month = "11",
    doi = "10.1145/2663716.2663731",
    language = "English",
    isbn = "978-1-4503-3213-2",
    publisher = "Association for Computing Machinery (ACM)",
    pages = "449--460",
    booktitle = "Proceedings of the Fourteenth ACM Internet Measurement Conference, ACM IMC 2014",
    address = "United States",
    }
