DNSSEC and its potential for DDoS attacks

Rijswijk-Deij, Roland van; Sperotto, Anna; Pras, Aiko

doi:10.1145/2663716.2663731

Cited by 88 publications

(72 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…First, DNSSEC responses are larger and suffer more from IP fragmentation, which impacts availability [1]. Second, DNSSEC's larger responses can be abused for potent denial-of-service attacks [2]. Third, key management in DNSSEC is often complex, which may lead to mistakes that make domains unreachable.…”

Section: Introductionmentioning

confidence: 99%

Making the Case for Elliptic Curves in DNSSEC

Rijswijk-Deij

Sperotto

Pras

2015

SIGCOMM Comput. Commun. Rev.

Self Cite

View full text Add to dashboard Cite

The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNS-SEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplificationbased denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice for RSA as default cryptosystem in DNS-SEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (EC-DSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNS-SEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.

show abstract

Section: Introductionmentioning

confidence: 99%

Making the Case for Elliptic Curves in DNSSEC

Rijswijk-Deij

Sperotto

Pras

2015

SIGCOMM Comput. Commun. Rev.

Self Cite

View full text Add to dashboard Cite

show abstract

“…r 3 ) operated by SURFnet. 3 We performed a live capture of traffic 2 See http://www.internetsociety.org/deploy360/dnssec/statistics/ 3 The National Research and Education Network in the Netherlands. from clients to these DNS resolvers and replayed this traffic against an instrumented DNS resolver.…”

Section: B Modelmentioning

confidence: 99%

“…Because DNS is susceptible to IP address spoofing, it can be abused in so-called amplification attacks. For 'classic' DNS the average amplification factor is around 6×, but DNSSEC makes things much worse, increasing the average amplification to around 50× [2]. This means that by sending 100 Mbit/s, attackers can mount an attack of 5 Gbit/s.…”

mentioning

confidence: 99%

The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation

Rijswijk-Deij

Hageman

Sperotto

et al. 2017

IEEE/ACM Trans. Networking

Self Cite

View full text Add to dashboard Cite

Abstract-The domain name system (DNS) is a core Internet infrastructure that translates names to machine-readable information, such as IP addresses. Security flaws in DNS led to a major overhaul, with the introduction of the DNS security (DNSSEC) extensions. DNSSEC adds integrity and authenticity to the DNS using digital signatures. DNSSEC, however, has its own concerns. It suffers from availability problems due to packet fragmentation and is a potent source of distributed denial-of-service attacks. In earlier work, we argued that many issues with DNSSEC stem from the choice of RSA as default signature algorithm. A switch to alternatives based on elliptic curve cryptography (ECC) can resolve these issues. Yet switching to ECC introduces a new problem: ECC signature validation is much slower than RSA validation. Thus, switching DNSSEC to ECC imposes a significant additional burden on DNS resolvers, pushing load toward the edges of the network. Therefore, in this paper, we study the question: will switching DNSSEC to ECC lead to problems for DNS resolvers, or can they handle the extra load? To answer this question, we developed a model that accurately predicts how many signature validations DNS resolvers have to perform. This allows us to calculate the additional CPU load ECC imposes on a resolver. Using real-world measurements from four DNS resolvers and with two open-source DNS implementations, we evaluate future scenarios where DNSSEC is universally deployed. Our results conclusively show that switching DNSSEC to ECC signature schemes does not impose an insurmountable load on DNS resolvers, even in worst case scenarios.

show abstract

“…Alternatively, amplification can also be achieved by using standard authoritative DNS servers; there are hundreds of millions of such servers that allow amplification with a factors between 6 and 12. Particularly interesting may be the 3.5 million DNSSEC servers, which include digital signatures in their responses and therefore allow much higher amplification factors; factors between 40 and 55 should be realistic [4]. In addition to DNS systems, attackers can also use open NTP (4 million), open SNMP (8 million) or other servers to amplify attacks [5] [6].…”

Section: How To Make Ddos Attacks More Powerfulmentioning

confidence: 99%

DDoS 3.0 - How Terrorists Bring Down the Internet

Pras

Santanna

Steinberger

et al. 2016

Measurement, Modelling and Evaluation of Dependable Computer and Communication Systems

Self Cite

View full text Add to dashboard Cite

Abstract. Dependable operation of the Internet is of crucial importance for our society. In recent years Distributed Denial of Service (DDoS) attacks have quickly become a major problem for the Internet. Most of these attacks are initiated by kids that target schools, ISPs, banks and web-shops; the Dutch NREN (SURFNet), for example, sees around 10 of such attacks per day. Performing attacks is extremely simple, since many websites offer "DDoS as a Service"; in fact it is easier to order a DDoS attack than to book a hotel! The websites that offer such DDoS attacks are called "Booters" or Stressers", and are able to perform attacks with a strength of many Gbps. Although current attempts to mitigate attacks seem promising, analysis of recent attacks learns that it is quite easy to build next generation attack tools that are able to generate DDoS attacks with a strength thousand to one million times higher than the ones we see today. If such tools are used by nation-states or, more likely, terrorists, it should be possible to completely stop the Internet. This paper argues that we should prepare for such novel attacks. Current DDoS attacksCurrent DDoS attacks are often performed by youngsters via websites that offer "DDoS as a Service". Such websites, which are called "Booters" or Stressers", are able to generate attacks with strengths of many Gbps. A simple Google search shows that hundreds of such Booters are currently active; the costs to perform a series of attacks is typically a few dollars [1][2]. In general Booters do not attack their targets directly, but use one or two levels of intermediate systems to strengthen and anonymise the attacks. The first level is formed by botnets that start the attack once they receive specific commands from the Booter. The second level is used to amplify the attack and can, for example, involve a set of DNS or NTP servers that react upon the reception of relatively small requests by sending large response packets. The ratio between response and request message size is the amplification factor; in practice we find factors between ten and hundred. Particularly popular for amplification attacks are socalled open DNS resolvers, which are basically misconfigured DNS servers that answer DNS queries irrespective of their origin. To target a specific victim, the

show abstract

DNSSEC and its potential for DDoS attacks

Cited by 88 publications

References 19 publications

Making the Case for Elliptic Curves in DNSSEC

Making the Case for Elliptic Curves in DNSSEC

The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation

DDoS 3.0 - How Terrorists Bring Down the Internet

Contact Info

Product

Resources

About