Sysadmins are making mistakes configuring and managing DNSSec, and it's leaving systems that should be secure open to exploitation in DNS reflection attacks.
That's the conclusion of Neustar, in a study released here and which found that of more than 1,300 DNSSec-protected domains tested 80 per cent could be used in an attack.
The domains in question had DNSSec deployed, and also responded to the DNS “ANY” query. The ANY request asks the responder to provide all information about a domain – the MX (mail server) records, IP addresses, and so on. An ANY request therefore returns a lot more information than a simple request for the domain's IP address.
[...] Neustar reckons on average, the poorly-configured DNSSec servers could amplify an attacker's traffic by 28.9 times; they turned an 80 byte query into a 2,313 response; and the biggest response they received from one of the protected servers was 17,377 bytes, 217 times the size of the query.
Unfortunately, all of this isn't a bug, it's a feature: even with DNSSec, the purpose of the system is to answer queries – so it's not a matter of applying a patch; it's about taking care of systems.
(Score: 2) by maxwell demon on Thursday August 18 2016, @06:00PM
Can anyone explain to me how this is different to a web server that delivers hundreds of kilobytes of data as response to a small HTTP request?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2, Informative) by Anonymous Coward on Thursday August 18 2016, @06:04PM
https://en.wikipedia.org/wiki/DNS_amplification_attack [wikipedia.org]
You're welcome!
(Score: 0) by Anonymous Coward on Thursday August 18 2016, @06:11PM
Yes! yes! but what about! this!
https://en.wikipedia.org/wiki/Denial-of-service_attack#HTTP_POST_DoS_attack [wikipedia.org]
(Score: 0) by Anonymous Coward on Thursday August 18 2016, @06:18PM
This DNS attack can be aimed at anyone, that one only gets machines running HTTP servers. Plus you can block that by black holing the IP targeting you as there has to be a handshake first.
(Score: 0) by Anonymous Coward on Thursday August 18 2016, @06:19PM
It's not so much that you reply with a response that is X times larger than the request. It's that the response can be directed to other places, thus swamping it with traffic and [D]DoS'ing it.
(Score: -1, Troll) by Anonymous Coward on Thursday August 18 2016, @06:05PM
Dns is not the web, which is the important thing, so the very existence of the dns is newsworthy to idiots.
(Score: 4, Informative) by Anonymous Coward on Thursday August 18 2016, @06:08PM
Simple answer is the default protocol DNS uses UDP and HTTP uses TCP. With TCP, before the communication can occur, there needs to be a handshake between parties. However, UDP does not require a handshake. Therefore, Eve can send a UDP datagram to Alice using Bob's IP address and Alice will fire off the proper response to Bob that he never requested. With TCP, the best you could do without requiring some serious high-level shit would be to flood Bob with a bunch of tiny SYN/ACKs from Alice.
(Score: -1, Troll) by Anonymous Coward on Thursday August 18 2016, @06:14PM
UDP? What does any of this have to do with Unlimited Data Plans? The WWW uses HTTP and none of this other bullcrap. You must be a dirty rotten hacker.
(Score: 3, Insightful) by Fnord666 on Thursday August 18 2016, @09:05PM
Simple answer is the default protocol DNS uses UDP and HTTP uses TCP. With TCP, before the communication can occur, there needs to be a handshake between parties. However, UDP does not require a handshake. Therefore, Eve can send a UDP datagram to Alice using Bob's IP address and Alice will fire off the proper response to Bob that he never requested. With TCP, the best you could do without requiring some serious high-level shit would be to flood Bob with a bunch of tiny SYN/ACKs from Alice.
The main problem is that too many routers are willing to forward IP packets with spoofed source IP addresses. The router should be able to know that the source address in the packet is not in the network behind it so it should just drop the packet rather than forward it on.
(Score: 0) by Anonymous Coward on Friday August 19 2016, @08:00AM
That used to be possible, before anyone *qualified* to run an ISP or transit network implemented egress filtering around 15 years ago.
Oh sure, if your building is using some kind of shared internet connection, you might be able to DOS the guy living in the room next door, but in that case, the internal LAN is probably faster than the internet connection anyway, and you'd end up blocking the internet connection for the entire building, including yourself and the admin, and maybe even prompting the admin to finally set up filtering.
(Score: 0) by Anonymous Coward on Friday August 19 2016, @04:53PM
My ISP is in the top 20 by subscribers in the USA. According to my test, they don't do egress filtering. Although, given how low my speed is compared to the "up to" speeds, amount of downtime and outages, maybe you are correct about their network managers being unqualified to run an ISP.