DNSSEC and its potential for DDoS attacks: a comprehensive measurement study

  title={DNSSEC and its potential for DDoS attacks: a comprehensive measurement study},
  author={R. V. Rijswijk-Deij and A. Sperotto and A. Pras},
  journal={Proceedings of the 2014 Conference on Internet Measurement Conference},
Over the past five years we have witnessed the introduction of DNSSEC, a security extension to the DNS that relies on digital signatures. DNSSEC strengthens DNS by preventing attacks such as cache poisoning. However, a common argument against the deployment of DNSSEC is its potential for abuse in Distributed Denial of Service (DDoS) attacks, in particular reflection and amplification attacks. DNS responses for a DNSSEC-signed domain are typically larger than those for an unsigned domain, thus… Expand
Large-scale DNS and DNSSEC data sets for network security research
The Impact of DNSSEC on the Internet Landscape
Making the Case for Elliptic Curves in DNSSEC
A wrinkle in time: a case study in DNS poisoning
On the adoption of the elliptic curve digital signature algorithm (ECDSA) in DNSSEC
Improving DNS security: a measurement-based approach
A survey of domain name system vulnerabilities and attacks
Dealing with DNS Amplification Attacks using Response Rate Limiting


The Futility of DNSSec