DNSSEC and its potential for DDoS attacks: a comprehensive measurement study

@article{RijswijkDeij2014DNSSECAI,
  title={DNSSEC and its potential for DDoS attacks: a comprehensive measurement study},
  author={Roland van Rijswijk-Deij and Anna Sperotto and Aiko Pras},
  journal={Proceedings of the 2014 Conference on Internet Measurement Conference},
  year={2014}
}
Over the past five years we have witnessed the introduction of DNSSEC, a security extension to the DNS that relies on digital signatures. DNSSEC strengthens DNS by preventing attacks such as cache poisoning. However, a common argument against the deployment of DNSSEC is its potential for abuse in Distributed Denial of Service (DDoS) attacks, in particular reflection and amplification attacks. DNS responses for a DNSSEC-signed domain are typically larger than those for an unsigned domain, thus… 
Large-scale DNS and DNSSEC data sets for network security research
TLDR
This technical report describes the data sets obtained during a study to establish ground truth about how serious an issue denial-of-service attacks can be and makes these data sets available as open data under a permissive Creative Commons license.
The Impact of DNSSEC on the Internet Landscape
TLDR
This dissertation investigates the security deficiencies of the Domain Name System (DNS) and assesses the impact of the DNSSEC security extensions, and presents GPU-based attacks on the NSEC3 privacy assertion, which allow efficient recovery of the domain namespace contents.
ANYway: Measuring the Amplification DDoS Potential of Domains
TLDR
This paper proposes and validate a scalable method to estimate the amplification potential of a domain name, based on the expected ANY response size, and creates estimates for hundreds of millions of domain names and ranks them by their amplification potential.
Making the Case for Elliptic Curves in DNSSEC
TLDR
This paper argues that the choice of RSA as the default cryptosystem in DNSSEC is a major factor in these three problems, and starts research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.
A wrinkle in time: a case study in DNS poisoning
TLDR
This work successfully identifies empirical DNS poisoning attacks based on a novel method for DNS response timing analysis and presents a system to validate the technique that does not require any changes to the DNS protocol or any existing network equipment.
Background research on DNS-related DDoS vulnerabilities
TLDR
This document provides an overview of the MADDVIPR (Mapping DNS DDoS Vulnerabilities to Improve Protection and Prevention) project, a collaboration between the University of Twente and the Center for Applied Internet Data Analysis (CAIDA-UCSD).
On the adoption of the elliptic curve digital signature algorithm (ECDSA) in DNSSEC
TLDR
This paper studies the actual adoption of ECDSA by DNSSEC operators, based on longitudinal datasets covering over 50% of the global DNS namespace over a period of 1.5 years, and demonstrates that there are barriers to deployment that hamper adoption.
Improving DNS security: a measurement-based approach
TLDR
This thesis shows that alternative cryptographic algorithms based on Elliptic Curve Cryptography (ECC) are much more suited for DNSSEC and solve the two problems discussed before, and introduces a unique large-scale long-term active measurement infrastructure for the DNS.
The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation
TLDR
A model is developed that accurately predicts how many signature validations DNS resolvers have to perform and conclusively shows that switching DNSSEC to ECC signature schemes does not impose an insurmountable load on DNS resolvers, even in worst-case scenarios.
A survey of domain name system vulnerabilities and attacks
TLDR
DNS is an integral part of Internet operations but is still exposed to various attacks due to its vulnerabilities, low deployment of available mitigation techniques, and limitations of such techniques.

References

Dns amplification attacks preliminary release
TLDR
This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets and is the first documentation of a new form of a recursive name server reflection attack designed to use the significantly larger data amplification available from the extended capabilities of extended DNS standards.
The Futility of DNSSec
TLDR
This cost-benefit analysis clearly shows that DNSSec deployment is a futile effort, one that provides little long-term benefit yet has distinct, perhaps very significant costs.
Amplification Hell: Revisiting Network Protocols for DDoS Abuse
TLDR
This paper revisits popular UDP-based protocols of network services, online games, P2P file-sharing networks and P2P botnets to assess their security against DRDoS abuse, and finds that 14 protocols are susceptible to bandwidth amplification and multiply the traffic by up to a factor of 4670.
A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks
TLDR
The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Exit from Hell? Reducing the Impact of Amplification DDoS Attacks
TLDR
A large-scale campaign to reduce the number of vulnerable NTP servers by more than 92% and evaluates amplification vulnerabilities in the TCP handshake and shows that attackers can abuse millions of hosts to achieve 20× amplification.
DNSSEC meets real world: dealing with unreachability caused by fragmentation
TLDR
This article quantifies the severity of these DNSSEC deployment problems, proposes two potential solutions at the DNS authoritative name server side, and validates both solutions, based on extensive measurements on the operational network of this major NREN.
Characterizing and Mitigating the DDoS-as-a-Service Phenomenon
TLDR
This paper proposes mitigation solutions against DDoS-as-a-Service, derived from an extensive characterization of Booters, some of which do not deliver what is offered.
Domain Name System (DNS) Cookies
DNS Cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service and
Measuring the global domain name system
TLDR
The Measuring the Naming System (MeNSa) project proposes a formal and structured methodology and a set of metrics for the evaluation of the DNS health and security levels and introduces the main concepts of the MeNSa project.