DNSSEC is not invincible. Researchers this week described how a DNSSEC-based flood attack could easily knock a website offline and allow for the insertion of malware or exfiltration of sensitive data.
The intent of Domain Name System Security Extensions, or DNSSEC, is to bolster DNS through a series of complex digital signatures. But if it is not secured properly it can fall victim to cache poisoning and malicious redirection attacks, experts warn.
Researchers at Neustar explained in a paper, “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” on Tuesday how DNSSEC can be reflected and leveraged by “ANY” queries to carry out DDoS attacks. “ANY” queries are favored by hackers; responses to them are exponentially larger than a normal DNS reply, researchers claim.