DNSSEC used as a way to carry out DDoS attacks

A security bulletin published by Akamai earlier this month shows that the company has ‘observed and successfully mitigated a large number of DNS reflection and amplification DDoS attacks abusing a Domain Name System Security Extension (DNSSEC) configured domain’. According to TheRegister, DNSSEC adds extra security at the cost of larger than normal DNS responses; attackers abuse this by directing queries with spoofed source addresses at a DNSSEC-configured domain, so that the extra-large responses are reflected at a chosen server and amplify the volume of packets that reach it, making it possible to take servers offline. Experts say that, while DNSSEC is being used in such attacks, the actual fault lies with ‘systems generating traffic with spoofed IP addresses and networks allowing such traffic’, and ‘remote applications that will respond to requests coming from compromised hosts’.
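From the server operator's side, the pattern described above shows up in query logs as a burst of large responses all "returned" to one address that never asked for them. The script below is an added example, not code from Akamai, TheRegister or any named project; it assumes a constructed, simplified log format (timestamp, client address, query name, query type, request bytes, response bytes, DNSSEC flag) and flags addresses that receive many responses with a high response-to-request size ratio inside a short window, which is what a spoofed-source reflection flood looks like from the reflector's point of view. The sample log lines are constructed, not real traffic.

```python
"""Spot DNS reflection/amplification patterns in a simplified query log.

Added example; the log format and thresholds are assumptions for illustration.
Each log line: <unix_ts> <client_ip> <qname> <qtype> <req_bytes> <resp_bytes> <dnssec 0|1>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample (not real traffic). 198.51.100.7 "receives" a burst of
# ~4 KB DNSSEC-bearing answers to 40-byte ANY queries; the other clients are
# ordinary lookups, including one legitimate large DNSKEY answer.
SAMPLE_LOG = """\
1699999000 203.0.113.5 www.example.net A 43 59 0
1699999001 203.0.113.9 example.net DNSKEY 40 1300 1
1699999001 198.51.100.7 example.net ANY 40 4000 1
1699999001 198.51.100.7 example.net ANY 40 4000 1
1699999002 198.51.100.7 example.net ANY 40 4000 1
1699999002 198.51.100.7 example.net ANY 40 4000 1
1699999003 198.51.100.7 example.net ANY 40 4000 1
1699999003 198.51.100.7 example.net ANY 40 4000 1
1699999010 203.0.113.5 mail.example.net MX 44 80 0
"""


@dataclass
class Record:
    ts: int
    client: str
    qname: str
    qtype: str
    req_bytes: int
    resp_bytes: int
    dnssec: bool


def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        ts, client, qname, qtype, req, resp, dnssec = fields
        records.append(Record(int(ts), client, qname, qtype,
                              int(req), int(resp), dnssec == "1"))
    return records


def amplification_factor(rec):
    """Bytes sent back per byte received; >1 means the server amplifies."""
    return rec.resp_bytes / rec.req_bytes if rec.req_bytes else 0.0


def find_reflection_targets(records, min_queries=5, min_factor=10.0, window=60):
    """Return clients that, within one time window, received at least
    min_queries responses with an average amplification factor >= min_factor.
    Such addresses are most likely spoofed victims rather than attackers,
    so the output is a list of addresses to protect, not to block."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r.client, r.ts // window)].append(r)
    findings = []
    for (client, _), recs in buckets.items():
        if len(recs) < min_queries:
            continue
        avg_factor = sum(amplification_factor(r) for r in recs) / len(recs)
        if avg_factor >= min_factor:
            findings.append({
                "client": client,
                "queries": len(recs),
                "avg_amplification": round(avg_factor, 1),
                "bytes_sent": sum(r.resp_bytes for r in recs),
                "dnssec_share": sum(r.dnssec for r in recs) / len(recs),
            })
    return sorted(findings, key=lambda f: f["bytes_sent"], reverse=True)


if __name__ == "__main__":
    for finding in find_reflection_targets(parse_log(SAMPLE_LOG)):
        print(finding)
```

The single large DNSKEY answer to 203.0.113.9 is not flagged: one big response is normal for a signed zone, and it is the volume of large responses aimed at one address that distinguishes reflection from legitimate DNSSEC traffic. In practice this kind of detection is paired with response rate limiting on the authoritative server and with ingress filtering of spoofed source addresses on the networks originating the traffic, which is the point the experts quoted above are making.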