Administrators who have configured their domains to use DNSSEC: Good job! But congratulations may be premature if the domain hasn’t been correctly set up. Attackers can abuse improperly configured DNSSEC (Domain Name System Security Extensions) domains to launch denial-of-service attacks.
The DNS acts as a phone book for the Internet, translating IP addresses into human-readable addresses. However, the wide-open nature of DNS leaves it susceptible to DNS hijacking and DNS cache poisoning attacks to redirect users to a different address than where they intended to go.
DNSSEC is a series of digital signatures intended to protect DNS entries from being modified. Done properly, DNSSEC provides authentication and verification. Done improperly, attackers can loop the domain into a botnet to launch DDoS amplification and reflection attacks, according to the latest research from Neustar, a network security company providing anti-DDoS services.
To read this article in full or to leave a comment, please click here