DNSSEC as DDoS amplification attack vector
Here is a report that explains how DNSSEC can be subverted as an amplifier in DDoS attacks.
• Average DNSSEC amplification factor: 28.9x
• Average response to an 80-byte “ANY” query: 2313 bytes
• Largest amplification response: 17377 bytes
https://ns-cdn.neustar.biz/creative_services/biz/neustar/www/resources/whitepapers/it-security/dns/neustar-dnssec-report.pdf
We ran DNS queries from four separate and independent open recursive servers to look for DNSSEC name servers that responded to queries using the DNS command “ANY,” which is a favorite malicious query used by hackers.
[...]
Of the 1,349 domains that we examined, 1,084 were signed with DNSSEC and responded to the “ANY” query.
Which means: 80% of the domains in this one community could be repurposed as a DDoS amplifier and used maliciously.
[...]
For organizations that use and rely on DNSSEC, Neustar recommends ensuring that your DNS provider does not respond to the “ANY” queries or has some mechanism in place to identify and stop misuse.
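As an added example (not part of the report or this post), the following Python check runs over constructed name-server query-log lines in a hypothetical format and computes the same kind of figures the report quotes: per-response amplification ratio, average factor for “ANY” queries, largest response, and a list of responses above a threshold worth investigating.

```python
import re
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, Optional

# Constructed sample log (hypothetical format, not data from the report):
# timestamp client qname qtype req=<bytes> resp=<bytes>
SAMPLE_LOG = """\
2013-08-01T10:00:01Z 198.51.100.7 example.org. ANY req=80 resp=2313
2013-08-01T10:00:02Z 198.51.100.7 example.org. ANY req=80 resp=17377
2013-08-01T10:00:03Z 203.0.113.5 www.example.org. A req=58 resp=74
2013-08-01T10:00:04Z 203.0.113.9 example.org. DNSKEY req=64 resp=1180
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) "
    r"req=(?P<req>\d+) resp=(?P<resp>\d+)$"
)

@dataclass
class Record:
    client: str
    qname: str
    qtype: str
    req: int
    resp: int

    @property
    def factor(self) -> float:
        """Amplification factor: response bytes per request byte."""
        return self.resp / self.req

def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(m["client"], m["qname"], m["qtype"], int(m["req"]), int(m["resp"]))

def summarize(lines: Iterable[str], threshold: float = 10.0) -> dict:
    """Aggregate ANY-query amplification and flag responses at or above threshold."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    any_recs = [r for r in recs if r.qtype == "ANY"]
    return {
        "any_count": len(any_recs),
        "avg_any_factor": round(mean(r.factor for r in any_recs), 1) if any_recs else 0.0,
        "max_response": max((r.resp for r in recs), default=0),
        "flagged": [(r.client, r.qname, r.qtype) for r in recs if r.factor >= threshold],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

A real deployment would feed the parser from the server's own query log or dnstap output instead of the constructed sample, and clients repeatedly triggering flagged responses are candidates for response rate limiting.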