The .sl ccTLD: A Case Study in DNSSEC Misconfiguration and DDoS Exploitation

In the ever-evolving landscape of cybersecurity, Distributed Denial of Service (DDoS) attacks remain a persistent threat to online businesses. Recently, an online business fell victim to a significant DDoS attack that leveraged the .sl country code top-level domain (ccTLD) for Sierra Leone. This incident highlights the critical importance of proper DNSSEC (Domain Name System Security Extensions) configuration and the role of Internet Service Providers (ISPs) in mitigating such attacks. This analysis is part of our DDoS incident response managed service.

Understanding DNSSEC and Its Potential for Abuse

DNSSEC is designed to add a layer of security to the DNS by enabling the verification of DNS data authenticity and integrity. It achieves this through the use of digital signatures and cryptographic keys. However, when misconfigured, DNSSEC can inadvertently become a tool for attackers.

In this particular case, the .sl ccTLD was exploited in a DNS reflection and amplification attack. These types of attacks involve sending a small query to a DNS server, which then responds with a much larger reply. The attacker spoofs the source IP address to make it appear as though the query came from the target, resulting in the target being bombarded with large amounts of data.

The Role of Misconfiguration in Amplifying the Attack

Several misconfigurations in the DNSSEC setup of the .sl ccTLD significantly enhanced the attack:

• Multiple RRSIG Records for the Same Type: The presence of multiple RRSIG (Resource Record Signature) records for the same type (e.g., NSEC, SOA, DNSKEY) led to unnecessary bloat in the DNS response. This increased the size of the response, making it more effective for amplification attacks.
• Key Sizes: The DNSKEY records used key sizes of 4096 bits for two of them and 1024 bits for the other two. While strong cryptographic keys are essential for security, excessively large keys can lead to inefficiencies and increased response sizes.
• Large DNS Response Size: The DNS response size was quite large (5814 bytes), leading to fragmentation issues and making the server an attractive target for attackers. Fragmented traffic is harder to filter and manage, further complicating mitigation efforts.
• Missing DS Record: The absence of a DS (Delegation Signer) record for the .sl domain rendered the DNSSEC configuration ineffective. Without the DS record, the chain of trust is broken, and the DNSSEC validation cannot be completed.

The Role of ISPs in Enabling the Attack

While misconfigurations in DNSSEC can enhance the effectiveness of an attack, the role of ISPs in allowing such attacks cannot be overlooked. Many ISPs still permit the spoofing of source IP addresses, which is a fundamental enabler of reflection and amplification attacks. By allowing attackers to spoof the source IP, ISPs inadvertently facilitate the redirection of large volumes of traffic to the target.

Conclusion

This incident serves as a stark reminder of the importance of proper DNSSEC configuration and the need for ISPs to implement measures to prevent IP spoofing. Online businesses must ensure that their DNSSEC setup is correctly configured, using appropriately sized cryptographic keys and avoiding unnecessary bloat in DNS responses. Additionally, ISPs must take responsibility for preventing IP spoofing to mitigate the risk of reflection and amplification attacks.

By addressing these issues, we can enhance the security and stability of the DNS infrastructure, making it more resilient against the ever-present threat of DDoS attacks.

Amos Rosenboim

CTO and Co-Founder