Vulnerability in DNS Servers can Boost DDoS attacks Several Times

NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities
The NXNSAttack vulnerability affects DNS servers and the delegation process.

A group of researchers from Tel Aviv University and the Herzliya Interdisciplinary Center in Israel discovered a vulnerability in DNS servers that could allow DDoS attacks with a gain of 1620x. According to the experts, the vulnerability, called NXNSAttack, affects recursive DNS servers and the delegation process.

Recursive DNS servers are DNS systems that pass DNS queries upstream so that they can be resolved, converting a domain name into an IP address. This resolution takes place on authoritative DNS servers, where a copy of the DNS record is stored. However, as part of the security mechanism of the DNS protocol, authoritative DNS servers can also delegate the operation to alternative DNS servers.
The research team was able to find a way to use the aforementioned delegation process to carry out DDoS attacks. NXNSAttack has many variations, but the basic principle of the attack is as follows:
  • The attacker sends a DNS query to the recursive DNS server. The request is for a domain such as attacker.com, which is managed by an authoritative DNS server controlled by the attacker.
  • Since the recursive DNS server is not authorized to resolve this domain name, it passes the operation to the authoritative DNS server controlled by the attacker.
  • The malicious DNS server responds to the recursive DNS server with a message that literally means "I am delegating this domain name resolution operation to a large list of servers." The list contains thousands of subdomains of the attacked website.
  • The recursive DNS server forwards the DNS query to all subdomains from the list, thereby causing a surge in traffic for the victim’s authoritative DNS server.
Over the past few months, researchers, along with DNS server software vendors, content delivery networks, and managed DNS providers, have worked to fix the problem around the world. The list of affected software includes: ISC BIND (CVE-2020-8616), NLnet Labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), CZ.NIC Knot Resolver (CVE-2020-12667), and commercial DNS services from Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9, and ICANN. Administrators who run their own DNS servers are advised to install the latest software version.
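
The referral pattern in the attack steps above can be checked for on the resolver side. The following is an added example, not code from the researchers or from any DNS vendor: it scores a delegation response by how many name-server names arrive without addresses and point outside the delegated zone. The function names, the `max_foreign` threshold, the `fetch_cap` limit and the `.example` domains are constructed assumptions, as is the count of one A and one AAAA lookup per name.

```python
from collections import Counter

def zone_of(name, labels=2):
    # Approximate the owning zone as the last `labels` labels
    # (assumption: no public-suffix list is consulted).
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])

def assess_referral(zone, ns_names, glue, max_foreign=10, fetch_cap=None):
    """Score one delegation (referral) response for the NXNSAttack pattern.

    ns_names:  NS names listed in the referral.
    glue:      NS names that arrived with address records attached.
    fetch_cap: hypothetical per-referral limit on NS names the resolver resolves.
    """
    zone = zone.rstrip(".").lower()
    glue = {g.rstrip(".").lower() for g in glue}
    names = [n.rstrip(".").lower() for n in ns_names]
    # Glueless names outside the delegated zone have to be resolved by
    # querying some other zone's authoritative servers.
    foreign = [n for n in names
               if n not in glue and n != zone and not n.endswith("." + zone)]
    resolved = foreign if fetch_cap is None else foreign[:fetch_cap]
    per_zone = Counter(zone_of(n) for n in resolved)
    top_zone, top_count = per_zone.most_common(1)[0] if per_zone else (None, 0)
    return {
        "foreign_glueless": len(foreign),
        "top_target_zone": top_zone,
        # Assumption: the resolver sends one A and one AAAA query per name.
        "lookups_to_top_zone": 2 * top_count,
        # Flag on what the referral asked for, even if a cap limited the effect.
        "suspicious": len(foreign) > max_foreign,
    }

# Constructed sample referrals (reserved .example names, not real traffic).
NORMAL = ("example.org",
          ["ns1.example.org", "ns2.example.org"],
          {"ns1.example.org", "ns2.example.org"})
ABUSIVE = ("attacker.example",
           [f"r{i}.victim.example" for i in range(1500)],
           set())

if __name__ == "__main__":
    for label, ref in (("normal", NORMAL), ("abusive", ABUSIVE)):
        print(label, assess_referral(*ref))
    print("abusive, capped", assess_referral(*ABUSIVE, fetch_cap=5))
```
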