Israeli cybersecurity researchers have disclosed details a couple of new flaw impacting DNS protocol that may be exploited to launch amplified, large-scale distributed denial-of-service (DDoS) attacks to takedown targeted web sites.
Called NXNSAttack, the flaw hinges on the DNS delegation mechanism to force DNS resolvers to generate more DNS queries to authoritative servers of attacker’s choice, doubtlessly causing a botnet-scale disruption to online services.
“We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers’ IP addresses,” the researchers said within the paper.
“We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both, recursive resolvers and authoritative servers.”
Following responsible disclosure of NXNSAttack, several of the businesses answerable for the web infrastructure, including PowerDNS (CVE-2020-10995), CZ.NIC (CVE-2020-12667), Cloudflare, Google, Amazon, Microsoft, Oracle-owned Dyn, Verisign, and IBM Quad9, have patched their software to address the problem.
The DNS infrastructure has been previously on the receiving end of a rash of DDoS attacks through the infamous Mirai botnet, including these against Dyn DNS service in 2016, crippling a few of the world’s greatest sites, including Twitter, Netflix, Amazon, and Spotify.
The NXNSAttack Method
A recursive DNS lookup happens when a DNS server communicates with multiple authoritative DNS servers in a hierarchical sequence to locate an IP address related to a domain (e.g., www.google.com) and return it to the client.
This decision typically starts with the DNS resolver controlled by your ISPs or public DNS servers, like Cloudflare (126.96.36.199) or Google (188.8.131.52), whichever is configured together with your system.
The resolver passes the request to an authoritative DNS name server if it is unable to locate the IP address for a given domain name.
But if the primary authoritative DNS name server also does not hold the specified records, it returns the delegation message with addresses to the subsequent authoritative servers to which DNS resolver can query.
In other words, an authoritative server tells the recursive resolver: “I do not know the answer, go and query these and these name servers, e.g., ns1, ns2, etc., instead”.
This hierarchical process goes on till the DNS resolver reaches the right authoritative server that gives the domain’s IP address, allowing the user to access the specified web site.
Researchers found that these large undesired overheads could be exploited to trick recursive resolvers into forcefully continuously sending a big variety of packets to a targeted domain rather than legitimate authoritative servers.
In order to mount the attack through a recursive resolver, the attacker have to be in possession of an authoritative server, the researchers said.
“This can be easily achieved by buying a domain name. An adversary who acts as an authoritative server can craft any NS referral response as an answer to diﬀerent DNS queries,” the researchers said.
The NXNSAttack works by sending a request for an attacker-controlled domain (e.g., “attacker.com”) to a vulnerable DNS resolving server, which might forward the DNS query to the attacker-controlled authoritative server.
Instead of returning addresses to the precise authoritative servers, the attacker-controlled authoritative server responds to the DNS query with a listing of fake server names or subdomains controlled by the threat actor that points to a victim DNS domain.
The DNS server, then, forwards the query to all of the nonexistent subdomains, creating an enormous surge in traffic to the victim site.
The researchers said the attack can amplify the variety of packets exchanged by the recursive resolver by as a lot as an element of greater than 1,620, thereby overwhelming not only the DNS resolvers with more requests they will handle, but additionally flood the target domain with superfluous requests and take it down.
What’s more, utilizing a botnet such because the Mirai as a DNS client can further augment the size of the attack.
“Controlling and acquiring a huge number of clients and a large number of authoritative NSs by an attacker is easy and cheap in practice,” the researchers said.
“Our initial goal was to investigate the efficiency of recursive resolvers and their behavior under different attacks, and we ended up finding a new seriously looking vulnerability, the NXNSAttack,” the researchers concluded.
“The key ingredients of the new attack are (i) the ease with which one can own or control an authoritative name server, and (ii) the usage of nonexistent domain names for name servers and (iii) the extra redundancy placed in the DNS structure to achieve fault tolerance and fast response time,” they added.
It’s extremely recommended that network administrators who run their very own DNS servers update their DNS resolver software to the newest version.
Source: The Hacker News