Israeli cyber security researchers have discovered details of a new DNS protocol error that could be used to launch advanced, large-scale Distributed Denial of Service (DDoS) attacks to capture targeted websites.
This vulnerability in the DNS delegation mechanism, known as the NXNSA attack, causes DNS resolvers to generate more DNS queries to authoritative servers of an attacker’s choice, which can lead to botnet-wide disruptions of online services. You can check here Outsource hosting support.
We show that in practice the number of DNS messages exchanged in a typical resolution process can be much greater than theoretically expected, mainly due to the proactive resolution of the name server’s IP addresses, as the researchers indicate in their paper.
We show how this inefficiency becomes a bottleneck and can be used to launch a devastating attack on one or both recursive converters and authoritative servers.
Following the responsible announcement of the NXNSA attack, several companies responsible for the Internet infrastructure, including PowerDNS (CVE-2020-10995), CZ.NIC (CVE-2020-12667), Cloudflare, Google, Amazon, Microsoft, Oracle, Dyn, Verisign and IBM Quad9, corrected their software to address the problem.
Previously, the DNS infrastructure was about to disrupt DDoS attacks via Mirai’s infamous botnet, including the 2016 attacks on the DNS Dyn service, which damaged some of the world’s largest sites such as Twitter, Netflix, Amazon and Spotify.
DNS lookup occurs when a DNS server contacts several authoritative DNS servers in a hierarchical order to find the IP address associated with a domain (such as www.google.com) and return it to the client.
This resolution usually starts with a DNS resolver managed by your ISPs or public DNS servers such as Cloudflare (1.1.1) or Google (8.8.8), depending on what is configured on your system.
The resolver forwards the request to the authoritative DNS name server if it cannot find the IP address of that domain name.
However, if the first authoritative DNS name server does not contain the required records either, it sends a delegation message with the addresses of the next authoritative servers that the DNS resolver can request.
In other words, the authoritative server informs the recursive resolver : I don’t know the answer, I’d rather query this nameserver and those, like ns1, ns2 etcetera.
This hierarchical process continues until the DNS resolver reaches the appropriate authoritative server, which specifies the IP address of the domain and gives the user access to the desired website.
The researchers found that these large unwanted overheads could be used to entice recursive resolvers to continuously send large numbers of parcels to the target domain instead of to legitimate authorized servers.
To carry out an attack using a recursive resolver, the investigators believe that an attacker must have an authoritative server.
You can easily do this by purchasing a domain name. According to the researchers, an opponent who acts as an authoritative server can create any NS response to DNS queries diﬀerent.
NXNSAattack works by sending a request to a domain managed by an attacker (such as attacker.com) to a vulnerable DNS resolution server, which forwards a DNS request to an authorized server managed by the attacker.
Instead of forwarding addresses to valid authorized servers, the attacker responds to a DNS query with a list of spoofed names of servers or subdomains controlled by the threat actor that point to the DNS victim.
The DNS server then forwards the request to all non-existent subdomains, resulting in a huge increase in traffic on the victim’s side.
Researchers claim that an attack can increase the number of packets exchanged by the recursive resolver by more than 1620 times, overloading DNS resolvers with a large number of queries they can process, as well as flooding the target domain and confusing it with unnecessary queries.
In addition, using a botnet like Mirai as a DNS client can further increase the scope of the attack.
Managing and recruiting a large number of customers and a large number of serious Nazi stations by an abuser is simple and inexpensive in practice, according to the researchers.
Our first goal was to study the effectiveness of recursive resolvers and their behavior in different attacks, and eventually we discovered a serious new vulnerability – the NXNSA attack – the researchers concluded.
The key elements of the new attack are (i) the ease with which you can own or manage an authoritative name server, (ii) the use of non-existent domain names for name servers, and (iii) the additional redundancy built into the DNS structure to ensure fault tolerance and fast response times, they added.
It is strongly recommended that network administrators update their DNS resolution software to the latest version using their own DNS servers.