Radware, a provider of cyber security and application delivery solutions, has announced that academics from Tel Aviv University and the Interdisciplinary Center (IDC) in Israel have discovered a vulnerability in the implementation of DNS recursive resolvers that can be abused to launch disruptive DDoS attacks against any victim.
The attack leveraging the vulnerability has been dubbed NXNSAttack by the researchers.
Unlike volumetric DDoS floods or application-level DDoS attacks that directly target and impact a host or a service, NXNSAttack targets the domain name resolution capability of its victims.
Like the NXDOMAIN (DNS Water Torture) attack, it is aimed at disrupting the authoritative servers of the victim's domain by overloading them with queries for names that do not exist, delivered as random subdomain floods through recursive DNS resolvers rather than sent to the authoritative servers directly.
The attack is hard to detect and mitigate at the authoritative server because the requests arrive from legitimate recursive DNS servers that also carry real user traffic, so blocking them outright is not an option. By disrupting name resolution for the domain, attackers effectively block access to all services provided under it. New clients cannot resolve the hostnames of the service while the attack lasts because they have no way of locating the IP address to connect to; only clients that still hold a cached answer keep working, and only until its TTL expires.
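Because the queries come from legitimate resolvers, the useful signal at the authoritative server is not the source address alone but the rate of distinct, random-looking names each source asks for. The following heuristic is an added example written for this page, not Radware's or any product's detection logic: it parses constructed BIND-style query-log lines, groups queries per source resolver and time window, and flags windows with many distinct high-entropy labels under the protected zone. The zone name, the addresses, the window size and the thresholds are all illustrative assumptions.

```python
"""Per-resolver random-subdomain flood heuristic over an authoritative
server's query log.  Added example for illustration; the log lines below are
constructed in BIND-style query-log format and the thresholds are assumed."""
import hashlib
import math
import re
from collections import defaultdict
from datetime import datetime

ZONE = "victim.example"            # assumed protected zone
EPOCH = datetime(1970, 1, 1)       # naive reference for window arithmetic

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def _log_line(sec, src, qname, qtype):
    """Build one constructed BIND-style query-log line (synthetic test data)."""
    ts = f"18-May-2020 10:00:{sec:02d}.000"
    return (f"{ts} queries: info: client @0x7f3c2c00 {src}#{40000 + sec} "
            f"({qname}): query: {qname} IN {qtype} -E(0)K (203.0.113.5)")


def constructed_log():
    """Constructed sample: normal traffic from one resolver plus a flood of
    queries for never-existing names relayed by another resolver."""
    lines = []
    for i, name in enumerate(["www", "mail", "www", "api", "mail"]):
        lines.append(_log_line(i, "203.0.113.9", f"{name}.{ZONE}", "A"))
    # Flood: A and AAAA for 30 opaque hex labels within ten seconds.
    for i in range(30):
        label = hashlib.sha256(f"fake{i}".encode()).hexdigest()[:12]
        for qtype in ("A", "AAAA"):
            lines.append(_log_line(i % 10, "198.51.100.7", f"{label}.{ZONE}", qtype))
    return lines


def parse_line(line):
    """Return a dict with ts, src, qname, qtype, or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec


def label_entropy(label):
    """Shannon entropy in bits per character of a DNS label; random-looking
    labels score high, dictionary words low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_floods(lines, zone, window_s=10, min_distinct=20, min_entropy=2.5):
    """Group queries under `zone` by (source resolver, time window) and flag
    windows holding at least `min_distinct` distinct names whose first labels
    average at least `min_entropy` bits/char.  Returns a list of
    (src, window_start_epoch_seconds, distinct_names, mean_entropy)."""
    suffix = "." + zone
    buckets = defaultdict(dict)                 # (src, window) -> {qname: entropy}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["qname"].endswith(suffix):
            continue
        secs = int((rec["ts"] - EPOCH).total_seconds())
        window = secs // window_s * window_s
        first_label = rec["qname"][: -len(suffix)].split(".")[0]
        buckets[(rec["src"], window)][rec["qname"]] = label_entropy(first_label)
    flagged = []
    for (src, window), names in buckets.items():
        if len(names) >= min_distinct:
            mean_ent = sum(names.values()) / len(names)
            if mean_ent >= min_entropy:
                flagged.append((src, window, len(names), round(mean_ent, 2)))
    return flagged


if __name__ == "__main__":
    for src, window, n, ent in find_floods(constructed_log(), ZONE):
        print(f"{src}: {n} distinct random-looking names in window {window} "
              f"(mean label entropy {ent} bits/char)")
```

A flagged source should be rate-limited (for example with response rate limiting) rather than blocked, since the same resolver serves legitimate clients of the zone; the output here identifies which resolvers to throttle and which name patterns to report to their operators.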
Unlike the limited 3x packet amplification factor of the NXDOMAIN attack, NXNSAttack provides packet amplification factors ranging from 74x when attacking a second-level domain (victim.com) up to 1621x when targeting a recursive resolver.
The bandwidth amplification factors range between 21x for second-level domain attacks and 163x when targeting a recursive resolver. Targeting root and top-level domain servers results in a packet amplification factor of 1071x and a bandwidth amplification factor of 99x. With high amplification rates and flexible targeting, NXNSAttack is a very capable attack vector that can be performed at scale.
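The amplification comes from how a recursive resolver handles a delegation: when an authoritative server under the attacker's control answers a query with a referral listing many nameserver names that carry no glue addresses and that sit inside the victim's zone, an unpatched resolver tries to resolve every one of those names, sending an A and an AAAA query per name to the victim's authoritative servers, so one attacker query fans out into many victim-bound packets. The model below is an added illustration written for this page, not code from Radware or from the researchers; it reduces resolver behaviour to that single rule and shows why the vendor fixes, which cap how many nameserver names a resolver will chase per referral, bound the factor. The zone names, the number of NS names and the cap value are assumptions.

```python
"""Simplified model of a recursive resolver following a delegation whose
nameserver names have no glue, and of the packet amplification that results.
Added illustration, not the researchers' or any resolver's code."""
from dataclasses import dataclass, field


@dataclass
class Referral:
    """A delegation response: the delegated zone, the NS names the resolver is
    told to use, and any glue (NS name -> address) supplied with them."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)


def follow_referral(ref, max_ns_fetches=None):
    """Return the (qname, qtype) queries a resolver issues to learn the
    addresses of the nameservers in `ref`.

    Unglued NS names must be resolved before the delegated zone can be queried.
    With no cap the resolver asks for both A and AAAA of every one of them (the
    behaviour NXNSAttack exploited); a patched resolver stops after
    `max_ns_fetches` names.  Glued names are treated as fully resolved."""
    unglued = [n for n in ref.ns_names if n not in ref.glue]
    if max_ns_fetches is not None:
        unglued = unglued[:max_ns_fetches]
    return [(n, qtype) for n in unglued for qtype in ("A", "AAAA")]


def victim_load(queries, victim_zone):
    """Count queries that land on the authoritative servers of `victim_zone`
    (every name under that zone is routed there)."""
    suffix = "." + victim_zone
    return sum(1 for qname, _ in queries if qname.endswith(suffix))


def packet_amplification(ref, victim_zone, max_ns_fetches=None):
    """Packets received by the victim's authoritative servers per query the
    attacker sends to the resolver (the single query that triggers `ref`)."""
    queries = follow_referral(ref, max_ns_fetches)
    return victim_load(queries, victim_zone) / 1


def attacker_referral(attacker_zone, victim_zone, n):
    """Constructed referral an attacker-controlled authoritative server for
    `attacker_zone` would return: n nameserver names inside the victim's zone,
    none of which exist and none of which carry glue."""
    return Referral(
        zone="sub." + attacker_zone,
        ns_names=[f"ns{i}.{victim_zone}" for i in range(n)],
    )


if __name__ == "__main__":
    ref = attacker_referral("attacker.example", "victim.example", n=20)
    for cap in (None, 5):   # None: unpatched resolver; 5: assumed per-referral cap
        q = follow_referral(ref, cap)
        print(f"cap={cap!s:>4}: resolver sends {len(q)} queries, "
              f"{victim_load(q, 'victim.example')} reach the victim, "
              f"PAF={packet_amplification(ref, 'victim.example', cap):.0f}x")
```

The factor grows linearly with the number of unglued names the attacker packs into one referral (two packets per name), which is why the fix is a per-referral limit on nameserver address fetches rather than anything the victim can configure; the published figures are larger than this single-level model because the researchers chain referrals and count the victim's responses as well.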
The researchers disclosed the vulnerability to DNS software vendors and resolver operators before making it public, and fixes were available by the time of the announcement.
The following DNS server implementations had a fix available at the moment of disclosure: ISC BIND (CVE-2020-8616), NLnet Labs Unbound (CVE-2020-12662), PowerDNS Recursor (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667).
In addition, the following open DNS recursive resolver providers have updated their services to prevent the vulnerability from being used for DDoS attacks: Cloudflare, Google, Amazon, Microsoft, Oracle (Dyn), Verisign, Quad9, and ICANN. Other software and service providers have followed the announcement with fixes and patches.
However, it is safe to assume that not all recursive resolvers, public or private, have been patched, or ever will be.
Exposure is not limited to public recursive resolvers: private recursive resolvers at ISPs, in clouds and inside organizations are affected in the same way.
Malicious actors have used various kinds of bots in the past to launch random subdomain flood attacks, and the same bots can be used to conduct an NXNSAttack against any victim, regardless of who owns the resolvers the attack passes through. Easy access to source code for botnets such as Mirai, which support random subdomain floods out of the box, adds to the potential for these disruptive DDoS attacks.
Victims have little visibility into the risk they are exposed to. Any component of the authoritative DNS infrastructure, including the second-level domain (victim.com), the top-level domain (.com, .info, ...) and the root name servers ('.'), can be disrupted through recursive DNS resolvers that are outside their control. Victims are at the mercy of DNS service providers.