A team of academics from Israel has disclosed today details about NXNSAttack, a vulnerability in DNS servers that can be abused to launch DDoS attacks of massive proportions.
According to the research team, NXNSAttack impacts recursive DNS servers and the process of DNS delegation.
Recursive DNS servers are DNS systems that pass DNS queries upstream in order to be resolved and converted from a domain name into an IP address.
These conversions take place on authoritative DNS servers, the servers that contain a copy of the DNS record, and are authorized to resolve it.
However, as a safety mechanism part of the DNS protocol, authoritative DNS servers can also “delegate” this operation to alternative DNS servers of their choosing.
New NXNSAttack explained
In a research paper published today, academics from the Tel Aviv University and The Interdisciplinary Center in Herzliya, Israel, said they found a way to abuse this delegation process for DDoS attacks.
The NXNSAttack technique has different facets and variations, but the basic steps are detailed below:
1) An attacker sends a DNS query to a recursive DNS server. The request is for a domain like “attacker.com,” which is managed through an attacker-controlled authoritative DNS server.
2) Since the recursive DNS server is not authorized to resolve this domain, it forwards the operation to the attacker’s malicious authoritative DNS server.
3) The malicious DNS server replies to the recursive DNS server with a message that equates to “I’m delegating this DNS resolving operation to this large list of name servers.” The list contains thousands of subdomains for a victim website.
4) The recursive DNS server forwards the DNS query to all the subdomains on the list, creating a surge in traffic for the victim’s authoritative DNS server.
NXNSAttack has a huge amplification factor
The research team says that an attacker using NXNSAttack can amplify a simple DNS query from 2 to 1,620 times its initial size, creating a massive spike in traffic that can crash a victim’s DNS server.
Once the DNS server goes down, this also prevents users from accessing the attacked website, as the site’s domain can’t be resolved anymore.
The research team says the NXNSAttack packet amplification factor (PAF) depends on the DNS software running on a recursive DNS server; however, in most cases, the amplification factor is many times larger than other DDoS amplification (reflection) attacks, where the PAF is usually between lowly values of 2 and 10.
This large PAF implies that NXNSAttack is one of the most dangerous DDoS attack vectors known to date, having the ability to launch debilitating attacks with only a few devices and automated DNS queries.
Patches available for DNS software
The Israeli researchers said they’ve been working for the past few months with the makers of DNS software, content delivery networks, and managed DNS providers to apply mitigations to DNS servers across the world.
Impacted software includes the likes of ISC BIND (CVE-2020-8616), NLnet labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667), but also commercial DNS services provided by companies like Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9, and ICANN.
Patches have been released today and over the previous weeks. They include mitigations that prevent attackers from abusing the DNS delegation process to flood other DNS servers.
Server administrators who run their own DNS servers are advised to update DNS resolver software to the latest version.
The research team’s work has been detailed in an academic paper entitled “NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities,” available for download in PDF format.