A team of academics from Israel has released details of NXNSAttack, a new vulnerability in DNS servers that can be used for large-scale DDoS attacks. According to the researchers, NXNSAttack affects recursive DNS servers and the DNS delegation process. Recursive DNS servers are DNS systems that pass DNS queries upstream so that a domain name can be resolved into an IP address. The actual resolution is performed by authoritative DNS servers, which hold a copy of the DNS record and are authorized to answer for it. However, as part of the DNS protocol's design, authoritative DNS servers can also "delegate" this task to other DNS servers of their choice.
In a recent study, academics from Tel Aviv University and the Interdisciplinary Center in Herzliya, Israel, said they had found a way to abuse this delegation process for DDoS attacks. The NXNSAttack technique has several aspects and variations, but the key steps are the following:
- An attacker sends a DNS query to a recursive DNS server. The query concerns a domain such as "attacker.com", which is served by an authoritative DNS server under the attacker's control.
- If the recursive DNS server is not authoritative for this domain, it forwards the query to the attacker's malicious authoritative DNS server.
- The malicious DNS server responds to the recursive DNS server with a message saying, in effect, "I delegate resolution of this name to this long list of name servers". The list contains thousands of subdomains of a single site, the victim's.
- The recursive DNS server forwards the DNS query to all the subdomains in the list, creating a surge of traffic to the victim's authoritative DNS server.
The research team reports that an attacker exploiting NXNSAttack can amplify a simple DNS query to between 2 and 1,620 times its original size, creating a huge surge of traffic that could crash a victim's DNS server. Once the DNS server goes down, users can no longer reach the attacked site, because its domain can no longer be resolved. The research team also points out that the packet amplification factor (PAF) of NXNSAttack depends on the DNS software running on the recursive DNS server. In most cases, however, the amplification factor is many times higher than in other DDoS amplification attacks, where the PAF is usually between 2 and 10. This PAF makes NXNSAttack one of the most dangerous DDoS attack vectors known to date, capable of carrying out crippling attacks.
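The delegation steps and the amplification figures above can be made concrete with a small resolver model. The following is an added example, not code from the researchers or from any DNS implementation: it models a referral (a list of NS names, with or without glue addresses), counts the follow-up address lookups a resolver would send, shows the effect of capping glueless NS lookups as the patches do, and flags the many-glueless-names-in-one-foreign-zone shape of an NXNSAttack referral. The zone names, the cap of 5 and the threshold of 20 are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Referral:
    """An authoritative server's answer of the form 'ask these name servers'."""
    zone: str                 # the delegated zone, e.g. "attacker.example"
    ns_names: list[str]       # NS names the resolver is told to contact
    glue: dict[str, str] = field(default_factory=dict)  # NS name -> IP, if supplied


def glueless_names(ref: Referral) -> list[str]:
    """NS names that have no glue address and so must be resolved first."""
    return [ns for ns in ref.ns_names if ns not in ref.glue]


def followup_queries(ref: Referral, max_ns_lookups: Optional[int]) -> int:
    """Extra queries (one A and one AAAA per glueless NS name) a resolver sends
    to the zone hosting the NS names. None models an unpatched resolver that
    chases every name; an integer models a patched resolver that stops after
    that many NS lookups (the cap value itself is an assumption)."""
    names = glueless_names(ref)
    if max_ns_lookups is not None:
        names = names[:max_ns_lookups]
    return 2 * len(names)


def suspicious_referral(ref: Referral, threshold: int = 20) -> bool:
    """Detection heuristic: many glueless NS names, all under one zone that is
    not the delegated zone, is the shape of an NXNSAttack referral."""
    names = glueless_names(ref)
    if len(names) < threshold:
        return False
    parents = {ns.split(".", 1)[1] for ns in names if "." in ns}
    return len(parents) == 1 and ref.zone not in parents


# Constructed sample data (hypothetical zones, not from the paper).
ATTACK_REFERRAL = Referral(
    zone="attacker.example",
    ns_names=[f"fake{i}.victim.example" for i in range(1000)],
)
NORMAL_REFERRAL = Referral(
    zone="example.org",
    ns_names=["ns1.example.org", "ns2.example.org"],
    glue={"ns1.example.org": "192.0.2.1", "ns2.example.org": "192.0.2.2"},
)
```

With no cap, a single client query turns into 2,000 queries toward victim.example; with the cap it turns into 10, which is the order of magnitude of ordinary amplification attacks.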
In addition, the Israeli researchers say they have been working in recent months with DNS software developers, content delivery networks and managed DNS providers to get patches applied to DNS servers around the world. The affected software includes ISC BIND (CVE-2020-8616), NLnet Labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995) and CZ.NIC Knot Resolver (CVE-2020-12667), as well as commercial DNS services provided by companies such as Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9 and ICANN. These patches have been released recently and include mitigations that prevent attackers from abusing the DNS delegation process to attack other DNS servers. Finally, administrators running their own DNS servers are advised to update their DNS resolver software to the latest version.