NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities
About the Project
Joint work with Tel-Aviv University’s Prof. Anat Bremler-Barr and PhD student Lior Shafir.
We exposed a new vulnerability and introduced a corresponding attack, the NoneXistent Name Server Attack (NXNSAttack), that disrupts and may paralyze the DNS system, making it difficult or impossible for Internet users to reach websites, web e-mail, online video chats, or any other online resource.

The NXNSAttack generates a storm of packets between DNS recursive resolvers and DNS authoritative name servers. The storm is produced by the way resolvers handle unrestricted referral responses from authoritative name servers: an attacker-controlled authoritative server answers a query with a referral that lists many name servers, all placed under the victim's domain and none of which exist, and the resolver tries to look up every one of them, flooding the victim's authoritative servers with queries that can only be answered with NXDOMAIN.

The attack is significantly more destructive than NXDomain attacks (e.g., the 2016 Mirai attack): (i) it reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver; (ii) in addition to the negative cache, it also saturates the 'NS' section of the resolver cache. Corresponding enhancements that mitigate the vulnerability, in particular a bound on how many name servers a resolver will chase per referral, are suggested.

Following the discovery of the attack, a responsible disclosure procedure was carried out, and several DNS vendors and public providers have issued CVEs and patched their systems.
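The following toy model illustrates the fan-out described above. It is an added example written for this page, not code from the NXNSAttack project or its authors; the zone names (attacker.example, victim.example, the fake NS names), the Referral/Authoritative/Resolver classes and the way packets are counted are all constructed assumptions. The unbounded resolver turns one client query into an A and an AAAA lookup for every glue-less NS name in the referral, all of which land on the victim; the max_fetch knob shows how a per-referral cap on glue-less NS lookups, the kind of bound the mitigation suggests, limits the damage.

```python
"""Toy model of the NXNSAttack referral fan-out.

Added illustration; not code from the NXNSAttack project or its authors. The
zone names, the Referral/Authoritative/Resolver classes and the packet counting
are constructed assumptions that follow the mechanism described in the text:
an attacker-controlled authoritative server answers with a referral whose NS
names all sit under the victim's domain and carry no glue addresses, so the
resolver must look every one of them up at the victim before it can proceed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


@dataclass
class Referral:
    """Delegation response: delegated zone, its NS names, optional glue (name -> IP)."""
    zone: str
    ns_names: List[str]
    glue: Dict[str, str] = field(default_factory=dict)


@dataclass
class Authoritative:
    """Stand-in for an authoritative server; counts the packets it exchanges."""
    name: str
    answers: Dict[str, str]                 # qname -> IP; anything absent is NXDOMAIN
    referrals: Dict[str, Referral]          # zone suffix -> referral handed out for it
    packets: int = 0

    def query(self, qname: str, rrtype: str) -> Union[Referral, str, None]:
        self.packets += 2                   # one request in, one response out
        for suffix, ref in self.referrals.items():
            if qname.endswith("." + suffix):
                return ref
        return self.answers.get(qname)      # None models an NXDOMAIN answer


@dataclass
class Resolver:
    """Minimal recursive resolver that follows referrals.

    max_fetch caps how many glue-less NS names are resolved per referral;
    None means unlimited, which is the behaviour the attack exploits.
    """
    servers: Dict[str, Authoritative]       # zone suffix -> authoritative server
    max_fetch: Optional[int] = None
    packets: int = 0

    def _server_for(self, qname: str) -> Authoritative:
        longest = max((s for s in self.servers if qname.endswith("." + s)), key=len)
        return self.servers[longest]

    def resolve(self, qname: str, rrtype: str = "A", depth: int = 0) -> Optional[str]:
        if depth > 4:                       # guard against referral loops in the toy
            return None
        self.packets += 2
        result = self._server_for(qname).query(qname, rrtype)
        if not isinstance(result, Referral):
            return result
        # Referral: an address is needed for the NS names. Glue is free, but
        # every glue-less NS name costs an A and an AAAA lookup of its own, and
        # a non-existent name yields NXDOMAIN for both.
        to_chase = [n for n in result.ns_names if n not in result.glue]
        if self.max_fetch is not None:
            to_chase = to_chase[: self.max_fetch]
        for ns in to_chase:
            for ns_rrtype in ("A", "AAAA"):
                self.resolve(ns, ns_rrtype, depth + 1)
        return None                         # no NS ever became reachable


def simulate(n_fake_ns: int, max_fetch: Optional[int] = None) -> Dict[str, float]:
    """Run one client query through the model and return the packet counts."""
    fake_ns = [f"fake{i}.victim.example" for i in range(n_fake_ns)]  # constructed names
    attacker = Authoritative(
        name="ns.attacker.example", answers={},
        referrals={"sd1.attacker.example": Referral("sd1.attacker.example", fake_ns)})
    victim = Authoritative(name="ns.victim.example", answers={}, referrals={})
    resolver = Resolver({"attacker.example": attacker, "victim.example": victim},
                        max_fetch=max_fetch)
    resolver.resolve("www.sd1.attacker.example")
    return {
        "resolver_packets": resolver.packets,
        "victim_packets": victim.packets,
        # relative to the 2 packets exchanged between client and resolver
        "amplification": resolver.packets / 2,
    }


if __name__ == "__main__":
    for k in (None, 2):
        print(f"max_fetch={k}:", simulate(100, max_fetch=k))
```

The model counts exactly one A and one AAAA query per NS name, with no retransmissions, timeouts or caching, so its amplification factor is a lower bound on what a real resolver does with the same referral; the 1620x figure quoted above is a measurement against real resolver implementations, not an output of this toy.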