NXNSAttack, a new vulnerability in DNS servers, can make DDoS attacks 1620 times more powerful
Security researchers from Israel have discovered a new vulnerability called NXNSAttack. The NXNSAttack vulnerability in DNS servers exploits the way DNS recursive resolvers operate, and it can be abused by hackers and cybercriminals to launch DDoS attacks of massive proportions. In an example DDoS run by the research team, a single query was amplified a whopping 1620 times using this vulnerability. This vulnerability should be added to the 25 DDoS attack types we already know of.
The research team consisted of the following academics from Israel:
- Lior Shafir, Tel Aviv University
- Yehuda Afek, Tel Aviv University
- Anat Bremler-Barr, The Interdisciplinary Center, Herzliya
According to their investigation, NXNSAttack exploits recursive DNS servers and the process of DNS delegation. Recursive DNS servers are DNS systems that pass DNS queries upstream to be resolved, that is, converted from a domain name into an IP address. These conversions take place on authoritative DNS servers, the servers that hold the DNS records for a zone and are authorized to answer for it. An authoritative DNS server can delegate this authority to other name servers. This delegation can be misused by hackers to massively amplify DDoS attacks.
What is NXNSAttack?
NXNSAttack uses a flaw in how DNS servers handle recursive queries. The researchers have detailed how NXNSAttack works in their investigation here. In short, an attacker who controls an authoritative DNS server answers a query with a referral that delegates the name to many name servers located in the victim's domain, without supplying their IP addresses, so the recursive resolver has to send a separate query to the victim's authoritative server for each of them. The attacker can thus make the recursive DNS server forward a flood of queries to the victim domain, creating a surge in traffic for the victim's authoritative DNS server.
The researchers say that the potential of NXNSAttack is huge. Attackers can amplify a simple DNS query to between 2 and 1,620 times its initial size, creating a massive spike in traffic that can crash a victim's DNS server.
Fix for NXNSAttack
The research team said that they have been in contact with the makers of DNS software, content delivery networks, and managed DNS providers to apply mitigations to DNS servers across the world. Impacted software includes the likes of ISC BIND (CVE-2020-8616), NLnet Labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667), but also commercial DNS services provided by companies like Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9, and ICANN.
These vendors released their respective patches yesterday and over the previous weeks. The patches prevent attackers from misusing the delegation from authoritative DNS servers to other servers.
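To illustrate both the amplification mechanism described above and why the patches work, here is a small added simulation; it is not code from the researchers or from any DNS vendor. It models a recursive resolver following a referral that lists many name servers under a victim zone without their IP addresses (glue), counts the lookups that reach the victim, and shows the effect of a per-referral cap on the number of NS names the resolver will look up, which is the approach patched resolvers took. The zone names, the `Referral` type and the cap value are constructed assumptions.

```python
"""Toy model of NXNSAttack amplification and of the per-referral cap that mitigates it.

Constructed example: the resolver, the referral format and the zone names are
assumptions for illustration, not the behaviour of any specific DNS software.
"""
from dataclasses import dataclass, field


@dataclass
class Referral:
    """A delegation response: the NS names for a zone plus any glue (NS name -> IP)."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)


def parent_zone(name):
    """Zone whose authoritative server must be asked to resolve an NS name."""
    return name.split(".", 1)[1]


def lookups_caused(ref, max_ns_lookups=None):
    """Return {zone: number of lookups} a resolver sends while following one referral.

    Every NS name without glue needs its own address lookup (one per name is
    assumed here; real resolvers may ask for both A and AAAA).  A resolver with
    a cap stops after max_ns_lookups names, bounding the amplification.
    """
    unglued = [n for n in ref.ns_names if n not in ref.glue]
    if max_ns_lookups is not None:
        unglued = unglued[:max_ns_lookups]
    counts = {}
    for name in unglued:
        zone = parent_zone(name)
        counts[zone] = counts.get(zone, 0) + 1
    return counts


def wide_referral(victim_zone, n):
    """Constructed referral delegating to n name servers inside victim_zone, no glue."""
    return Referral(zone="delegating.example",
                    ns_names=[f"ns{i}.{victim_zone}" for i in range(n)])


if __name__ == "__main__":
    ref = wide_referral("victim.example", 100)
    print("uncapped resolver:", lookups_caused(ref))          # 100 lookups at the victim
    print("capped resolver:  ", lookups_caused(ref, 20))      # bounded to 20
```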