DNS Vulnerability Enables Huge Amplification for DDoS

Researchers at Tel Aviv University and the Interdisciplinary Center (IDC) Herzliya, Israel, recently disclosed a vulnerability in the way recursive DNS resolvers handle referrals that could be used to launch Distributed Denial of Service (DDoS) attacks of massive proportions. Their NXNSAttack turns a single DNS query into anywhere from 2 to 1,620 packets aimed at the victim, depending on the resolver software involved, enough to overwhelm a victim's authoritative DNS server or the resolver itself. For comparison, LDAP is considered one of the highest-amplification reflection vectors in use; Corero has seen an average factor of 46x and a peak of 55x for spoofed Connectionless LDAP (CLDAP, LDAP over UDP) attacks. Note that the two figures measure different things: reflection numbers like the CLDAP ones are normally quoted as bandwidth amplification (response bytes per request byte), whereas the researchers measure packet amplification (packets the resolver sends on to the victim per attacker query).

The researchers’ findings were published in an academic paper titled NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities, which explains that “The NXNSAttack exploits the way DNS recursive resolvers operate when receiving NS referral response that contains nameservers but without their corresponding IP addresses (i.e., missing glue-records).” In practice, the attacker runs an authoritative server for a domain they control and answers a resolver's query with a referral listing a long list of nameserver names under the victim's domain, none of them with glue addresses. The resolver, having no IP addresses for those nameservers, dutifully sends address lookups for every one of them to the victim's authoritative servers, and is itself tied up doing so. The key difference from classic reflection attacks is that the attacker does not spoof a third party's address and bounce large responses at it; instead the DNS infrastructure is leveraged to attack itself, with the recursive resolver acting as the amplifier and either the victim's authoritative server or the resolver as the target.
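The following is an added illustration of the mechanism described above, not code from the NXNSAttack paper or from any resolver. It models a recursive resolver that follows a referral, counts the packets it sends to the victim's authoritative server for a glueless referral with many nameserver names, and then shows the effect of capping how many glueless NS names the resolver will chase per referral (the idea behind the MaxFetch(k) mitigation the paper discusses). The zone names, the cap value and the one-server-per-domain mapping are illustrative assumptions; real resolvers also retry, cache and resolve names in parallel, which this model omits.

```python
# Added example: simplified model of NXNSAttack packet amplification.
# Not code from the paper or from any real resolver; zone names, the
# cap value and the server mapping are illustrative assumptions.
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Referral:
    """An NS referral as returned by an authoritative server."""
    zone: str                # zone being delegated, e.g. "attacker.example."
    ns_names: List[str]      # nameserver names in the NS RRset
    glue: Dict[str, str]     # ns name -> IP address; empty when glue is missing


def authoritative_server_for(name: str) -> str:
    """Map a name to the server responsible for its second-level domain.

    Assumption: each second-level domain has one authoritative server,
    identified here by the zone name. Stands in for real delegation lookups.
    """
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


@dataclass
class Resolver:
    """Minimal model of how a recursive resolver handles a referral."""
    max_glueless_fetches: Optional[int] = None  # None = unbounded (pre-patch)
    sent: Counter = field(default_factory=Counter)  # server -> packets sent

    def follow_referral(self, referral: Referral) -> Counter:
        fetched = 0
        for ns in referral.ns_names:
            if ns in referral.glue:
                continue  # glue present: the address is already known
            if (self.max_glueless_fetches is not None
                    and fetched >= self.max_glueless_fetches):
                break     # mitigation: stop chasing further glueless names
            # No address for this nameserver: the resolver looks it up,
            # sending an A and an AAAA query to whoever is authoritative for it.
            self.sent[authoritative_server_for(ns)] += 2
            fetched += 1
        return self.sent


def malicious_referral(n: int, victim_zone: str = "victim.example.",
                       attacker_zone: str = "attacker.example.") -> Referral:
    """Referral the attacker's authoritative server returns: n nameserver
    names under the victim's zone and no glue, so every name must be looked
    up at the victim's authoritative server."""
    names = [f"fake{i}.{victim_zone}" for i in range(n)]
    return Referral(zone=attacker_zone, ns_names=names, glue={})


def benign_referral() -> Referral:
    """Ordinary delegation with in-bailiwick glue: no extra lookups needed."""
    return Referral(zone="shop.example.",
                    ns_names=["ns1.shop.example.", "ns2.shop.example."],
                    glue={"ns1.shop.example.": "192.0.2.1",
                          "ns2.shop.example.": "192.0.2.2"})


def packets_to(referral: Referral, target_zone: str,
               cap: Optional[int] = None) -> int:
    """Packets the resolver sends to target_zone's server for one referral."""
    return Resolver(max_glueless_fetches=cap).follow_referral(referral)[target_zone]


def packet_amplification(n_ns: int, cap: Optional[int] = None) -> int:
    """Packets sent to the victim per single attacker query (one query in)."""
    return packets_to(malicious_referral(n_ns), "victim.example.", cap)


if __name__ == "__main__":
    print("benign referral, packets to shop.example.:",
          packets_to(benign_referral(), "shop.example."))
    print("malicious referral, 135 NS names, no cap:", packet_amplification(135))
    print("same referral with cap of 5 glueless fetches:",
          packet_amplification(135, cap=5))
```

With no cap, every nameserver name in the referral costs the victim two packets (A and AAAA), so the amplification grows linearly with the number of names the attacker can fit into one response; the cap turns that into a small constant. A resolver that had to fetch the NS addresses in a second, nested referral would multiply the count again, which is how the paper reaches figures far above what a single referral produces here.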

DNS software vendors, content delivery networks and managed DNS providers around the world have been working with the Tel Aviv University researchers to patch the vulnerability and add mitigations to their DNS services. According to ZDNet: “Patches have been released today [May 19, 2020] and over the previous weeks. They include mitigations that prevent attackers from abusing the DNS delegation process to flood other DNS servers. Server administrators who run their own DNS servers are advised to update all DNS resolver software to the latest version.” In practice that means confirming the running resolver version includes the fix and, where the software exposes such a setting, limiting the number of glueless nameserver names a resolver will chase for a single referral.

Cybercriminals are constantly looking for creative ways to exploit weaknesses in Internet protocols, which fuels the continued growth in DDoS attack frequency and sophistication. Fortunately, in this case, it seems the “white hats” found the vulnerability before any threat actors did.

While this discovery is the latest example of the potential for extremely large-volume DDoS attacks, the vast majority (98%) are relatively small and do not saturate Internet links. High-volume, brute-force attacks may make news headlines, but they are the outliers; smaller sub-saturating attacks are now much more common and just as damaging. Organizations must guard against both large and small attacks to ensure business continuity.

The latest generation of DDoS solutions can achieve this automatically, blocking attacks of all sizes in a few seconds, or less.  For the relatively rare occasions when an attack does increase to the point where links are at risk of saturation, a fully integrated hybrid DDoS protection solution can deliver the optimal mix of fast and accurate always-on protection, with coordinated automatic cloud backup, to ensure even the largest of attacks is not successful.

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean was network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Before that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.