NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities

Paper 2020/722

NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities

Yehuda Afek, Anat Bremler-Barr, and Lior Shafir

Abstract

This paper exposes a new vulnerability and introducesa corresponding attack, the NoneXistent Name ServerAttack (NXNSAttack), that disrupts and may paralyzethe DNS system making it difficult or impossible for In-ternet users to access websites, web e-mail, online videochats, or any other online resource. The NXNSAttackgenerates a storm of packets between DNS resolvers andDNS authoritative name servers. The storm is producedby the response of resolvers to unrestricted referral re-sponse messages of authoritative name servers. Theattack is significantly more destructive than NXDomainattacks (e.g., the Mirai attack): i) It reaches an am-plification factor of more than 1620x on the numberof packets exchanged by the recursive resolver. ii) Inaddition to the negative cache, the attack also satu-rates the ‘NS’ resolver caches. To mitigate the attackimpact, we propose an enhancement to the recursiveresolver algorithm, MaxFetch(k), that prevents unnec-essary proactive fetches. We implemented MaxFetch(1)mitigation enhancement on a BIND resolver and testedit on real-world DNS query datasets. Our results showthat MaxFetch(1) degrades neither the recursive resolverthroughput nor its latency. Following the discovery of theattack, a responsible disclosure procedure was carriedout, and several DNS vendors and public providers haveissued a CVE and patched their systems.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. USENIX Security 2020
Keywords
DNSDDoS attackRandom attack
Contact author(s)
yehuda afek @ gmail com
History
2020-06-23: revised
2020-06-16: received
See all versions
Short URL
https://ia.cr/2020/722
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/722,
      author = {Yehuda Afek and Anat Bremler-Barr and Lior Shafir},
      title = {{NXNSAttack}: Recursive {DNS} Inefficiencies and Vulnerabilities},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/722},
      year = {2020},
      url = {https://eprint.iacr.org/2020/722}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.