In detail, the attack exploits the way the resolvers work when receiving NS referral response that contains nameservers but without their corresponding IP addresses. In layman’s terms, this new attack, which has been dubbed NXNSAttack, impacts recursive DNS servers and the process of DNS delegation.
NXNSAttack: How Does It Work?
First of all, what is a recursive DNS server? It is a DNS system that passes DNS queries upstream with the purpose of resolving and converting them from a domain name to an IP address. The conversions are happening on authoritative DNS servers, containing a copy of the DNS record and authorized to resolve it. There is, however, a safety mechanism within the DNS protocol which allows authoritative DNS servers to delegate this operation to alternative DNS servers.
This is where the new NXNSAttack comes in place. According to researchers at the Tel Aviv University and The Interdisciplinary Center in Herzliya, Israel, there is a way to abuse the delegation process and deploy it in DDoS attacks. Following this discovery, the researchers performed a “responsible coordinated disclosure procedure”, and released their detailed report. As a result of this disclosure, a number of DNS software vendors and service providers have adopted measures to protect against the destructive measures of the NXNSAttack.
According to the report:
The NXNSAttack is a new vulnerability that exploits the way DNS recursive resolvers operate when receiving NS referral response that contains nameservers but without their corresponding IP addresses (i.e., missing glue-records). The number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers’ IP addresses. This inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both, recursive resolvers and authoritative servers.
It is noteworthy that the NXNSAttack appears to be more effective than the NXDomain attack due to two reasons. First, the attack reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver. And second, besides the negative cache, the attack also saturates the ’NS’ resolver caches.
The researchers have been working tirelessly for months with several DNS software vendors, content delivery networks, and managed DNS providers to apply mitigations to DNS servers on a global scale.
What software is impacted by the NXNSAttack?
The vulnerabilities are located in ISC BIND, known as CVE-2020-8616); NLnet labs Unbound, known as CVE-2020-12662; PowerDNS, known as CVE-2020-10995, and CZ.NIC Knot Resolver, or CVE-2020-12667. However, commercial DNS services by Cloudflare, Google, Amazon, Oracle (DYN), Microsoft, IBM Quad9, ICANN, and Verisign are also impacted.
The good news is that patches addressing the issues are already made available. By applying them, server admins will prevent attackers from exploiting the DNS delegation process to flood other DNS servers.
In 2015, a rare DDoS on the Internet’s DNS root servers was registered. The attacks caused about five million queries per second per DNS root name server. The threat actors behind the DDoS were unknown, as the IP source addresses were easily spoofed. In addition, the source IP addresses applied in the attacks were spread in a skillful and arbitrary manner throughout the IPv4 address space.