In May, Tel Aviv University published findings on a new type of DNS Distributed Denial of Service (DDoS) attack called NXNSAttack, a vulnerability in DNS servers that can be abused to launch DNS DDoS attacks on a huge scale.
An NXNSAttack works as follows:
1) An attacker sends a DNS query to a recursive DNS server for a random domain name in a zone managed by an attacker-controlled authoritative DNS server.
2) As the recursive DNS server is not authoritative for the queried name, it forwards the query to the attacker's malicious authoritative DNS server.
3) The malicious DNS server replies to the recursive DNS server with a message that makes it query thousands of the victim's website subdomains, creating a surge in traffic for the victim's authoritative DNS server.
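To make the fan-out in step 3 concrete, here is an added model (not code from the paper or from any resolver project) of a recursive resolver following a delegation whose nameserver names all point into the victim's domain and carry no glue addresses. It shows why one client query becomes many queries at the victim, how a per-delegation cap on glueless nameserver lookups (the mitigation patched resolvers adopted; the cap value here is a constructed choice) bounds that, and the out-of-bailiwick signature a defender can check for. All domain names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Referral:
    """Delegation response: the zone being delegated and its NS names.
    `glue` maps an NS name to an address only when the response carried glue."""
    zone: str
    ns_names: List[str]
    glue: Dict[str, str] = field(default_factory=dict)

@dataclass
class Resolver:
    """Minimal resolver model: follows a referral by looking up each glueless NS.
    max_glueless is None for an unpatched resolver, or the per-delegation cap
    a patched resolver enforces (the numeric cap is an assumed, constructed value)."""
    max_glueless: Optional[int] = None
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def follow(self, ref: Referral) -> int:
        """Return how many address lookups ONE referral makes this resolver send."""
        fetched = 0
        for ns in ref.ns_names:
            if ns in ref.glue:
                continue            # glue present: no extra query needed
            if self.max_glueless is not None and fetched >= self.max_glueless:
                break               # patched behaviour: stop fanning out
            self.sent.append(("A", ns))
            fetched += 1
        return fetched

def out_of_bailiwick(ref: Referral) -> List[str]:
    """Glueless NS names outside the delegated zone: each one forces a query to
    some other authoritative server (the victim's, in the NXNSAttack pattern)."""
    suffix = "." + ref.zone
    return [ns for ns in ref.ns_names
            if ns not in ref.glue and not ns.endswith(suffix)]

def nxns_referral(victim: str, n: int, zone: str = "attacker.example") -> Referral:
    """Constructed referral shaped like step 3 above: n glueless NS names,
    all under the victim's domain, returned for an attacker-held zone."""
    return Referral(zone, [f"ns{i}.{victim}" for i in range(n)])

def fanout(victim: str, n: int, cap: Optional[int] = None) -> int:
    """Queries sent toward the victim's servers for one client query."""
    return Resolver(max_glueless=cap).follow(nxns_referral(victim, n))
```

Running `fanout("victim.example", 1000)` gives 1000 lookups from a single client query, while `fanout("victim.example", 1000, cap=5)` gives 5, which is the whole effect of the fix.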
According to Tel Aviv University, an NXNSAttack can amplify a simple DNS query from 2 to 1,620 times its initial size, creating a temporary spike in traffic that can take down an intended target's DNS server. It is probably one of the most significant new DNS DDoS attacks discovered in several years.
Impacted software includes the likes of ISC BIND (CVE-2020-8616), NLnet Labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667), but also commercial DNS services provided by companies like Cloudflare, Google, Amazon, Microsoft, Oracle (Dyn), Verisign, IBM Quad9, and ICANN.
Wired reported that in 2016 a similar attack by a botnet called Mirai, made up of hacked security cameras and internet routers, aimed a gargantuan flood of junk traffic at the servers of Dyn, one of the companies that provides the global directory for the web known as the Domain Name System (DNS). The attack temporarily took down Amazon, Reddit, Spotify, and Slack for users along the East Coast of the US.
Patches have since been released and continue to be updated; this is yet another risk being managed through cooperation among the giants of the Internet landscape.