DNS Flaw Can Be Exploited for DDoS AttacksResearchers Release Open-Source Detection Tool
Security researchers have uncovered a flaw dubbed TsuNAME in DNS resolver software that can be used to carry out distributed denial-of-service attacks against authoritative DNS servers. Google and Cisco have resolved the issue in their DNS servers.
Authoritative DNS servers are the final holder of the IP of a domain, responsible for providing details about specific websites to DNS servers, including information on domain names and IP addresses. The security researchers, Giovane C. M. Moura, Sebastian Castro, John Heinemann and Wes Hardaker, note the flaw affects DNS resolvers, which play a key role in converting web links to IP addresses in authoritative DNS servers.
On a vulnerable authoritative DNS server, the flaw creates a traffic loop, causing a surge in its total traffic from 800 million to 1.2 billion daily queries, the report notes.
"Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records. Once vulnerable recursive resolvers encounter cyclic dependent records, they will begin to loop, and when the authoritative servers receive this traffic, that can ultimately become a DDoS," the researchers say.
"This is not theoretical, and has happened multiple times in the past - we have evidence of it happening at least with four ccTLDs (country code top-level domains) and one gTLD (generic top-level domain)."
The researchers' open-source tool, called CycleHunter, can be used to detect cyclic dependencies. Flaws in Google Public DNS and Cisco DNS were immediately addressed when the researchers notified Google and Cisco. The researchers say other DNS service providers may also be vulnerable.
The researchers note TsuNAME is caused by three main factors:
- Cyclic dependent name server records: Cyclic dependency in software is created when two or more modules depend on each other. TsuNAME results from a cyclic dependency created by a configuration error in name server, or NS, records. The configuration error results in two components pointing to each other in the name server records.
- Vulnerable recursive resolvers: A resolver encounters cyclic dependency and then fails to detect the cycle, resulting in nonstop looping.
- User queries to start/drive the process: When a user runs a new application, it triggers queries, which then amplify the impact of the traffic cycle.
Once the flaw is identified, users can fix the configuration error in the NS record and eliminate any cyclic dependency, the researchers say. But because the NS records can change at any time, there is no permanent solution. "We therefore also recommend that registrars run CycleHunter on a regular basis, for instance, as part of their domain name registration process," the researchers state.
Researchers are increasingly searching for DNS vulnerabilities because DNS attacks are on the rise.
For example, last month, Forescout Research Labs and the Israeli security firm JSOF found nine DNS vulnerabilities affecting four TCP/IP stacks that, if exploited, could lead to remote code execution or denial-of-service attacks on millions of devices (see: Millions of Devices Potentially Vulnerable to DNS Flaws).
In November 2020, researchers from the University of California at Riverside and Tsinghua University in Beijing identified a new type of DNS cache poisoning attack called SAD DNS, which is used in spoofing attacks (see: Brace for DNS Spoofing: Cache Poisoning Flaws Discovered).
And earlier last year, the security firm Black Lotus Labs found that attackers were using unsecured DNS protocols for communication between infected POS devices and their command-and-control servers to exfiltrate data (see: POS Malware Using DNS to Steal Payment Card Data).
In March, the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency released guidance on how to choose and deploy a Protective Domain Name System service to strengthen security (see: Tips on Selecting a Protective DNS Service).