Researchers warn of a new DNS flaw that can be abused to launch large-scale DDoS attacks

Israeli security researchers have disclosed details of a new, unfixable flaw in the DNS protocol that can be exploited to launch amplified, large-scale distributed denial-of-service (DDoS) attacks that render targeted websites inoperable.


The flaw, dubbed NXNSAttack, exploits the way DNS recursive resolvers handle an NS referral response that lists nameservers without their corresponding IP addresses (glue records).


The researchers said that “the NXNSAttack is more effective than the NXDomain attack as it reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver” and that “besides the negative cache, the attack also saturates the ‘NS’ resolver caches.”


In simple terms, the attack involves a malicious actor sending a DNS request to a recursive resolver for an attacker-controlled domain. As the recursive resolver is not authoritative for that domain, it sends a query to the authoritative DNS server for the attacker's domain, which is also attacker-controlled. That authoritative server returns a list of fake nameserver names, subdomains chosen by the threat actor, that point into a victim's DNS domain. The recursive resolver then issues queries for each of these nonexistent subdomains, creating a massive surge of traffic to the victim's DNS infrastructure.
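To make the fan-out concrete, here is an added Python model (written for this page; it is not the researchers' code or any vendor's implementation) of how a resolver treats a glueless NS referral, with a hypothetical per-referral cap standing in for the vendors' mitigations and a defender-side heuristic for spotting such referrals in resolver logs. The two sample referrals are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Referral:
    """Simplified NS referral: the delegated zone, its NS names, and glue (name -> IPv4)."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)


def glueless_nameservers(ref):
    """NS names that arrive without a glue address and so need their own resolution."""
    return [ns for ns in ref.ns_names if ns not in ref.glue]


def out_of_bailiwick(ref, name):
    """True when the NS name is not under the delegated zone."""
    return not (name == ref.zone or name.endswith("." + ref.zone))


def planned_lookups(ref, max_glueless=None):
    """Address lookups a resolver would issue for one referral.
    Uncapped, that is one lookup per glueless NS name: the fan-out NXNSAttack abuses.
    max_glueless is a hypothetical per-referral cap, not any specific vendor's setting."""
    names = glueless_nameservers(ref)
    return names if max_glueless is None else names[:max_glueless]


def packets_per_client_query(ref, max_glueless=None):
    """Outbound queries per client query: one to the authoritative server plus the fan-out."""
    return 1 + len(planned_lookups(ref, max_glueless))


def suspicious_referral(ref, threshold=10):
    """Return the foreign parent domain when a referral carries many glueless,
    out-of-bailiwick NS names concentrated under it (the victim zone in NXNSAttack)."""
    foreign = [n for n in glueless_nameservers(ref) if out_of_bailiwick(ref, n)]
    if len(foreign) < threshold:
        return None
    parent, count = Counter(n.split(".", 1)[1] for n in foreign).most_common(1)[0]
    return parent if count >= threshold else None


# Constructed sample referrals, not captured traffic.
BENIGN = Referral("example.", ["ns1.example.", "ns2.example."],
                  {"ns1.example.": "192.0.2.1", "ns2.example.": "192.0.2.2"})
ABUSIVE = Referral("attacker.example.",
                   [f"fake{i}.victim.example." for i in range(20)])
```

Run against the two samples, the benign referral costs one outbound query, while the glueless one costs 21 uncapped and 6 with a cap of five, and only the latter is flagged with `victim.example.` as the concentrated parent.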


Because NXNSAttack abuses a basic principle of the DNS protocol, there is effectively no fix, only mitigation, the researchers explained. However, following responsible disclosure of NXNSAttack, several DNS server developers have released advisories and patches to mitigate the issue, including PowerDNS, CZ.NIC, Cloudflare, Google, Amazon, Microsoft, Oracle-owned Dyn, Verisign, and IBM Quad9.

