• Home
  • About
  • Services
  • Partners
  • Products
  • News
  • Contact
May 21, 2020 by dom

New DNS Vulnerability – NXNSAttack

New DNS Vulnerability – NXNSAttack
May 21, 2020 by dom

A new vulnerability on DNS has been published today, called NXNSAttack.

Hopefully the patches for most vendors are already available. EfficientIP servers with DNS Guardian solution and incorporated “rescue mode” are already protected from the impact.

The vulnerability is very well documented by Lior Shafir, Yehuda Afek and Anat Bremler-Barr in this paper – http://www.nxnsattack.com/shafir2020-nxnsattack-paper.pdf

The opening abstract from the article is as follows:

ABSTRACT

The Domain Name System (DNS) infrastructure, a most critical system the Internet depends on, has re- cently been the target for different DDoS and other cyber-attacks, e.g., the notorious Mirai botnet.

While these attacks can be destructive to both recursive and authoritative DNS servers, little is known about how recursive resolvers operate under such attacks (e.g., NX- Domain, water-torture).

In this paper, we point out a new vulnerability and show an attack, the NXNSAttack, that exploits the way DNS recursive resolvers operate when receiving NS referral response that contains name- servers but without their corresponding IP addresses (i.e., missing glue-records).

We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in the- ory, mainly due to a proactive resolution of name-servers’ IP addresses.

We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both, recursive resolvers and authoritative servers.

The NXNSAttack is more effective than the NXDomain attack: i) It reaches an amplifica- tion factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) Besides the neg- ative cache, the attack also saturates the ‘NS’ resolver caches.

In an attempt to mitigate the attack impact, we propose enhancements to the recursive resolvers algo- rithm to prevent unnecessary proactive fetches.

Finally, we implement our Max1Fetch enhancement on the BIND resolver and show that Max1Fetch does not degrade the recursive resolvers performance, throughput and latency, by testing it on real-world traffic data-sets.

Previous articlePlatinum Partner Status attained with ApstraNext article Kentik Strengthens Asia-Pacific Growth with TDS Partnership

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

About The Blog

There is always news. Be it new products, new features or just something relevant to the industry. You’ll find regular updates from TDS here.

Recent Posts

How DDI Helps Higher Education Surf the Network Automation WaveSeptember 26, 2023
New 2023 IDC Report: DNS Threat Intelligence for Proactive DefenceSeptember 26, 2023
Improve Application Connectivity & Performance Visualisation with a TDS Solution set.July 25, 2023

Categories

  • DDI
  • Intent Based Networking
  • Networking
  • News
  • Security
  • Service Providers
  • Single Pain of Glass
  • Visibility
  • Wireless

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Tags

10G API Application Performance Apstra Automated Network Management Automation Capsa Colasoft Cyberthreat Data Theft DDI Device42 DHCP Discovery DNS DNS Attack DNS Load Balancing DNS Security Enterprise Network Security Hybrid Networks IoT IOTA IP Address Management IPAM IPv6 Network Analysis Networking Network Monitoring Network Source of Truth Network Transformation ProfiTap Quality of Experience Ransomware SaaS Security Service Provider Threat Intelligence Threat Report Troubleshooting Virtual Environment Visbility VM Wireless Zero touch Zero Trust

 

TDS.
Proudly built by TDS
Copyright 2019

 

86 Weston Street, Parramtta
+61 2 8007 5850
info@techno-ds.com

TDS

Recent Posts

How DDI Helps Higher Education Surf the Network Automation WaveSeptember 26, 2023
New 2023 IDC Report: DNS Threat Intelligence for Proactive DefenceSeptember 26, 2023
Improve Application Connectivity & Performance Visualisation with a TDS Solution set.July 25, 2023

Categories

  • DDI
  • Intent Based Networking
  • Networking
  • News
  • Security
  • Service Providers
  • Single Pain of Glass
  • Visibility
  • Wireless

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org