• Home
  • About
  • Services
  • Partners
  • Products
  • News
  • Contact
May 21, 2020 by dom

New DNS Vulnerability – NXNSAttack

New DNS Vulnerability – NXNSAttack
May 21, 2020 by dom

A new vulnerability on DNS has been published today, called NXNSAttack.

Hopefully the patches for most vendors are already available. EfficientIP servers with DNS Guardian solution and incorporated “rescue mode” are already protected from the impact.

The vulnerability is very well documented by Lior Shafir, Yehuda Afek and Anat Bremler-Barr in this paper – http://www.nxnsattack.com/shafir2020-nxnsattack-paper.pdf

The opening abstract from the article is as follows:

ABSTRACT

The Domain Name System (DNS) infrastructure, a most critical system the Internet depends on, has re- cently been the target for different DDoS and other cyber-attacks, e.g., the notorious Mirai botnet.

While these attacks can be destructive to both recursive and authoritative DNS servers, little is known about how recursive resolvers operate under such attacks (e.g., NX- Domain, water-torture).

In this paper, we point out a new vulnerability and show an attack, the NXNSAttack, that exploits the way DNS recursive resolvers operate when receiving NS referral response that contains name- servers but without their corresponding IP addresses (i.e., missing glue-records).

We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in the- ory, mainly due to a proactive resolution of name-servers’ IP addresses.

We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both, recursive resolvers and authoritative servers.

The NXNSAttack is more effective than the NXDomain attack: i) It reaches an amplifica- tion factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) Besides the neg- ative cache, the attack also saturates the ‘NS’ resolver caches.

In an attempt to mitigate the attack impact, we propose enhancements to the recursive resolvers algo- rithm to prevent unnecessary proactive fetches.

Finally, we implement our Max1Fetch enhancement on the BIND resolver and show that Max1Fetch does not degrade the recursive resolvers performance, throughput and latency, by testing it on real-world traffic data-sets.

Previous articlePlatinum Partner Status attained with ApstraNext article Kentik Strengthens Asia-Pacific Growth with TDS Partnership

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

About The Blog

There is always news. Be it new products, new features or just something relevant to the industry. You’ll find regular updates from TDS here.

Recent Posts

The Need for a DDI SolutionNovember 28, 2022
IDC 2022 Global DNS Threat ReportOctober 12, 2022
TDS Signs with AprecommSeptember 23, 2022

Categories

  • DDI
  • Intent Based Networking
  • Networking
  • News
  • Security
  • Service Providers
  • Single Pain of Glass
  • Visibility
  • Wireless

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Tags

1G 10G Apstra Automation Capsa Colasoft Data Centre DDI Device42 DHCP Discovery DNS DNS Load Balancing EfficientIP Intent Based Networking IoT IOTA IPAM Kentik Log4j Network Analysis Networking Network Monitoring Network Transformation NXNSAttack Packet Capture ProfiTap Quality of Experience Security Service Provider Troubleshooting Virtual Environment Visbility VM Wireless

 

TDS.
Proudly built by TDS
Copyright 2019

 

86 Weston Street, Parramtta
+61 2 8007 5850
info@techno-ds.com

TDS

Recent Posts

The Need for a DDI SolutionNovember 28, 2022
IDC 2022 Global DNS Threat ReportOctober 12, 2022
TDS Signs with AprecommSeptember 23, 2022

Categories

  • DDI
  • Intent Based Networking
  • Networking
  • News
  • Security
  • Service Providers
  • Single Pain of Glass
  • Visibility
  • Wireless

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org