DNS Flaw Can Be Exploited for DDoS Attacks

Researchers Release Open-Source Detection Tool
Security researchers have uncovered a flaw dubbed TsuNAME in DNS resolver software that can be used to carry out distributed denial-of-service attacks against authoritative DNS servers. Google and Cisco have resolved the issue in their DNS servers.

The researchers at SIDN Labs, InternetNZ and the University of Southern California released an open-source tool to detect the vulnerability.

Authoritative DNS servers hold the definitive records for a domain, including its name server records and IP addresses, and hand that information to the resolvers that ask for it. The security researchers, Giovane C. M. Moura, Sebastian Castro, John Heidemann and Wes Hardaker, note that the flaw lies in DNS resolvers, the components that convert domain names into IP addresses by querying authoritative DNS servers.

The looping traffic hit one authoritative DNS server the researchers studied hard enough to push its total traffic from 800 million to 1.2 billion daily queries, the report notes.

"Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records. Once vulnerable recursive resolvers encounter cyclic dependent records, they will begin to loop, and when the authoritative servers receive this traffic, that can ultimately become a DDoS," the researchers say.

"This is not theoretical, and has happened multiple times in the past - we have evidence of it happening at least with four ccTLDs (country code top-level domains) and one gTLD (generic top-level domain)."

The researchers' open-source tool, called CycleHunter, can be used to detect cyclic dependencies. Flaws in Google Public DNS and Cisco DNS were immediately addressed when the researchers notified Google and Cisco. The researchers say other DNS service providers may also be vulnerable.

The Vulnerability

The researchers note TsuNAME is caused by three main factors:

  • Cyclic dependent name server records: A cyclic dependency arises when two or more components depend on each other. In TsuNAME's case it is created by a configuration error in name server, or NS, records: the NS records of two domains point at each other, so resolving either domain's name servers first requires resolving the other's.
  • Vulnerable recursive resolvers: A resolver encounters the cyclic dependency and fails to detect the cycle, so it keeps looping.
  • User queries to start/drive the process: A user's lookup of an affected name triggers the first queries, and continued lookups amplify the resulting traffic cycle.

Once a cyclic dependency is identified, the domain's operator can fix the configuration error in the NS records and eliminate it, the researchers say. But because NS records can change at any time, there is no permanent solution. "We therefore also recommend that registrars run CycleHunter on a regular basis, for instance, as part of their domain name registration process," the researchers state.
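To make the three factors above concrete, here is an added illustration in Python; it is not CycleHunter's code nor any resolver vendor's logic. It builds a handful of constructed NS records and glue, derives the zone-to-zone dependency graph a resolver would have to follow, reports every cycle in it, and then simulates a naive resolver walk that loops on the cyclic delegation until an assumed query budget stops it. The zone names, the glue sets and the budget guard are all constructed assumptions.

```python
"""Cyclic NS dependencies: finding them in configured delegations and
showing why an unguarded resolver loops on them.

Added example (not the CycleHunter tool's code). The zone data, glue and
the resolver walk below are constructed for illustration.
"""
from collections import defaultdict

# Constructed delegations: zone -> its NS records.
# example.com.'s servers live under example.net. and vice versa: a cycle.
# lame.test.'s only server lives inside lame.test. but no glue is published.
NS_RECORDS = {
    "example.com.": ["ns1.example.net.", "ns2.example.net."],
    "example.net.": ["ns1.example.com.", "ns2.example.com."],
    "good.org.": ["a.nic.good.org.", "b.nic.good.org."],
    "healthy.test.": ["ns.healthy.test."],
    "other.test.": ["ns.healthy.test."],
    "lame.test.": ["ns.lame.test."],
}

# Constructed glue: zone -> server names whose addresses the delegating
# parent publishes, so the resolver needs no further lookup for them.
GLUE = {
    "good.org.": {"a.nic.good.org.", "b.nic.good.org."},
    "healthy.test.": {"ns.healthy.test."},
}


def zone_of(name):
    """Return the configured zone containing name (longest matching suffix), or None."""
    best = None
    for zone in NS_RECORDS:
        matches = name == zone or name.endswith("." + zone)
        if matches and (best is None or len(zone) > len(best)):
            best = zone
    return best


def dependency_graph():
    """Map each zone to the zones whose servers must be resolved before its own.

    A server with glue costs no extra lookup; any other server forces the
    resolver to first resolve the zone that server's name belongs to.
    """
    graph = defaultdict(set)
    for zone, servers in NS_RECORDS.items():
        graph[zone]  # every zone is a node, even one with no dependencies
        for ns in servers:
            if ns in GLUE.get(zone, set()):
                continue
            dep = zone_of(ns)
            if dep is not None:
                graph[zone].add(dep)
    return graph


def find_cycles(graph):
    """Return every dependency cycle as a tuple of zones (DFS with colouring)."""
    white, grey, black = 0, 1, 2
    colour = {zone: white for zone in graph}
    stack, cycles = [], []

    def visit(zone):
        colour[zone] = grey
        stack.append(zone)
        for dep in sorted(graph[zone]):
            if colour[dep] == grey:  # back edge: path from dep to here is a cycle
                cycles.append(tuple(stack[stack.index(dep):]))
            elif colour[dep] == white:
                visit(dep)
        stack.pop()
        colour[zone] = black

    for zone in sorted(graph):
        if colour[zone] == white:
            visit(zone)
    return cycles


class _BudgetExhausted(Exception):
    pass


def simulate_resolver(zone, max_queries):
    """Walk a delegation the way a naive resolver would, counting queries sent.

    Returns ("resolved", n) once a server with a usable address is found, or
    ("gave-up", n) when the query budget runs out. On a cyclic delegation the
    walk never terminates on its own; the budget is an assumed guard of the
    kind a patched resolver applies, not any vendor's exact logic.
    """
    sent = [0]

    def usable(z):
        for ns in NS_RECORDS.get(z, []):
            sent[0] += 1  # one query asking for this server's address
            if sent[0] >= max_queries:
                raise _BudgetExhausted
            if ns in GLUE.get(z, set()) or usable(zone_of(ns)):
                return True
        return False

    try:
        return ("resolved", sent[0]) if usable(zone) else ("unresolvable", sent[0])
    except _BudgetExhausted:
        return ("gave-up", sent[0])


if __name__ == "__main__":
    for cycle in find_cycles(dependency_graph()):
        print("cyclic dependency:", " -> ".join(cycle))
    for z in ("good.org.", "other.test.", "example.com."):
        print(z, simulate_resolver(z, 50))
```

The `find_cycles` result is the kind of finding a registrar-side check such as CycleHunter is after; `simulate_resolver` shows why the resolver side matters as well: the same records that a guarded walk abandons after a fixed number of queries would keep an unguarded resolver sending queries to the authoritative servers indefinitely.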

DNS Attacks

Researchers are increasingly searching for DNS vulnerabilities because DNS attacks are on the rise.

For example, last month, Forescout Research Labs and the Israeli security firm JSOF found nine DNS vulnerabilities affecting four TCP/IP stacks that, if exploited, could lead to remote code execution or denial-of-service attacks on millions of devices (see: Millions of Devices Potentially Vulnerable to DNS Flaws).

In November 2020, researchers from the University of California at Riverside and Tsinghua University in Beijing identified a new type of DNS cache poisoning attack called SAD DNS, which is used in spoofing attacks (see: Brace for DNS Spoofing: Cache Poisoning Flaws Discovered).

And earlier last year, the security firm Black Lotus Labs found that attackers were using unsecured DNS protocols for communication between infected POS devices and their command-and-control servers to exfiltrate data (see: POS Malware Using DNS to Steal Payment Card Data).

In March, the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency released guidance on how to choose and deploy a Protective Domain Name System service to strengthen security (see: Tips on Selecting a Protective DNS Service).

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
