2020-05-20

Researchers have shown that the number of DNS messages exchanged in a normal resolution process can be much larger in practice. This inefficiency can create a serious bottleneck and can be used to carry out a devastating attack against both a DNS recursive resolver and an authoritative server.

A DNS vulnerability could have knocked down the Internet at any time

A recursive DNS lookup occurs when a DNS server communicates with multiple DNS servers in an ordered sequence to locate the IP address associated with a domain. If you have not changed your DNS resolver, you are using your operator’s, but many users use other servers such as Google’s or Cloudflare’s.

If the resolver cannot find the IP address of a domain itself, it sends the request to an authoritative server. If that server does not have the answer, the resolver goes on to the next server it is referred to, until it can resolve the name and allow access to the desired website. The researchers found that this mechanism can be abused to make the resolver direct a large number of request packets at a specific domain instead of at the proper authoritative servers.

In order to carry out the attack, the process is as follows:

First, the attacker sends a DNS query to a recursive DNS server. The query is for an attacker-controlled domain, for example “attacker.com”. Then, because the recursive DNS server is not authoritative for that domain, it forwards the query to a malicious authoritative DNS server owned by the attacker.

The malicious DNS server responds to the recursive server with a message like “I am delegating DNS resolution to this list of servers.” The list contains thousands of subdomains of the victim’s website. Finally, the recursive DNS server sends DNS queries for all the subdomains in the list, directing a flood of traffic at the victim’s authoritative DNS server.

Thus, the attack can amplify the number of packets exchanged by a factor of 1,620, not only saturating the DNS resolver with more requests than it can handle, but also causing the victim’s website to crash. And with a botnet, the effects can be devastating: it could bring down DNS providers as big as Google or DynDNS, whose outage already caused enormous chaos a few years ago.
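As an added illustration (not code from the article or from the researchers), the following Python model shows the delegation step described above: a referral that lists many NS names without glue addresses forces the resolver to look up every one of them, and a per-referral cap on those lookups bounds what reaches the victim’s server. The zone names, the cap value and the cap itself as a mitigation are constructed assumptions; the page does not describe what the vendors’ patches changed.

```python
from dataclasses import dataclass, field


@dataclass
class Referral:
    """A delegation answer: NS names for the zone, sent without glue."""
    ns_names: list


@dataclass
class Stats:
    """Outbound queries the toy resolver sent, keyed by destination zone."""
    by_zone: dict = field(default_factory=dict)

    def count(self, qname):
        zone = qname.split(".", 1)[1] if "." in qname else qname
        self.by_zone[zone] = self.by_zone.get(zone, 0) + 1


def resolve(qname, servers, stats, max_ns_lookups=None):
    """Toy recursive lookup. `servers` maps a name to its authoritative
    answer: a Referral, an address string, or nothing (name does not exist).
    A glueless referral makes the resolver query every NS name it lists;
    `max_ns_lookups` (assumed mitigation) caps how many are followed."""
    stats.count(qname)
    answer = servers.get(qname)
    if not isinstance(answer, Referral):
        return answer
    names = answer.ns_names
    if max_ns_lookups is not None:
        names = names[:max_ns_lookups]
    for ns in names:
        # Each glueless NS name costs at least one more query before use.
        resolve(ns, servers, stats, max_ns_lookups)
    return None


def simulate(n_ns_names, max_ns_lookups=None):
    """Constructed scenario: attacker.example delegates to n_ns_names bogus
    names under victim.example. Returns (queries that reached the victim's
    zone, total queries the resolver sent)."""
    servers = {
        "attacker.example": Referral(
            [f"fake{i}.victim.example" for i in range(n_ns_names)]
        ),
    }
    stats = Stats()
    resolve("attacker.example", servers, stats, max_ns_lookups)
    return stats.by_zone.get("victim.example", 0), sum(stats.by_zone.values())


if __name__ == "__main__":
    print("uncapped:", simulate(1000))   # one query per listed name hits the victim
    print("capped:", simulate(1000, 20))  # the cap bounds it per referral
```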

Major DNS resolvers have patched the bug

Before publishing the existence of the vulnerability, the researchers contacted the top DNS resolver vendors on the market and the main companies behind the Internet infrastructure, among them Cloudflare, Google, Amazon, Microsoft, PowerDNS, CZ.NIC, Dyn, Verisign and IBM. They have all released patches to fix the vulnerability.

DDoS attacks are becoming more dangerous as there are more and more IoT devices with poor protection but access to high-speed connections. These vulnerable devices become part of botnets like Mirai, made up of tens of thousands or even hundreds of thousands of devices that can take down any service.