DNS vulnerability that makes resolvers susceptible to DDoS attacks removed

Joint research by SIDN Labs, InternetNZ (operator of New Zealand’s .nz domain) and USC Information Sciences Institute (US) has localised and resolved a vulnerability in the Domain Name System. The vulnerability meant that malicious actors could potentially use DNS resolvers to mount large-scale DDoS attacks on top-level domains (TLDs) and other authoritative DNS operators. Since learning of the issue from the researchers, Google has removed the vulnerability from Google Public DNS, one of the world’s most popular public DNS resolvers. The researchers are calling on other DNS server and resolver operators to check whether their systems have the same weakness and, if they do, to rectify the situation urgently.

DDoS attacks based on endless exchange of DNS queries

Dubbed tsuNAME by the researchers, the vulnerability makes it possible to mount DDoS attacks by exploiting pairs of name server records that point to each other. That situation is known in the industry as a ‘cyclic dependency’. Attackers can exploit cyclic dependencies by getting vulnerable resolvers to send large volumes of queries to authoritative name servers. If a resolver doesn’t detect the dependency, it will endlessly send DNS queries back and forth between the servers for the two domain names. The researchers identified a number of resolvers that were liable to get stuck in such loops for hours on end.

Where a resolver also doesn’t cache mutually dependent NS records, the issue can support a major DDoS attack. In a situation like that, the resolver will contact the authoritative server much more often than if the records are cached, substantially increasing the volume of traffic to, for example, a TLD operator’s DNS servers. If cyclic dependencies exist, the activity will continue indefinitely. The DNS uses caches to manage the load on authoritative servers and make the system scalable.

Responsible disclosure

Since February, the team has been engaged in a ‘responsible disclosure‘ process, quietly warning as many operators as possible about the vulnerability. Internationally standardised timelines were followed. Public disclosure was made today at the DNS-OARC workshop and on https://tsuname.io, the official website for the vulnerability.

A few experts have known about the vulnerability for a while, but until now there has been insufficient measured data available for the problem to be localised and resolved. The team’s measurement study has now provided the necessary data.

Solution for the vulnerability

The vulnerability can be removed by installing an additional code sequence that enables resolvers to detect cyclic dependencies and interrupt loops. An appropriate piece of code has to be provided by the resolver software’s producer. Recent versions of many resolver programs are no longer vulnerable to tsuNAME. Older versions remain susceptible, however, as explained in the researchers’ Security Advisory.

Authoritative DNS server operators can also make use of an open-source tool called CycleHunter. Specially developed by the research team and significantly improved by the DNS community, the tool flags up cyclic dependencies between domain names in the user’s zone. The researchers emphasise that NS records can change at any time, making it advisable to scan several times a day in order to minimise the impact of misconfigurations. The Security Advisory also sets out a step-by-step problem resolution plan for authoritative DNS operators to follow.

Google Public DNS

As highlighted in the researchers’ technical report, Google Public DNS was found to be the main source of repetitive queries in many cases. The issue was therefore drawn to Google’s attention, and has since been fixed. Analysis performed on 9 February by researchers at SIDN Labs, InternetNZ and USC Information Sciences Institute confirmed that the previously observed DNS vulnerability was no longer present on Google’s public DNS resolver. Cisco has also fixed its OpenDNS software.

Potential impact

SIDN Labs’ Data Scientist Giovane Moura explained, “We are dedicated to promoting the security and stability of the internet infrastructure in the Netherlands, Europe and beyond. The detected vulnerability has the potential to cause serious problems. The project also emphasises the importance of collaboration in this field. After all, it isn’t only the .nl domain that is potentially at risk from this vulnerability. It could cause major difficulties for all top-level domains. As any large DDoS, an attack that exploited the weakness we detected could stop people accessing the online services of banks, governments and online stores, for example.”

This message is taken from SIDN Labs, read it here