
A New DoS Attack Exploiting DNS Queries


A groundbreaking Denial of Service (DoS) attack has recently come to light, exposing how DNS queries and responses can be exploited. The new attack, dubbed “DNSBomb,” harnesses various security mechanisms inherent in DNS infrastructure to launch a potent assault on targeted systems. By leveraging reliability enhancement, security protection, query aggregation, response fast-returning, and timeouts, the DNSBomb attack turns these protective measures into effective attack vectors.

Moreover, the DNSBomb attack cleverly manipulates additional mechanisms such as accumulating low-rate DNS queries, amplifying queries into large responses, and concentrating all DNS responses into periodic bursts of high-volume traffic. This strategic approach overwhelms the targeted system, causing disruption and potential damage.

Researchers conducted a meticulous evaluation of 10 mainstream DNS software packages, 46 public DNS services, and over 1.8 million open DNS resolvers. Shockingly, all DNS resolvers were found to be susceptible to exploitation, amplifying the power and practicality of the DNSBomb attack. This revelation underscores the inherent vulnerabilities within current DNS infrastructure that threat actors can exploit.

Furthermore, the research unveiled that any system or mechanism, including DNS and CDN, can be manipulated to generate DoS traffic. This highlights the critical need for robust cybersecurity measures and continuous monitoring to safeguard against such sophisticated attacks.

In-depth technical analysis revealed that more than 11 Common Vulnerabilities and Exposures (CVEs) have been attributed to the DNSBomb attack. The researchers utilized the XMap Internet Scanner, a rapid network scanner designed for comprehensive IPv4 and IPv6 network research scanning, to uncover these vulnerabilities. Additionally, the study compared the DNSBomb attack to the Pulsating DoS Attack (PDoS), also known as the Shrew Attack, first proposed in 2003 by Kuzmanovic and Knightly. While the DNSBomb attack surpasses the PDoS attack in terms of potency, challenges exist in coordinating attack traffic from disparate sources, impacting the attack’s efficacy.

The threat model of the DNSBomb attack involves leveraging global open DNS resolvers to generate short, periodic pulses of traffic directed at the target server. The attacker must be capable of IP spoofing; statistics indicate that a significant percentage of IPv4 and IPv6 networks are identifiable as spoofable.

By purchasing a domain from any domain registration platform and establishing a controlled nameserver, the attacker can initiate DNS queries towards exploitable resolvers, impacting servers and IP addresses of targeted victims. The threat actor can manipulate the query’s source address to direct responses to a designated IP, thereby escalating the impact of the attack.

The attack workflow of DNSBomb encompasses three primary methods: accumulating DNS queries, amplifying these queries, and concentrating DNS responses. This strategic approach involves inundating exploitable resolvers with a multitude of low-rate DNS queries, amplifying these queries into larger response packets, and concentrating the responses to produce a powerful pulsing DoS traffic flow.
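On the victim side, the accumulate, amplify and concentrate workflow shows up as short, evenly spaced bursts of DNS responses over a quiet baseline. The detector below is an added example, not code from the original article or the DNSBomb researchers; it assumes per-bin byte counts of inbound DNS response traffic are already exported from flow or packet capture, and its function names, thresholds and sample traces are constructed for illustration.

```python
from statistics import median

def find_bursts(samples, factor=10.0, floor=1_000_000):
    """Start indices of bursts: runs of bins far above the median baseline."""
    baseline = median(samples)
    threshold = max(floor, factor * baseline)   # bytes per bin
    starts, in_burst = [], False
    for i, value in enumerate(samples):
        if value > threshold and not in_burst:
            starts.append(i)
        in_burst = value > threshold
    return starts

def detect_pulsing(samples, bin_seconds, min_pulses=3, jitter=0.2, **kw):
    """Return (is_pulsing, period_seconds, peak_to_mean) for one traffic trace."""
    if not samples:
        return False, None, 0.0
    mean = sum(samples) / len(samples)
    peak_to_mean = max(samples) / mean if mean else 0.0
    starts = find_bursts(samples, **kw)
    if len(starts) < min_pulses:
        return False, None, peak_to_mean
    # Periodic pulses have near-constant spacing between burst starts.
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    typical = median(gaps)
    regular = all(abs(g - typical) <= jitter * typical for g in gaps)
    return regular, (typical * bin_seconds if regular else None), peak_to_mean

# Constructed traces, 100 ms bins (not measurements from the DNSBomb research).
def pulsed_trace(bins=400, period=100, burst=50_000_000, quiet=20_000):
    return [burst if i % period in (50, 51) else quiet for i in range(bins)]

def steady_trace(bins=400, rate=5_000_000):
    return [rate] * bins

if __name__ == "__main__":
    print("pulsed:", detect_pulsing(pulsed_trace(), 0.1))
    print("steady:", detect_pulsing(steady_trace(), 0.1))
```

The pulsed trace is flagged with its period while the steady flood is not, which is why a pulse detector complements, rather than replaces, an average-rate alarm.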

To provide a comprehensive overview of this sophisticated attack technique, a detailed report has been published, outlining the attack vector, workflow, prerequisites, techniques, and other critical aspects. This invaluable resource serves as a guide for cybersecurity professionals and organizations to enhance their defense mechanisms against evolving cyber threats.

In conclusion, the emergence of the DNSBomb attack underscores the ever-evolving landscape of cyber threats and the need for proactive cybersecurity measures to mitigate risks and safeguard critical infrastructure. As threat actors continue to exploit vulnerabilities in DNS infrastructure, staying vigilant and implementing robust security protocols is paramount to defending against sophisticated attacks like DNSBomb.
