Threat Alert

by IthacaLabs™

THREAT LEVEL/High 21/05/2020

New Vulnerability In DNS Servers That Can Be Abused To Launch DDoS Attacks of Massive Proportions

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.


We have observed that a new vulnerability in DNS servers, which can be abused to launch DDoS attacks of massive proportions, has been identified.

The vulnerability, dubbed NXNSAttack (CVE-2020-12662), exploits the way DNS recursive resolvers operate when they receive an NS referral response that contains name servers but not their corresponding IP addresses (i.e., missing glue records).

Recursive DNS servers are DNS systems that pass DNS queries upstream in order to be resolved and converted from a domain name into an IP address.

The number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers’ IP addresses.

This inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both of recursive resolvers and authoritative servers.

The NXNSAttack technique has different facets and variations, but the basic flow can be explained in four steps:

1) An attacker sends a DNS query to a recursive DNS server. The request is for a domain like “,” which is managed through an attacker-controlled authoritative DNS server.
2) Since the recursive DNS server is not authorized to resolve this domain, it forwards the operation to the attacker’s malicious authoritative DNS server.
3) The malicious DNS server replies to the recursive DNS server with a message that equates to “I’m delegating this DNS resolving operation to this large list of name servers.” The list contains thousands of subdomains for a victim website.
4) The recursive DNS server forwards the DNS query to all the subdomains on the list, creating a surge in traffic for the victim’s authoritative DNS server.
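The referral in steps 3 and 4 has a recognisable shape that a resolver operator can look for in captured responses: many NS names with no glue, all under one zone. The following is an added detection sketch, not code from IthacaLabs or any DNS vendor; the record tuples, the threshold and every name in the samples are constructed assumptions.

```python
from collections import Counter

# Assumed threshold for illustration; tune it against your own resolver traffic.
MAX_GLUELESS_PER_ZONE = 10

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def parent_zone(name):
    """Drop the leftmost label: 'r1.victim.example' -> 'victim.example.'"""
    _, _, rest = (norm(name) + ".").partition(".")
    return rest or "."

def analyse_referral(authority, additional, limit=MAX_GLUELESS_PER_ZONE):
    """Inspect one referral. Both arguments are lists of (owner, rtype, rdata).

    A few glueless NS names are normal; the signal is a large number of them
    concentrated under a single zone, which the resolver would then query.
    """
    glue = {norm(o) for o, t, _ in additional if t in ("A", "AAAA")}
    targets = [norm(r) for _, t, r in authority if t == "NS"]
    glueless = [n for n in targets if n not in glue]
    per_zone = Counter(parent_zone(n) for n in glueless)
    return {
        "ns_total": len(targets),
        "glueless": len(glueless),
        "flagged": sorted(z for z, c in per_zone.items() if c > limit),
    }

# Constructed sample 1: ordinary delegation, glue supplied for both servers.
BENIGN = analyse_referral(
    [("shop.test.", "NS", "ns1.shop.test."), ("shop.test.", "NS", "ns2.shop.test.")],
    [("ns1.shop.test.", "A", "192.0.2.1"), ("ns2.shop.test.", "AAAA", "2001:db8::2")],
)

# Constructed sample 2: 40 glueless NS names, all under one third-party zone.
SUSPECT = analyse_referral(
    [("odd.test.", "NS", f"r{i:02d}.victim.example.") for i in range(40)],
    [],
)

if __name__ == "__main__":
    print("benign :", BENIGN)
    print("suspect:", SUSPECT)
```

Feeding it records parsed from resolver packet captures or query logs gives a per-referral verdict that can be aggregated by the delegating zone.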

Several DNS software vendors and service providers have adopted measures to protect against the destructive effects of the NXNSAttack.



Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an “NXNSAttack” issue. This is triggered by random subdomains in the NSDNAME in NS records.

Affected Systems



It’s highly recommended that network administrators who run their own DNS servers update their DNS resolver software to the latest version.

You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to keep security event logging enabled at all times, and to practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.

