
Security Alert

Alert – New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks 2020-06-02

Background:
Domain Name System (DNS) is a distributed database that represents a namespace. The namespace contains all of the information needed for any client to look up any name. Any DNS server can answer queries about any name within its namespace. Cybersecurity researchers have disclosed details about a new flaw in the DNS protocol that can be exploited to launch amplified, large-scale distributed denial-of-service (DDoS) attacks to take down targeted websites. Called “NXNSAttack”, the flaw hinges on the DNS delegation mechanism to force DNS resolvers to generate many more DNS queries to authoritative servers of the attacker's choice, potentially causing a botnet-scale disruption to online services.

Specification of the vulnerability (NXNSAttack):

A recursive DNS lookup happens when a DNS server communicates with multiple authoritative DNS servers in a hierarchical sequence to locate the IP address associated with a domain (e.g., www.google.com) and return it to the client. This resolution typically starts with the DNS resolver operated by your ISP or a public DNS service, like Google (8.8.8.8), whichever is configured on your system. The resolver passes the request to an authoritative DNS name server if it is unable to locate the IP address for a given domain name. If the first authoritative DNS name server also doesn't hold the desired records, it returns a delegation message with the names of the next authoritative servers that the DNS resolver can query. In other words, an authoritative server tells the recursive resolver: I do not know the answer, go and query these name servers instead. This hierarchical process goes on until the DNS resolver reaches the correct authoritative server that provides the domain's IP address, allowing the user (or attacker) to reach the desired website.

Researchers found that the large, undesired overhead of this delegation step can be exploited to trick recursive resolvers into continuously sending a large number of packets to a targeted domain instead of to the legitimate authoritative servers. To mount the attack through a recursive resolver, the attacker must be in possession of an authoritative server.

The NXNSAttack works by sending a request for an attacker-controlled domain (e.g., attacker.com) to a vulnerable DNS resolving server, which forwards the DNS query to the attacker-controlled authoritative server. Instead of returning the addresses of the real authoritative servers, the attacker-controlled authoritative server responds with a delegation listing many fake server names or subdomains, chosen by the threat actor, that point into a victim DNS domain. The resolver then issues lookups for all of these nonexistent subdomains, creating a massive surge in traffic to the victim's name servers.
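As an added illustration (not from the original alert or from any resolver vendor), the following Python model shows how a recursive resolver can measure and bound the fan-out of a delegation response, the mechanism described above. The sample referrals, the victim.example name and the MAX_FETCH cap are constructed assumptions.

```python
"""Model of delegation fan-out in a recursive resolver (added example).
Constructed sample data; MAX_FETCH is an assumed per-referral cap."""
from dataclasses import dataclass, field

MAX_FETCH = 5  # assumed cap on glue-less NS names a resolver will chase per referral


@dataclass
class Referral:
    zone: str                 # the delegated zone, e.g. "attacker.com."
    ns_names: list            # NS target names from the authority section
    glue: dict = field(default_factory=dict)  # name -> address from the additional section


def glueless_names(ref: Referral) -> list:
    """NS names with no glue: each costs the resolver a separate A/AAAA lookup."""
    return [n for n in ref.ns_names if n not in ref.glue]


def out_of_bailiwick(ref: Referral) -> list:
    """Glue-less NS names outside the delegated zone; their lookups hit a third party."""
    return [n for n in glueless_names(ref)
            if n != ref.zone and not n.endswith("." + ref.zone)]


def amplification_factor(ref: Referral) -> int:
    """Extra upstream queries triggered by one client query (one per glue-less name)."""
    return len(glueless_names(ref))


def bounded_fetch(ref: Referral, max_fetch: int = MAX_FETCH) -> list:
    """Names a capped resolver would actually resolve, however many the referral lists."""
    return glueless_names(ref)[:max_fetch]


# Constructed: a benign referral that carries glue, so no extra lookups are needed
benign = Referral("example.org.", ["ns1.example.org.", "ns2.example.org."],
                  {"ns1.example.org.": "192.0.2.1", "ns2.example.org.": "192.0.2.2"})

# Constructed: a malicious referral naming many nonexistent hosts under a victim zone
malicious = Referral("attacker.com.", [f"fake{i}.victim.example." for i in range(100)])

if __name__ == "__main__":
    for r in (benign, malicious):
        print(r.zone, "amplification:", amplification_factor(r),
              "out-of-bailiwick:", len(out_of_bailiwick(r)),
              "fetched under cap:", len(bounded_fetch(r)))
```

Capping the fetch count (and treating a large out-of-bailiwick list as a signal worth logging) is what keeps one client query from turning into a hundred upstream queries against the victim.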

Solution (Mitigation):

Rw-CSIRT strongly recommends that users:
Update their software installations to the latest versions by following the instructions below. The latest product versions are available to end users via one of the following methods:
• Users can update their product installations manually by choosing Help > Check for Updates.
• The products will update automatically, without requiring user intervention, when updates are detected.

For network administrators (managed environments):
Rw-CSIRT recommends the following best practices to help safeguard networks against this threat:
• If they run their own DNS servers, update their DNS resolver software to the latest version.
• Implement multifactor authentication on domain registrar accounts, on the administration portal, and on any other systems used to modify DNS records.
• Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.
• Search for encryption certificates (SSL/TLS) issued for your domains and revoke any malicious certificates.
• Conduct an internal investigation to assess if attackers gained access to your environment.

Affected users should contact RW-CSIRT: call 4045 or write to security@risa.gov.rw

References or Vulnerability Details:
https://thehackernews.com/2020/05/dns-server-ddos-attack.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/reviewing-dns-concepts
https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/