Post on 16-Oct-2020

NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities
Yehuda Afek (Tel-Aviv University), Anat Bremler-Barr (Interdisciplinary Center Herzliya), Lior Shafir (Tel-Aviv University)

Outline
• DNS System - Overview
• NXNSAttack: New Vulnerability
• Several variants
• Mitigation and measurements
• Responsible Disclosure
• Conclusions
NXNSAttack Vulnerability in the Wild
(slide: logos of affected vendors and service providers; a DoSed DNS leaves the Internet useless)
DNS System
(slide: the Internet as users see it, a set of services reached by name: Amazon, Gmail, Zoom, NYTimes, Facebook, My.Bank.com, Yahoo, Google.com, my web site)
DNS System [RFC 1034, Paul Mockapetris]
Distributed, hierarchical, > 10 million servers.
(diagram: recursive resolvers on one side; authoritative servers on the other: root, TLDs (.edu .com .us .net), SLDs (cs.ucla.edu, ns.ucla.edu, USC.edu, NS.getty.edu, ns.ISI.edu), zoom.us's servers)
DNS System: resolving cs.ucla.edu from an empty cache
(diagram: the recursive resolver walks down from root to the .edu TLD to the SLD ns.ucla.edu)
Theory: 1 request = 3 packets x 2
DNS system [RFC 1034, Mockapetris 1987]
Requirements
• High Availability, 24x7, Fault tolerant
• Quick response
• Low communication overhead
• Authenticate
High Availability (slides 1-3)
(diagram: the resolver, with an empty cache, asks for cs.ucla.edu ("cs.ucla.edu ??"); the .edu TLD answers with a referral response listing the zone's name servers (ns.ucla.edu and others); the resolver then has to find out: what is the NS IP address?)
Referral Response & Glue Records
The resolver, with an empty cache, sends an A request for cs.ucla.edu to the .edu TLD and gets back a referral with no glue records (the name servers are under .net, outside the .edu zone):
ucla.edu NS ns1.ucla.net
ucla.edu NS ns2.ucla.net
ucla.edu NS ns3.ucla.net
ucla.edu NS ns4.ucla.net
So the resolver has to issue 'A' requests for ns1.ucla.net, ns2.ucla.net, ns3.ucla.net and ns4.ucla.net before it can ask any of them.
Which referred NS is the quickest?
With glue, the same referral would also carry the addresses:
ns1.ucla.net A 208.87.1.81
ns2.ucla.net A 208.87.1.82
ns3.ucla.net A 193.4.10.1
ns4.ucla.net A 208.76.1.81
Practice: 1 request for microsoft.com = 54 (126) packets !!
Theory: 1 request = 3 packets x 2
NXNSAttack, Variant #1: on TLD
(diagram: a bot queries the recursive resolver for xre.attacker.com; the attacker.com authoritative answers with a referral naming ns1.fake1.net, ns2.fake8.net, ns3.fake3.net, ... ns.fake135.net, non-existent names whose lookups the resolver sends to the .net TLD)
Packet amplification factor = 135 * 2 * 2 * 6 / 2 = 1620
(slide labels for the factors: BIND; IPv4 & IPv6; send & receive; TCP overhead; attacker cost)
NXNSAttack !! TLD focus (.com)
(diagram: the bot queries xyz.attacker.com; the attacker.com referral directs the resolver's NS lookups at the .COM TLD)
Other Variations
NXNSAttack !! on SLD
(diagram: the bot queries xyz.attacker.com; the attacker.com referral names servers under a victim SLD (NS.ucla.edu), so the resolver's lookups hit that SLD's servers)
Amplification: 37 x 4 = 148, / 2 = 74 (no TCP overhead)
NXNSAttack !! SLD focus
(diagram: the attacker.com referral concentrates the resolver's lookups on NS.ucla.edu)
NXNSAttack !! Resolver focus
(diagram: the recursive resolver itself bears the load when queried for xyz.attacker.com)
NXNSAttack !! F² on ROOT
(diagram: a bot queries xyz.attacker.com; the attack is stacked through an .attacker.com TLD so that the lookups land on the root servers)
Packet amplification factor = 3200 !! On root !!
74 x 135 x 2 = 19,980 requests
Packets processed = 74 * 135 * 2 * 2 * 6 = 239,760 !!!
Acquiring / controlling an Authoritative
• Option 1: $1 and 5 minutes, to acquire a new domain name
  – Dynamic association with any Authoritative
• Option 2: DNS hijacking attacks
  – Gain operators' credentials to manipulate zone-files
Amplifications in the wild
(slide: measurement chart)
Mitigation
(chart: # name servers per referral response)
• MaxFetch(k) – resolve NS-names k at a time, not all at once
  – amortized over several queries
• MaxBreadth – bound the # of NS-names per referral response
• Detect NX NS replies (NLnetLabs)
• DNSSEC – NSEC (Petr Špaček)
• Going only downwards in the DNS hierarchy (draft RFC)
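As an added example (not code from the talk, the paper or any resolver), a toy resolver that follows a referral the way the slides describe and counts the packets: the naive strategy resolves every glueless NS name at once, while MaxFetch(k) and MaxBreadth bound the work done per client query. The referral contents, the 'fake' naming rule and the 192.0.2.1 answer are constructed for the example, and the slides' extra x6 BIND/TCP factor is left out.

```python
from dataclasses import dataclass, field

@dataclass
class Referral:
    """A delegation response: the zone's NS names plus any glue (NS name -> address)."""
    ns_names: list
    glue: dict = field(default_factory=dict)

def lookup_ns_address(name, stats):
    """Simulated glueless NS lookup: one A and one AAAA query (IPv4 & IPv6), counted in stats.
    Constructed rule: names containing 'fake' do not exist, all others resolve."""
    stats["queries"] += 2
    return None if "fake" in name else "192.0.2.1"

def naive_follow(referral, stats):
    """Vulnerable behaviour: resolve every glueless NS name in the referral at once."""
    addrs = [referral.glue.get(n) or lookup_ns_address(n, stats) for n in referral.ns_names]
    return next((a for a in addrs if a), None), 0

def maxfetch_follow(referral, stats, cursor=0, k=1, max_breadth=None):
    """Mitigated behaviour for one client query: MaxBreadth caps the NS names taken from the
    referral; MaxFetch(k) resolves only k glueless names now and returns a cursor so the rest
    is amortized over later queries instead of being fetched all at once."""
    names = referral.ns_names[:max_breadth] if max_breadth else referral.ns_names
    for n in names:  # glued names cost no extra queries, so prefer them
        if n in referral.glue:
            return referral.glue[n], cursor
    for n in names[cursor:cursor + k]:
        if (addr := lookup_ns_address(n, stats)) is not None:
            return addr, cursor
    return None, (cursor + k) % max(len(names), 1)

def amplification(stats, attacker_packets=2):
    """Slides' count: each resolver query is sent and answered (x2), over the attacker's
    cost of one query plus one response."""
    return stats["queries"] * 2 / attacker_packets

# Constructed referrals: the TLD variant's 135 glueless NS names under non-existent .net
# domains, and a normal 4-server delegation. (The slides' x6 BIND/TCP factor is not modelled.)
ATTACK = Referral([f"ns{i}.fake{i}.net" for i in range(1, 136)])
NORMAL = Referral([f"ns{i}.dns.ucla.edu" for i in range(1, 5)])

def cost(follow, referral, **kw):
    """Run one strategy over a referral once; return (address found, amplification factor)."""
    stats = {"queries": 0}
    return follow(referral, stats, **kw)[0], amplification(stats)
```

Calling maxfetch_follow again with the returned cursor models the amortization: the attacker must send a fresh query for every further NS name the resolver fetches, so the per-query amplification stays at 2 instead of 270.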
MaxFetch(1) on Normal Operation
(diagram: resolving cs.ucla.edu; the .edu TLD refers to ns1.dns.ucla.edu, ns2.dns.ucla.edu, ns3.dns.ucla.edu and ns4.dns.ucla.edu; with MaxFetch(1) the resolver fetches one NS address at a time)
MaxFetch(1): amplification down 743
MaxFetch(1): no effect on latency
• No observed failures
• Latency slightly improved !!
Responsible Disclosure
(timeline: February 18, May 19, June 5; embargo; confirmed; embargo; patched & updated)
Bug bounty: 1 expected reward
Conclusions
• Mirai x 800 !!
• Worrisome, fatal flaw
• Could there be another similar flaw?
• Formal/automatic verification methods
• Trade-offs: Availability vs. Vulnerability; Response time vs. Vulnerability
• Re-design

Thank you
http://cyber-security-group.cs.tau.ac.il/