DNSBomb DoS Attack
  • By manager
  • Last updated: June 22, 2024

DNSBomb DoS Attack: A New Challenge for Network Security

Cybersecurity researchers at Tsinghua University have unveiled a groundbreaking and potent Denial of Service (DoS) attack, dubbed “DNSBomb,” that poses a significant threat to internet infrastructure. This attack leverages inherent mechanisms of the Domain Name System (DNS) to create a powerful pulsing DoS attack.

Understanding DNSBomb: A Modern Twist on a Classic Technique

DNSBomb is a variation of a 2003 DDoS attack technique that used TCP pulses. It re-implements this concept using modern DNS software and infrastructure, such as recursive resolvers and authoritative nameservers. The attack works by sending a slow trickle of modified DNS requests to DNS servers, which then amplify the packet size and withhold the responses. These responses are released all at once in a high-volume pulse aimed at a target, causing severe disruption.

Alarming Findings from Extensive Evaluations

Both Tsinghua University and FireXCore researchers extensively evaluated DNSBomb across 10 mainstream DNS software packages, 46 public DNS services, and approximately 1.8 million open DNS resolvers. The results were alarming: all tested DNS resolvers could be exploited to launch more powerful DNSBomb attacks than previous pulsing DoS attacks. Small-scale experiments demonstrated that the peak pulse magnitude could approach 8.7 Gbps, with a bandwidth amplification factor exceeding 20,000 times.

These findings highlight DNSBomb’s potential to cause significant disruption to global internet services. The attack shows how vulnerabilities in DNS infrastructure can be devastatingly exploited, putting DNSBomb in the sights of DDoS botnet herders and DDoS-for-hire services.

Mitigation and Industry Response

In response to the discovery, researchers have proposed effective mitigation solutions and responsibly reported their findings to all affected vendors. To date, 24 vendors, including BIND, Unbound, PowerDNS, and Knot, are actively patching their software using the provided solutions. Additionally, 10 CVE-IDs have been assigned to address the vulnerabilities exploited by DNSBomb:

Industry-wide: CVE-2024-33655
Knot: CVE-2023-49206
Simple DNS Plus: CVE-2023-49205
Technitium: CVE-2023-28456, CVE-2023-49203
MaraDNS: CVE-2023-49204
Dnsmasq: CVE-2023-28450, CVE-2023-49207
CoreDNS: CVE-2023-28454, CVE-2023-49202
SDNS: CVE-2023-49201

FireXCore emphasizes that any system capable of aggregating data, such as DNS and Content Delivery Networks (CDNs), could be exploited to construct pulsing DoS traffic. The cybersecurity community is urged to join efforts in further investigating and mitigating the DNSBomb threat. These findings underscore the importance of continuous vigilance and innovation in the face of evolving cyber threats.

 


Protecting Against the DNSBomb DoS Attack

To protect against the DNSBomb DoS attack, organizations should implement robust network security measures and stay informed about the latest threats and vulnerabilities. Regular updates and patches for DNS software, along with proactive monitoring and incident response strategies, are crucial for mitigating the risks associated with DNSBomb and similar cyber threats.
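As an illustration of the proactive monitoring mentioned above, the following added example (not code from FireXCore or from the researchers) scans resolver events for the pattern the article describes: queries that arrive as a slow trickle while the response bytes leave in one short pulse. The event format, the thresholds, the function names, and the documentation-range addresses are all assumptions made for this sketch.

```python
from collections import defaultdict

def sample_events():
    """Constructed resolver events, not real traffic: (kind, time_ms, addr, bytes).
    kind "q" = query received from addr, "r" = response sent to addr."""
    events = []
    for i in range(40):
        # 192.0.2.10: queries trickle in over 8 s, responses all leave within 40 ms
        events.append(("q", i * 200, "192.0.2.10", 60))
        events.append(("r", 8000 + i, "192.0.2.10", 1200))
        # 198.51.100.7: ordinary client, each response 20 ms after its query
        events.append(("q", i * 200, "198.51.100.7", 60))
        events.append(("r", i * 200 + 20, "198.51.100.7", 300))
    return events

def find_pulsing_addresses(events, bin_ms=100, min_query_bins=10, min_peak_share=0.8):
    """Flag addresses whose queries are spread over many time bins while most
    response bytes are concentrated in a single bin (thresholds are assumptions)."""
    query_bins = defaultdict(set)
    query_bytes = defaultdict(int)
    resp_bins = defaultdict(lambda: defaultdict(int))
    for kind, t_ms, addr, size in events:
        b = t_ms // bin_ms
        if kind == "q":
            query_bins[addr].add(b)
            query_bytes[addr] += size
        elif kind == "r":
            resp_bins[addr][b] += size
    findings = {}
    for addr, bins in resp_bins.items():
        total = sum(bins.values())
        peak = max(bins.values())
        share = peak / total if total else 0.0
        if len(query_bins[addr]) >= min_query_bins and share >= min_peak_share:
            findings[addr] = {
                "peak_share": share,                          # fraction of bytes in busiest bin
                "peak_mbps": peak * 8 * 1000 / bin_ms / 1e6,  # rate during that bin
                "byte_ratio": total / max(query_bytes[addr], 1),  # response/query bytes
            }
    return findings

if __name__ == "__main__":
    for addr, f in find_pulsing_addresses(sample_events()).items():
        print(addr, f)
```

A pulse that straddles a bin boundary is split across two bins, so in practice the check is better run with overlapping or sliding bins, and the thresholds tuned against a baseline of normal resolver traffic.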

Tools:

XMap: The Internet Scanner