DNSBomb DoS Attack
  • By manager
  • Last updated: August 28, 2024

DNSBomb DoS Attack: A New Challenge for Network Security

Researchers at Tsinghua University have presented a new pulsing Denial of Service (DoS) attack, dubbed “DNSBomb”, that turns ordinary DNS recursive resolvers into a traffic amplifier and concentrator. It introduces no new protocol flaw. Instead it combines behaviours the Domain Name System (DNS) has always had, namely query timeouts, query aggregation and the prompt return of large responses, to squeeze a slow stream of small queries into short, high-volume bursts aimed at a victim.

Understanding DNSBomb: A Modern Twist on a Classic Technique

The Domain Name System (DNS) is the internet’s phonebook: it translates human-readable names such as www.example.com into the IP addresses that computers use to reach each other. It is a distributed system with two roles that matter for this attack. Authoritative nameservers hold the records for a zone, and recursive resolvers accept queries from clients and, on their behalf, chase the answer through the authoritative servers, cache the result, and return it to whoever asked. A resolver that has no cached answer must wait for the authoritative server to reply, and it keeps the client’s query outstanding until either the answer arrives or its timeout expires. Almost everything on the internet, from web browsing to email delivery, depends on this working reliably.

DNSBomb is a modern variation of the low-rate pulsing DoS technique published in 2003 (the “shrew” attack), which used short periodic TCP bursts rather than a constant flood to exploit TCP’s retransmission timeout. DNSBomb re-creates the pulse using today’s DNS software and infrastructure, the recursive resolvers and authoritative nameservers described above, instead of the attacker’s own packet generator. The attack runs in three steps. First, the attacker sends a slow trickle of DNS queries to one or more resolvers, with the source address spoofed to the victim’s, for names under a domain the attacker controls, so nothing is answered from cache; each resolver forwards the query upstream and holds it open until its timeout. Second, the attacker’s authoritative server deliberately stays silent until just before that timeout expires, so thousands of outstanding queries accumulate while the attacker’s sending rate stays low. Third, the authoritative server answers all of them at once with responses as large as the resolvers will accept, and the resolvers forward those responses to the spoofed source, the victim, almost simultaneously. The result is a short, high-volume pulse that can saturate the victim’s link even though the average attack bandwidth is tiny.
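To make the three steps concrete, here is an added example (not code from the DNSBomb researchers or any DNS vendor) that models the pulse with a toy resolver: the attacker trickles spoofed queries at a fixed rate over one timeout window, the authoritative server either answers immediately (ordinary reflection) or withholds until just before the timeout, and the peak bandwidth the victim sees is measured with a sliding window. Every parameter (10 s timeout, 100 queries/s, 70-byte queries, 4000-byte responses, 0.1 s release window, 20 ms upstream RTT) is an assumption chosen for illustration, not a figure from the paper.

```python
"""Toy timing model of a DNSBomb pulse (added example, not the researchers' code).

All numbers below are assumptions for illustration, not measurements from the
DNSBomb paper. Time is kept in integer microseconds to avoid float drift.
"""
from dataclasses import dataclass

US = 1_000_000  # microseconds per second


@dataclass
class Params:
    timeout_s: float = 10.0        # resolver's upstream timeout (assumed)
    qps: int = 100                 # attacker's spoofed query rate (assumed)
    query_bytes: int = 70          # size of each spoofed UDP query (assumed)
    response_bytes: int = 4000     # size of each large response (assumed)
    release_window_s: float = 0.1  # how fast the resolver flushes the burst (assumed)
    auth_rtt_s: float = 0.02       # resolver <-> authoritative RTT (assumed)


@dataclass
class Result:
    queries: int
    attacker_avg_bps: float   # attacker's average send rate, bytes/s
    victim_peak_bps: float    # peak rate the victim receives, bytes/s
    amplification: float      # bandwidth amplification factor = peak / average


def spoofed_queries(p: Params) -> list[int]:
    """Arrival times (us) of the spoofed queries at the resolver.

    They are spread evenly over one timeout window, so when the last one
    arrives all of them are still outstanding at the resolver."""
    n = int(p.timeout_s * p.qps)
    gap = US // p.qps
    return [i * gap for i in range(n)]


def resolver_responses(p: Params, query_times: list[int], withhold: bool) -> list[int]:
    """Times (us) at which the resolver sends each response to the spoofed source.

    withhold=False: the authoritative server answers after one RTT, so responses
    leave at the same slow rate the queries arrived (plain reflection).
    withhold=True: the attacker's authoritative server stays silent until just
    before the resolver's timeout, then answers everything; the resolver flushes
    all held responses within release_window_s (the DNSBomb pulse)."""
    if not withhold:
        rtt = int(p.auth_rtt_s * US)
        return [t + rtt for t in query_times]
    n = len(query_times)
    window = int(p.release_window_s * US)
    release = int(p.timeout_s * US) - window // 2   # just inside the timeout
    return [release + (i * window) // n for i in range(n)]


def peak_bps(times: list[int], size: int, window_us: int) -> float:
    """Largest number of packets in any sliding window, converted to bytes/s."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] < window_us:
            j += 1
        best = max(best, j - i)
    return best * size * US / window_us


def simulate(p: Params, withhold: bool = True) -> Result:
    """Run the model and report average attacker rate, victim peak and their ratio."""
    queries = spoofed_queries(p)
    responses = resolver_responses(p, queries, withhold)
    attacker_avg = len(queries) * p.query_bytes / p.timeout_s
    peak = peak_bps(responses, p.response_bytes, int(p.release_window_s * US))
    return Result(len(queries), attacker_avg, peak, peak / attacker_avg)


if __name__ == "__main__":
    p = Params()
    for label, withhold in (("plain reflection", False), ("DNSBomb pulse", True)):
        r = simulate(p, withhold)
        print(f"{label:17s} queries={r.queries} attacker_avg={r.attacker_avg_bps:,.0f} B/s "
              f"victim_peak={r.victim_peak_bps:,.0f} B/s amplification={r.amplification:,.0f}x")
```

With the assumed numbers, plain reflection amplifies bandwidth by about 57x (the response-to-query size ratio), while withholding raises that to roughly 5,700x. The extra factor of 100 is the timeout window divided by the release window, which is the temporal concentration DNSBomb adds on top of size amplification. The model ignores query deduplication and per-client limits: capping outstanding queries per client bounds the absolute size of the pulse, and a shorter upstream timeout shrinks the concentration factor.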

Alarming Findings from Extensive Evaluations

Researchers from Tsinghua University and FireXCore evaluated DNSBomb against 10 mainstream DNS software implementations, 46 public DNS services, and roughly 1.8 million open DNS resolvers on the internet. The results were alarming: every resolver tested could be abused, and the resulting pulses were stronger than those of earlier pulsing DoS attacks. In small-scale experiments the peak pulse approached 8.7 Gbps, with a bandwidth amplification factor (peak pulse bandwidth divided by the attacker’s average sending bandwidth) exceeding 20,000.

These findings show that DNSBomb could disrupt services across the global internet using only weaknesses in how DNS infrastructure is deployed and configured. That makes it a natural addition to the toolkit of DDoS botnet herders and DDoS-for-hire services, which already reflect traffic off open resolvers.

Mitigation and Industry Response

In response to the discovery, the researchers proposed mitigations and responsibly disclosed their findings to all affected vendors. To date, 24 vendors, including the maintainers of BIND, Unbound, PowerDNS, and Knot, are patching their software along the lines of those proposals, which broadly bound how long and how many queries a resolver will hold open for a single client and limit how fast held responses are released. In addition, 10 CVE-IDs have been assigned to the weaknesses DNSBomb exploits:

  • Industry-wide: CVE-2024-33655
  • Knot: CVE-2023-49206
  • Simple DNS Plus: CVE-2023-49205
  • Technitium: CVE-2023-28456, CVE-2023-49203
  • MaraDNS: CVE-2023-49204
  • Dnsmasq: CVE-2023-28450, CVE-2023-49207
  • CoreDNS: CVE-2023-28454, CVE-2023-49202
  • SDNS: CVE-2023-49201

FireXCore emphasizes that DNS is not the only candidate: any system that holds requests and then returns many responses at once, such as Content Delivery Networks (CDNs) and other aggregating services, could be used to construct the same pulsing DoS traffic. The cybersecurity community is urged to join efforts in further investigating and mitigating the DNSBomb threat. These findings underscore the importance of continuous vigilance and innovation in the face of evolving cyber threats.


Protecting Against the DNSBomb DoS Attack

Protecting against DNSBomb means reducing both the chance that your resolvers become a pulse source and the chance that your network becomes the target. Resolver operators should upgrade to the vendor releases that address the CVEs above and, where the software offers them, enable the new limits on per-client outstanding queries and upstream timeouts. Do not run an open resolver: restrict recursion to your own clients (for example with access-control in unbound.conf or allow-recursion in named.conf), because the attack depends on resolvers that answer queries from arbitrary, spoofed sources. Enable response rate limiting, and deploy ingress filtering (BCP 38) so that hosts on your network cannot send packets with forged source addresses. For potential targets, monitoring must look at sub-second traffic: a DNSBomb pulse lasts a fraction of a second, so per-minute bandwidth averages will hide it. Alert on short bursts of DNS responses arriving for queries your network never sent. Finally, keep DNS software patched and maintain an incident response plan that covers DNS reflection.
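As an added example of the sub-second monitoring described above (not code from the page’s authors or from any DNS vendor), the following script runs a simple detector over resolver query/response logs. The log format is a constructed one assumed for the example (timestamp, Q or R, client address, query id, name, byte size), the sample lines are generated inline, and the thresholds are assumed starting points to tune against your own traffic. It flags a client whose queries were held open for a long time and then answered in a burst of large responses, which is exactly what a DNSBomb-abused resolver does toward its victim.

```python
"""Detect the DNSBomb pattern in resolver logs (added example, not vendor code).

Log format is constructed for this example, one packet per line:
    <timestamp_s> <Q|R> <client_ip> <query_id> <qname> <bytes>
A resolver being used as a DNSBomb source shows, for one client address, many
queries that stay unanswered for seconds and are then answered within a
fraction of a second with responses far larger than the queries.
"""
from collections import defaultdict


def sample_log() -> list[str]:
    """Constructed sample traffic: two ordinary clients and one spoofed victim."""
    lines = []
    # 192.0.2.10: 20 ordinary queries, each answered 30 ms later with a 120-byte reply.
    for k in range(20):
        t = k * 0.5
        lines.append(f"{t:.4f} Q 192.0.2.10 {k} www.example.com 60")
        lines.append(f"{t + 0.03:.4f} R 192.0.2.10 {k} www.example.com 120")
    # 192.0.2.20: large (DNSSEC-sized) answers, but returned quickly, so no hold-up.
    for k in range(20):
        t = k * 0.5 + 0.1
        lines.append(f"{t:.4f} Q 192.0.2.20 {k} mail.example.org 70")
        lines.append(f"{t + 0.04:.4f} R 192.0.2.20 {k} mail.example.org 1500")
    # 198.51.100.7 (spoofed victim): 300 queries trickled over ~9 s for unique
    # names under the attacker's domain, all answered in a 60 ms burst at t=10.
    for i in range(300):
        lines.append(f"{i * 0.03:.4f} Q 198.51.100.7 {i} q{i}.attacker.example 70")
        lines.append(f"{10.0 + i * 0.0002:.4f} R 198.51.100.7 {i} q{i}.attacker.example 4000")
    return lines


def parse(lines):
    """Yield (ts, kind, client, qid, qname, size) tuples from log lines."""
    for line in lines:
        ts, kind, client, qid, qname, size = line.split()
        yield float(ts), kind, client, int(qid), qname, int(size)


def match_responses(events):
    """Pair each response with its query; return per-client (hold_s, ratio, response_ts)."""
    pending = {}
    per_client = defaultdict(list)
    for ts, kind, client, qid, qname, size in sorted(events):
        key = (client, qid, qname)
        if kind == "Q":
            pending[key] = (ts, size)
        elif key in pending:
            qts, qsize = pending.pop(key)
            per_client[client].append((ts - qts, size / qsize, ts))
    return per_client


def largest_burst(times, window):
    """Max number of timestamps falling in any sliding window of `window` seconds."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] < window:
            j += 1
        best = max(best, j - i)
    return best


def detect(lines, min_hold=1.0, burst_window=0.5, min_burst=100, min_ratio=10.0):
    """Return one alert per client that shows all three DNSBomb signals.

    Thresholds are assumed starting points: queries held >= min_hold seconds,
    at least min_burst of them answered within burst_window seconds, and an
    average response/query size ratio of at least min_ratio."""
    alerts = []
    for client, recs in match_responses(parse(lines)).items():
        held = [(rts, ratio) for hold, ratio, rts in recs if hold >= min_hold]
        if len(held) < min_burst:
            continue
        burst = largest_burst([t for t, _ in held], burst_window)
        avg_ratio = sum(r for _, r in held) / len(held)
        if burst >= min_burst and avg_ratio >= min_ratio:
            alerts.append({"client": client, "held": len(held),
                           "burst": burst, "ratio": round(avg_ratio, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print("possible DNSBomb reflection toward", alert)
```

Requiring all three signals together keeps ordinary traffic quiet: the DNSSEC client gets big answers but they come back in milliseconds, and a slow upstream alone produces long holds without a burst. In production the same logic would run over a dnstap or packet-capture feed rather than generated lines, and the per-client key should be widened to a netblock, since an attacker can spread the spoofed source across a victim’s prefix.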

Tools:

XMap: The Internet Scanner, a fast network scanner that can be used to enumerate open resolvers in your own address space so they can be closed or restricted.


Stay updated with FireXCore on the latest in cybersecurity to safeguard your digital assets and stay ahead of potential threats. Subscribe to our newsletter for more insights and updates on the evolving landscape of cyber threats and security measures.

FAQ

In this section, we have answered your frequently asked questions to provide you with the necessary guidance.

  • What is the DNSBomb DoS attack, and how does it work?

    DNSBomb is a pulsing Denial of Service (DoS) attack that abuses ordinary behaviour of DNS recursive resolvers. The attacker sends a slow trickle of source-spoofed queries, for names under a domain the attacker controls, to resolvers; the attacker’s authoritative server withholds its answers until just before the resolvers’ timeout, so the queries pile up, and then answers all of them at once with large responses. The resolvers forward those responses to the spoofed source, the victim, in one high-volume pulse.

  • How does DNSBomb differ from traditional DDoS attacks?

    Traditional volumetric DDoS attacks flood a target with a constant stream of traffic, which is comparatively easy to measure and rate-limit. DNSBomb instead sends a low-rate stream that the resolvers hold and release simultaneously, so the victim sees short, very intense pulses separated by quiet periods. Combined with response-size amplification, this gives a far higher peak-to-average ratio than ordinary DNS reflection while keeping the attacker’s own bandwidth small.

  • What were the findings from the evaluations conducted on DNSBomb?

    Researchers from Tsinghua University and FireXCore found that every DNS resolver they tested could be exploited by DNSBomb, and that the resulting pulses were stronger than those of previous pulsing DoS attacks. Small-scale experiments showed peak pulse magnitudes approaching 8.7 Gbps and a bandwidth amplification factor of over 20,000, indicating the attack’s significant potential for disruption.

  • What mitigation solutions have been proposed for DNSBomb?

    The researchers proposed mitigations and reported their findings to the affected vendors. Vendors including the maintainers of BIND, Unbound, PowerDNS, and Knot are patching their software, and 10 CVE-IDs have been assigned to the weaknesses DNSBomb exploits. For operators, the practical steps are to apply those patches, not to run open resolvers, to rate-limit responses, and to filter spoofed source addresses at the network edge, backed by monitoring and an incident response plan.

  • How can organizations protect themselves from the DNSBomb attack?

    Organizations should keep DNS software patched, restrict recursion to their own clients, enable response rate limiting, and deploy BCP 38 ingress filtering so their networks cannot originate spoofed queries. Monitoring should be able to see sub-second bursts, since a DNSBomb pulse is brief, and staying informed about new DNS vulnerabilities is essential. Tools like XMap: The Internet Scanner can help enumerate open resolvers in your own address space that should be closed.