Speaker
Description
In this talk, we present a new DNS amplification attack named TsuKing. Instead of exploiting individual DNS resolvers independently to achieve an amplification effect, TsuKing deftly coordinates numerous vulnerable DNS resolvers and crafted queries together to form potent DoS amplifiers. We demonstrate that with TsuKing, an initial small amplification factor can increase exponentially through the internal layers of coordinated amplifiers, resulting in an extremely powerful amplification attack. TsuKing has three variants, including DNSRetry, DNSChain, and DNSLoop, all of which exploit a suite of inconsistent DNS implementations to achieve an enormous amplification effect. We conducted comprehensive measurements and evaluations to demonstrate the feasibility of TsuKing. In particular, we found that about 11.7% of 1.3M open DNS resolvers are potentially vulnerable to being exploited by TsuKing. And real-world controlled evaluations indicated that adversaries can achieve an amplification factor of at least 3,700×. We have reported the above vulnerabilities to all relevant vendors and also provided them with our recommendations for mitigation. We have received positive responses from 5 vendors, such as Unbound, confirming the issues, and got 3 CVE numbers. Some of the vendors are actively implementing our recommendations.
