26–27 Oct 2024
Clarion Congress Hotel Prague
Europe/Prague timezone

DNSBomb: A New Practical-and-Powerful Pulsing DoS Attack Exploiting DNS Queries-and-Responses

26 Oct 2024, 11:45
10m
Tycho/Kepler Rooms (Clarion Congress Hotel Prague)
Freyova 33, Praha 9 - Vysočany, 190 00, Česká republika
Remote Panel, Main Session, Session 2

Speaker

Prof. Xiang Li (Nankai University)

Description

DNSBomb is a new practical and powerful pulsing DoS attack exploiting DNS queries and responses.

DNS employs a variety of mechanisms to guarantee availability, protect security, and enhance reliability. In this paper, however, we reveal that these inherently beneficial mechanisms, including timeout, query aggregation, and response fast-returning, can be turned into malicious attack vectors. We propose a new practical and powerful pulsing DoS attack, dubbed the DNSBomb attack. DNSBomb exploits multiple widely implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify those queries into large responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst that overwhelms target systems simultaneously. Through an extensive evaluation of 10 mainstream DNS software implementations, 46 public DNS services, and around 1.8M open DNS resolvers, we demonstrate that all DNS resolvers could be exploited to conduct more practical and powerful DNSBomb attacks than previous pulsing DoS attacks. Small-scale experiments show that the peak pulse magnitude can approach 8.7 Gb/s and the bandwidth amplification factor could exceed 20,000x. Our controlled attacks cause complete packet loss or service degradation on both stateless and stateful connections (TCP, UDP, and QUIC). In addition, we present effective mitigation solutions with detailed evaluations. We have responsibly reported our findings to all affected vendors and received acknowledgement from 24 of them, which are patching their software using our solutions, including BIND, Unbound, PowerDNS, and Knot. 10 CVE-IDs have been assigned.

We conclude that ANY SYSTEM or MECHANISM that can aggregate "things" could be exploited to construct pulsing DoS traffic, DNS and CDNs being two examples.
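The abstract characterises a DNSBomb pulse by two numbers, the peak pulse magnitude and the bandwidth amplification factor, and by its shape: queries trickle in at a low rate, responses land together in a short burst. The following Python script is an added example, not code from the paper or its authors, that shows how a defender would measure those quantities from a packet trace and flag the pulsing shape. The trace is constructed inline (80-byte queries every 10 ms, 4000-byte responses released within 20 ms after an assumed 1 s hold), and the packet sizes, timings, window length and the 10x peak-to-mean threshold are all assumptions chosen for illustration, not measurements from the paper.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet seen on the wire: integer millisecond timestamp and size in bytes."""
    t_ms: int
    size: int


def make_constructed_trace():
    """Constructed sample trace (assumption, not data from the paper).

    100 queries of 80 bytes arrive one every 10 ms over one second, i.e. at a low
    rate. The resolver is assumed to hold them for about 1 s and then release
    100 responses of 4000 bytes each, spread over only 20 ms: the concentrated
    pulse the abstract describes.
    """
    queries = [Packet(t_ms=i * 10, size=80) for i in range(100)]
    responses = [Packet(t_ms=1000 + (i % 20), size=4000) for i in range(100)]
    return queries, responses


def bytes_per_window(packets, window_ms):
    """Sum packet bytes into fixed windows of window_ms milliseconds.

    Integer timestamps are used on purpose so that the window index is exact
    (float floor-division such as 1.0 // 0.01 does not give 100).
    """
    bins = defaultdict(int)
    for p in packets:
        bins[p.t_ms // window_ms] += p.size
    return dict(bins)


def peak_rate_bps(packets, window_ms):
    """Peak pulse magnitude: the busiest window, converted to bits per second."""
    bins = bytes_per_window(packets, window_ms)
    if not bins:
        return 0.0
    return max(bins.values()) * 8 * 1000 / window_ms


def amplification_factor(queries, responses):
    """Bandwidth amplification factor: response bytes divided by query bytes."""
    query_bytes = sum(q.size for q in queries)
    return sum(r.size for r in responses) / query_bytes if query_bytes else 0.0


def peak_to_mean(packets, window_ms, span_ms):
    """Peak window bytes divided by the mean window bytes over the whole span.

    Evenly spread traffic gives a ratio near 1; traffic concentrated into a
    few windows out of many gives a large ratio.
    """
    bins = bytes_per_window(packets, window_ms)
    if not bins:
        return 0.0
    n_windows = max(1, -(-span_ms // window_ms))  # ceil division
    mean = sum(bins.values()) / n_windows
    return max(bins.values()) / mean


def is_pulsing(packets, window_ms, span_ms, threshold=10.0):
    """Flag a flow whose bytes are concentrated far above its average rate.

    The threshold is an assumed tuning value; a deployment would calibrate it
    against its own baseline traffic.
    """
    return peak_to_mean(packets, window_ms, span_ms) > threshold


if __name__ == "__main__":
    q, r = make_constructed_trace()
    span = max(p.t_ms for p in q + r) + 1
    print("query peak  : %.0f bit/s" % peak_rate_bps(q, 10))
    print("response peak: %.0f bit/s" % peak_rate_bps(r, 10))
    print("amplification: %.1fx" % amplification_factor(q, r))
    print("queries pulsing?  ", is_pulsing(q, 10, span))
    print("responses pulsing?", is_pulsing(r, 10, span))
```

On the constructed trace the queries peak at 64 kbit/s and look flat, while the responses peak at 160 Mbit/s in a 10 ms window with a 50x amplification factor and a peak-to-mean ratio around 51, so only the response flow is flagged. The useful observation for monitoring is that the query side of a DNSBomb looks benign; the burst is only visible on the response side of the resolver, which is where rate and burst measurements belong.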

Talk duration 10 Minutes (+discussion panel time)

Primary authors

Prof. Xiang Li (Nankai University)
Mr Dashuai Wu (Tsinghua University)
Prof. Haixin Duan (Tsinghua University)
Prof. Qi Li (Tsinghua University)
