Description
Security Track - Protocol
Although DNS based attacks aren’t a regular part of the news cycle they’re extremely common. Visibility into data from numerous sources shows DDoS attacks using DNS as a vector has been growing steadily, on a trend to double over the past 6 ½ years. As a percentage of other forms of DDoS DNS made up 65% in Q2 2024, an all time high. Duration and intensity of attacks, and assets targeted, have...
DNSBomb is a new practical and powerful pulsing DoS attack exploiting DNS queries and responses.
DNS employs a variety of mechanisms to guarantee availability, protect security, and enhance reliability. In this paper, however, we reveal that these inherent beneficial mechanisms, including timeout, query aggregation, and response fast-returning, can be transformed into malicious attack...
Recent years have witnessed the discovery of a flurry of DoS vectors that can amplify a typically short name resolution process, e.g., with a single client request tricking recursive resolvers into generate hundreds or more queries. They enable an attacker to overwhelm a victim DNS server with substantially fewer requests than direct DDoS or Pseudo-random Subdomain attacks. We call this...
Due to the criticality of the KeyTrap vulnerabilities the task force assembled to address the issues decided to prefer fast, working fixes over elaborate long-term solutions. In consequence, the short-term mitigations are sufficient to prevent impactful attacks, but their propriety as long-term fixes is limited. In this talk we propose long-term solutions to address DNSSEC validation-based...
We will review different DNS DDoS vulnerabilities identified by academic institutions over the past five years, such as NXNS, NRDelegation, and the recent CacheFlush Attacks discovered by our group.
The commonalities, differences and causal relationships between these attacks will be highlighted.
We will then discuss how these vulnerabilities were discovered and explore whether there is a...
