Tuesday, June 25, 2024

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits DNS queries and responses.

This new attack has been termed “DNSBomb,” which transforms different security mechanisms employed by DNS, including reliability enhancement, security protection, timeout, query aggregation, and response fast-returning, into powerful attack vectors.

Additionally, the DNSBomb attack exploits other mechanisms, such as the accumulation of low-rate DNS queries, the amplification of queries into large-sized responses, and the articulated all DNS responses into a short, high-volume periodic burst that will overload the targeted system.

Further, the researchers also evaluated 10 mainstream DNS software, 46 public DNS services, and over 1.8 Million open DNS resolvers in which all of the DNS resolvers were exploited, which could potentially indicate the DNSBomb attack’s power and practicality.

It was also concluded that any system or mechanism, such as DNS or CDN, can be exploited to construct DoS traffic.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Technical Analysis

According to the reports shared with Cyber Security News, there have been more than 11 CVEs assigned for this DNSBomb attack which were associated with 

Further, the tool used by the researcher was XMap Internet Scanner, a fast network scanner designed to sweep internet-wide IPv4 and IPv6 network research scanning.

In addition, the research paper also specified that this DNSBomb attack was more powerful than the previous PDoS attack (Pulsating DoS Attack), a.k.a the Shrew Attack, which was first proposed in 2003 by Kuzmanovic and Knightly. 

However, it is challenging to synchronize the attack traffic from different bots at targeted servers, which reduces the attack’s effectiveness. 

Threat Model

The DNSBomb attack uses worldwide open DNS resolvers to generate short and periodic pulse traffic against the targeted server.

Nevertheless, an attacker must be capable of IP Spoofing. According to July 2023 statistics, 19.7% of IPv4 and 26.7% IPv6 are identified as IP-spoofable.

Threat Model (Source: DNSBomb)

An attacker can purchase a domain in any Domain registration platform and establish a controlled nameserver to initiate DNS queries towards the exploitable resolvers.

These DNS queries can affect any server or IP address of the targeted victims. 

In fact, the threat actor can impersonate any UP as the query’s source address and direct the response to that IP. 

Attack Workflow

The DNSBomb attack workflow uses three main methods: accumulating DNS queries, Amplifying the DNS queries, and Concentrating the DNS responses.

Accumulating the DNS queries uses as many DNS queries as possible at a very low rate on the exploitable resolver. 

Attack Workflow (Source: DNSBomb)

Following this, a small DNS query pack is amplified into a larger response packet via a controlled domain that returns large-sized responses by the resolver’s capability.

After accumulating several queries and amplifying them into larger responses, the responses are held until nearing the timeout of the owned nameserver (attacker-registered domain) for each query.

This is because of the reliability-enhancing DNS mechanism response, which is fast-returning and transmits all the packets as soon as possible.

This mechanism is now utilized to concentrate all the responses from the domain on the targeted server, which results in powerful pulsing DoS traffic.

 DNSBomb Experiment Results (Source: DNSBomb)

Furthermore, a complete report about this new attack technique has been published, which provides detailed information about the attack vector, workflow, prerequisites, techniques, and other aspects.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers


Latest articles

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...

Consulting Companies to Pay $11 Million Failing Cybersecurity Requirements

Two consulting companies, Guidehouse Inc. and Nan McKay and Associates, have agreed to pay...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles