DNSBomb: A New DoS Attack That Exploits DNS Queries

A new practical and powerful denial-of-service (DoS) attack has been discovered that exploits DNS queries and responses.

The attack has been named "DNSBomb." It turns mechanisms that DNS resolvers use for reliability and security, including query timeouts, query aggregation, and response fast-returning, into attack vectors.

DNSBomb combines three behaviours: accumulating low-rate DNS queries at a resolver, amplifying those small queries into large responses, and concentrating all the responses into a short, high-volume periodic burst that overloads the targeted system.

The researchers evaluated 10 mainstream DNS software implementations, 46 public DNS services, and over 1.8 million open DNS resolvers, and found all of them exploitable, which indicates the attack's power and practicality.

They also concluded that any system or mechanism that holds requests and answers them later, such as DNS or a CDN, can be exploited to construct this kind of pulsing DoS traffic.


Technical Analysis

According to the reports shared with Cyber Security News, more than 11 CVEs have been assigned for the DNSBomb attack, which were associated with

The researchers used XMap, a fast network scanner designed for Internet-wide IPv4 and IPv6 research scanning, to find the open resolvers.

The research paper also states that DNSBomb is more powerful than the classic pulsing DoS (PDoS) attack, also known as the Shrew attack, first proposed in 2003 by Kuzmanovic and Knightly.

A conventional PDoS attack relies on many bots firing at the same instant, and synchronizing their traffic so that it arrives at the target simultaneously is difficult, which reduces the attack's effectiveness. DNSBomb avoids this problem by letting the resolvers' own timeout and fast-return behaviour perform the synchronization.

Threat Model

The DNSBomb attack uses open DNS resolvers worldwide to generate short, periodic pulses of traffic against the targeted server.

The attacker must, however, be capable of IP spoofing. According to July 2023 statistics, 19.7% of IPv4 and 26.7% of IPv6 networks are identified as IP-spoofable.

Threat Model (Source: DNSBomb)

An attacker registers a domain with any registrar and runs a controlled authoritative nameserver for it, then sends queries for that domain to the exploitable resolvers.

Because the queries are sent over UDP, the attacker can put any IP address in the source field, and the resolvers direct their responses to that address. Any server or IP address can therefore be chosen as the victim.

Attack Workflow

The DNSBomb attack workflow has three stages: accumulating DNS queries, amplifying the queries, and concentrating the DNS responses.

Accumulation: the attacker sends as many queries as possible to the exploitable resolver, but at a very low rate, so that the resolver holds a large number of outstanding queries at once.

Attack Workflow (Source: DNSBomb)

Amplification: each small query packet is answered with a large response via the attacker's controlled domain, whose nameserver returns responses as large as the resolver is able to accept.

Concentration: once many queries have been accumulated and will each be amplified, the attacker's nameserver withholds its answers until just before the resolver's timeout expires for each query.

When the answers finally arrive, the resolver's response fast-returning mechanism, a reliability feature that forwards replies to clients as soon as possible, sends all the amplified responses to the spoofed source address at once.

This turns the resolver into a source of short, high-volume pulses of DoS traffic aimed at the targeted server.
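To make the accumulate/amplify/concentrate workflow concrete, the following added example (not code from the paper or the researchers) models a single resolver's behaviour and shows how the timing produces a pulse. All sizes, timeouts and the per-client pending-query cap are assumptions chosen to make the mechanism visible; the `detect_pulses` function is a simple victim-side check that flags the burst, and the "hardened" resolver illustrates how a shorter timeout and a cap on outstanding queries per client shrink the pulse.

```python
"""Toy model of the DNSBomb pulse: accumulate -> amplify -> concentrate.

Constructed example. The byte sizes, timeouts and caps are assumptions,
not measurements; the aim is to show why the timing creates a pulse.
"""
from collections import Counter
from dataclasses import dataclass

QUERY_BYTES = 60        # assumed: minimal spoofed UDP query for a fresh subdomain
RESPONSE_BYTES = 4000   # assumed: amplified answer from the attacker's nameserver
BUCKET = 0.01           # 10 ms accounting slots on the victim's link


@dataclass
class Resolver:
    timeout: float                 # seconds a recursive lookup stays pending
    max_pending_per_client: int    # cap on outstanding queries per source IP


def run_attack(resolver: Resolver, query_rate: float) -> Counter:
    """Return bytes delivered to the spoofed victim per BUCKET-wide time slot.

    Accumulate: the attacker spoofs the victim's IP and sends `query_rate`
    queries/s for the length of the resolver timeout, each for a fresh name
    under the attacker's domain so nothing is answered from cache.
    Amplify: every query is for a record the attacker's nameserver answers
    with RESPONSE_BYTES.
    Concentrate: the nameserver withholds every answer until just before the
    first query would time out, then answers all of them; the resolver's
    fast-return path forwards all responses to the victim together.
    """
    inbound = Counter()
    pending = []
    release = resolver.timeout - 0.001       # answer just before query 0 expires
    for i in range(int(query_rate * resolver.timeout)):
        t_sent = i / query_rate
        if t_sent >= release:
            break                            # too late to join this pulse
        if len(pending) >= resolver.max_pending_per_client:
            continue                         # resolver refuses to hold more for this client
        pending.append(t_sent)
    for _ in pending:
        inbound[int(release // BUCKET)] += RESPONSE_BYTES
    return inbound


def pulse_stats(inbound: Counter, query_rate: float) -> dict:
    """Peak victim inbound rate versus what the attacker actually sent."""
    peak_bps = max(inbound.values()) * 8 / BUCKET
    attacker_bps = query_rate * QUERY_BYTES * 8
    return {
        "burst_bytes": sum(inbound.values()),
        "peak_bps": peak_bps,
        "attacker_bps": attacker_bps,
        "pulse_gain": peak_bps / attacker_bps,
    }


def detect_pulses(inbound: Counter, horizon: float, factor: float = 20.0) -> list:
    """Flag slots whose byte count exceeds `factor` times the mean per-slot load.

    This is the shape a victim-side detector looks for: near-silence over the
    observation window (`horizon` seconds, idle slots included in the mean)
    punctuated by one slot carrying almost all of the traffic.
    """
    mean = sum(inbound.values()) / int(horizon / BUCKET)
    return sorted(slot * BUCKET for slot, v in inbound.items() if v > factor * mean)


if __name__ == "__main__":
    vulnerable = Resolver(timeout=5.0, max_pending_per_client=10_000)
    hardened = Resolver(timeout=1.0, max_pending_per_client=50)
    for name, r in (("vulnerable", vulnerable), ("hardened", hardened)):
        traffic = run_attack(r, query_rate=200)
        print(name, pulse_stats(traffic, 200), detect_pulses(traffic, horizon=r.timeout))
```

With the assumed numbers, 200 queries/s of 60-byte packets (about 96 kb/s from the attacker) become 1000 outstanding queries at the vulnerable resolver, all answered into one 10 ms slot as 4 MB, a peak of 3.2 Gb/s at the victim. The hardened resolver still emits a pulse, but the 50-query cap limits it to 200 kB, so the two defences the model exposes are shortening the timeout and bounding per-client outstanding queries.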

DNSBomb Experiment Results (Source: DNSBomb)

A complete report on the attack technique has been published, with detailed information about the attack vector, workflow, prerequisites, and techniques.


Eswar
