DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits DNS queries and responses.

This new attack has been termed “DNSBomb,” which transforms different security mechanisms employed by DNS, including reliability enhancement, security protection, timeout, query aggregation, and response fast-returning, into powerful attack vectors.

Additionally, the DNSBomb attack exploits other mechanisms, such as the accumulation of low-rate DNS queries, the amplification of queries into large-sized responses, and the articulated all DNS responses into a short, high-volume periodic burst that will overload the targeted system.

Further, the researchers also evaluated 10 mainstream DNS software, 46 public DNS services, and over 1.8 Million open DNS resolvers in which all of the DNS resolvers were exploited, which could potentially indicate the DNSBomb attack’s power and practicality.

It was also concluded that any system or mechanism, such as DNS or CDN, can be exploited to construct DoS traffic.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Technical Analysis

According to the reports shared with Cyber Security News, there have been more than 11 CVEs assigned for this DNSBomb attack which were associated with 

Further, the tool used by the researcher was XMap Internet Scanner, a fast network scanner designed to sweep internet-wide IPv4 and IPv6 network research scanning.

In addition, the research paper also specified that this DNSBomb attack was more powerful than the previous PDoS attack (Pulsating DoS Attack), a.k.a the Shrew Attack, which was first proposed in 2003 by Kuzmanovic and Knightly. 

However, it is challenging to synchronize the attack traffic from different bots at targeted servers, which reduces the attack’s effectiveness. 

Threat Model

The DNSBomb attack uses worldwide open DNS resolvers to generate short and periodic pulse traffic against the targeted server.

Nevertheless, an attacker must be capable of IP Spoofing. According to July 2023 statistics, 19.7% of IPv4 and 26.7% IPv6 are identified as IP-spoofable.

Threat Model (Source: DNSBomb)

An attacker can purchase a domain in any Domain registration platform and establish a controlled nameserver to initiate DNS queries towards the exploitable resolvers.

These DNS queries can affect any server or IP address of the targeted victims. 

In fact, the threat actor can impersonate any UP as the query’s source address and direct the response to that IP. 

Attack Workflow

The DNSBomb attack workflow uses three main methods: accumulating DNS queries, Amplifying the DNS queries, and Concentrating the DNS responses.

Accumulating the DNS queries uses as many DNS queries as possible at a very low rate on the exploitable resolver. 

Attack Workflow (Source: DNSBomb)

Following this, a small DNS query pack is amplified into a larger response packet via a controlled domain that returns large-sized responses by the resolver’s capability.

After accumulating several queries and amplifying them into larger responses, the responses are held until nearing the timeout of the owned nameserver (attacker-registered domain) for each query.

This is because of the reliability-enhancing DNS mechanism response, which is fast-returning and transmits all the packets as soon as possible.

This mechanism is now utilized to concentrate all the responses from the domain on the targeted server, which results in powerful pulsing DoS traffic.

DNSBomb Experiment Results (Source: DNSBomb)

Furthermore, a complete report about this new attack technique has been published, which provides detailed information about the attack vector, workflow, prerequisites, techniques, and other aspects.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers


Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt…

2 days ago

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a threat actor to read sensitive files…

2 days ago

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes. Resecurity researchers have recently revealed that…

2 days ago

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million Ecuadorian citizens. The announcement was made…

2 days ago

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery efforts following a recent cybersecurity breach.…

2 days ago

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection for Amazon Simple Storage Service (Amazon…

2 days ago