Wednesday, May 22, 2024

TsuNAME – DNS Bug That Allow Hackers to DDoS Authoritative DNS Servers

Researchers encountered a new vulnerability named “TsuNAME” in DNS Servers that allows attackers to exploit DDoS authoritative DNS servers.

The TsuNAME bug specifically affects the DNS resolvers that lead to exploiting the authoritative servers due to recursive resolvers by sending an extremely large amount of queries to the targeted authoritative servers.

The recursive resolver is also known as the DNS recursor that sits in the middle of the client and the DNS nameserver for helping the DNS server to communicate with other DNS servers to find the IP address and return to the client who is trying to connect with any website through a browser.

How does Attackers Exploit TsuNAME Bug

To exploit the TsuNAME vulnerability, attackers will initiate a large amount of malicious queries to the authoritative DNS servers that contain a Cyclic Dependency, an NS configuration error.

It leads to affect the ccTLD, TLDs and carry out a large amount of DDoS attacks on the DNS servers and also potentially affecting country-specific services.

Researchers explained that there are 3 things should necessarily presents during the attack of the following:-

  1. Cyclic dependent NS records
  2. Vulnerable recursive resolvers
  3. User queries to start/drive the process

During the investigation, researchers experience a large volume of traffic, roughly increase, from 800M to 1.2B daily queries ag .nz ccTLD(country code top-level domain).

According to the report “Upon investigation, the .nz operators determined that the cause of this surge in traffic was due to a configuration error in two domains only. The error was that the two domains were misconfigured with cyclic dependencies”

Soon after encountered this issue, the event only stopped after 16 days when .nz operators removing the cyclic dependency by removing the affected delegation.

“Due to TsuNAME bug, researchers also found that there is 50% traffic growth on .nz due to misconfiguration of 2 domains, and evident with an anonymous European ccTLD experienced 10x traffic growth when also two domains were misconfigured with cyclic dependencies.”

TsuNAME event at an Anonymous EU-based ccTLD operator.

Mitigation for TsuNAME Vulnerability

There is 2 important security measure that recommended by the researchers To mitigate the traffic surge from resolvers to authoritative servers caused by the TsuNAME vulnerability.

  • Do not loop in the presence of cyclic dependencies
  • Cache the results of cyclic dependent records.

Also, Authoritative server operators can use the open-source tool called ” CycleHunter” to prevent their DNS server from TsuNAME and reduce the impact and being compromised by hackers.

“We are happy that both Google and Cisco have mitigated this vulnerability in their resolver software. However, many old resolver software may still be vulnerable to tsuNAME, so we encourage resolver operators to follow our recommendations on our Security Advisory.” Researcher said.

Researchers has already use CycleHunter tool to analyse around 184 million domains based on seven TLDs, allowing them to detect 44 cyclic dependent NS records caused by the misconfiguration.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

OmniVision Technologies Cyber Attack, Hackers Stolen Personal Data in Ransomware Attack

OmniVision Technologies, Inc. (OVT) recently disclosed a significant security breach that compromised its clients'...

Critical Flaw In Confluence Server Let Attackers Execute Arbitrary Code

The widely used team workspace corporate wiki Confluence has been discovered to have a...

Threat Actors Leverage Bitbucket Artifacts to Breach AWS Accounts

In a recent investigation into Amazon Web Services (AWS) security breaches, Mandiant uncovered a...

Hackers Breached Western Sydney University Microsoft 365 & Sharepoint Environments

Western Sydney University has informed approximately 7,500 individuals today of an unauthorized access incident...

Memcyco Report Reveals Only 6% Of Brands Can Protect Their Customers From Digital Impersonation Fraud

Memcyco Inc., provider of digital trust technology designed to protect companies and their customers...

DoppelGänger Attack: Malware Routed Via News Websites And Social Media

A Russian influence campaign, DoppelGänger, leverages fake news websites (typosquatted and independent) to spread...

Critical Memory Corruption In Cloud Logging Infrastructure Enables Code Execution Attack

A new critical vulnerability has been discovered in Fluent Bit's built-in HTTP server, which...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles