Thursday, March 28, 2024

TsuNAME – DNS Bug That Allow Hackers to DDoS Authoritative DNS Servers

Researchers encountered a new vulnerability named “TsuNAME” in DNS Servers that allows attackers to exploit DDoS authoritative DNS servers.

The TsuNAME bug specifically affects the DNS resolvers that lead to exploiting the authoritative servers due to recursive resolvers by sending an extremely large amount of queries to the targeted authoritative servers.

The recursive resolver is also known as the DNS recursor that sits in the middle of the client and the DNS nameserver for helping the DNS server to communicate with other DNS servers to find the IP address and return to the client who is trying to connect with any website through a browser.

How does Attackers Exploit TsuNAME Bug

To exploit the TsuNAME vulnerability, attackers will initiate a large amount of malicious queries to the authoritative DNS servers that contain a Cyclic Dependency, an NS configuration error.

It leads to affect the ccTLD, TLDs and carry out a large amount of DDoS attacks on the DNS servers and also potentially affecting country-specific services.

Researchers explained that there are 3 things should necessarily presents during the attack of the following:-

  1. Cyclic dependent NS records
  2. Vulnerable recursive resolvers
  3. User queries to start/drive the process

During the investigation, researchers experience a large volume of traffic, roughly increase, from 800M to 1.2B daily queries ag .nz ccTLD(country code top-level domain).

According to the report “Upon investigation, the .nz operators determined that the cause of this surge in traffic was due to a configuration error in two domains only. The error was that the two domains were misconfigured with cyclic dependencies”

Soon after encountered this issue, the event only stopped after 16 days when .nz operators removing the cyclic dependency by removing the affected delegation.

“Due to TsuNAME bug, researchers also found that there is 50% traffic growth on .nz due to misconfiguration of 2 domains, and evident with an anonymous European ccTLD experienced 10x traffic growth when also two domains were misconfigured with cyclic dependencies.”

TsuNAME event at an Anonymous EU-based ccTLD operator.

Mitigation for TsuNAME Vulnerability

There is 2 important security measure that recommended by the researchers To mitigate the traffic surge from resolvers to authoritative servers caused by the TsuNAME vulnerability.

  • Do not loop in the presence of cyclic dependencies
  • Cache the results of cyclic dependent records.

Also, Authoritative server operators can use the open-source tool called ” CycleHunter” to prevent their DNS server from TsuNAME and reduce the impact and being compromised by hackers.

“We are happy that both Google and Cisco have mitigated this vulnerability in their resolver software. However, many old resolver software may still be vulnerable to tsuNAME, so we encourage resolver operators to follow our recommendations on our Security Advisory.” Researcher said.

Researchers has already use CycleHunter tool to analyse around 184 million domains based on seven TLDs, allowing them to detect 44 cyclic dependent NS records caused by the misconfiguration.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles