NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities
Yehuda Afek, Anat Bremler-Barr, and Lior Shafir

TL;DR
This paper identifies a new DNS vulnerability called NXNSAttack that causes large-scale packet storms, disrupting DNS services, and proposes a mitigation algorithm that effectively reduces attack impact without harming resolver performance.
Contribution
The paper introduces the NXNSAttack vulnerability, demonstrates its destructive potential, and proposes the MaxFetch(k) mitigation algorithm, which is implemented and shown to be effective in real-world DNS systems.
Findings
NXNSAttack can generate amplification factors over 1620x.
The MaxFetch(1) mitigation reduces attack impact without affecting resolver performance.
Several DNS resolver implementations have been patched following the vulnerability disclosure.
Abstract
This paper exposes a new vulnerability and introduces a corresponding attack, the NoneXistent Name Server Attack (NXNSAttack), that disrupts and may paralyze the DNS system, making it difficult or impossible for Internet users to access websites, web e-mail, online video chats, or any other online resource. The NXNSAttack generates a storm of packets between DNS resolvers and DNS authoritative name servers. The storm is produced by the response of resolvers to unrestricted referral response messages of authoritative name servers. The attack is significantly more destructive than NXDomain attacks (e.g., the Mirai attack): i) It reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) In addition to the negative cache, the attack also saturates the 'NS' section of the resolver caches. To mitigate the attack impact, we propose an…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · IPv6, Mobility, Handover, Networks, Security
