DOI: 10.1145/3487552.3487824
Research article (Public Access)

TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS

Published: 02 November 2021

ABSTRACT

The Internet's Domain Name System (DNS) is a part of every web request and e-mail exchange, so DNS failures can be catastrophic, taking out major websites and services. This paper identifies TsuNAME, a vulnerability where some recursive resolvers can greatly amplify queries, potentially resulting in a denial-of-service to DNS services. TsuNAME is caused by cyclical dependencies in DNS records. A recursive resolver repeatedly following these cycles, coupled with insufficient caching and application-level retries, greatly amplifies an initial query, stressing authoritative servers. Although issues with cyclic dependencies are not new, the scale of amplification has not previously been understood. We document real-world events in .nz (a country-level domain), where two misconfigured domains resulted in a 50% increase in overall traffic. We reproduce and document the root causes of this event through experiments, and demonstrate a 500× amplification factor. In response to our disclosure, several DNS software vendors have documented their mitigations, including Google Public DNS and Cisco OpenDNS. For operators of authoritative DNS services we have developed and released CycleHunter, an open-source tool that detects cyclic dependencies and prevents attacks. We use CycleHunter to evaluate roughly 184 million domain names in 7 large top-level domains (TLDs), finding 44 cyclically dependent NS records used by 1.4k domain names. The TsuNAME vulnerability is weaponizable, since an adversary can easily create cycles to attack the infrastructure of a parent domain. Documenting this threat and its solutions is an important step toward ensuring it is fully addressed.
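The cyclic-dependency check that the abstract attributes to CycleHunter, written out as an added example (this is not CycleHunter's code and not the authors'). It assumes a zone operator has exported its delegations as a constructed {zone: [NS hostnames]} map plus the set of NS hostnames for which glue (A/AAAA in the parent) is published. A zone is marked resolvable as soon as one of its nameservers is directly usable (glue, or a name in a zone outside the data set) or lives in a zone already known to be resolvable; the computation iterates to a fixed point, and every zone still unresolved afterwards depends only on itself or on other unresolved zones, which is exactly the cycle a resolver would loop on. All zone names, hostnames and function names below are assumptions.

```python
"""Detect delegations whose nameservers can never be resolved because they
form a cycle (the misconfiguration behind TsuNAME). Constructed example,
not CycleHunter's implementation."""
from typing import Dict, List, Optional, Set, Tuple

NSRecords = Dict[str, List[str]]          # zone -> NS hostnames
Edges = Dict[str, Dict[str, Optional[str]]]  # zone -> {ns -> zone it depends on}


def enclosing_zone(hostname: str, zones: Set[str]) -> Optional[str]:
    """Most specific delegated zone in `zones` that contains `hostname`.

    None means the nameserver lives somewhere we have no delegation data for;
    such names are treated as resolvable, since they are out of scope here.
    """
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def dependency_edges(ns_records: NSRecords, glue: Set[str]) -> Edges:
    """For each zone and each of its NS names, the zone that must be resolved
    before that NS name can be used. None = directly usable (glue present,
    or the name is outside the data set)."""
    zones = set(ns_records)
    edges: Edges = {}
    for zone, servers in ns_records.items():
        edges[zone] = {}
        for ns in servers:
            ns = ns.rstrip(".").lower()
            edges[zone][ns] = None if ns in glue else enclosing_zone(ns, zones)
    return edges


def find_cyclic_zones(ns_records: NSRecords, glue: Set[str]) -> Tuple[List[str], Edges]:
    """Least fixed point over 'resolvable'. Zones left over are stuck in a
    dependency cycle (including the self-cycle of an in-bailiwick NS with
    no glue). Returns (sorted stuck zones, the dependency edges)."""
    edges = dependency_edges(ns_records, glue)
    resolvable: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for zone, deps in edges.items():
            if zone in resolvable or not deps:
                continue
            if any(dep is None or dep in resolvable for dep in deps.values()):
                resolvable.add(zone)
                changed = True
    stuck = sorted(z for z, deps in edges.items() if deps and z not in resolvable)
    return stuck, edges


# Constructed sample delegations (not real zone data).
SAMPLE_NS: NSRecords = {
    "healthy.example": ["ns1.dns-provider.test"],       # NS outside the data set
    "glued.example": ["ns1.glued.example"],             # in-bailiwick, glue present
    "alpha.example": ["ns.beta.example"],               # two-zone cycle, no glue
    "beta.example": ["ns.alpha.example"],
    "gamma.example": ["ns.delta.example", "ns2.dns-provider.test"],  # has an escape
    "delta.example": ["ns.gamma.example"],              # resolves via gamma
    "noglue.example": ["ns1.noglue.example"],           # in-bailiwick, glue missing
}
SAMPLE_GLUE: Set[str] = {"ns1.glued.example"}


def report(ns_records: NSRecords, glue: Set[str]) -> None:
    stuck, edges = find_cyclic_zones(ns_records, glue)
    for zone in stuck:
        chain = ", ".join(f"{ns} -> needs {dep}" for ns, dep in edges[zone].items())
        print(f"CYCLE  {zone}: {chain}")
    if not stuck:
        print("no cyclic delegations found")


if __name__ == "__main__":
    report(SAMPLE_NS, SAMPLE_GLUE)
    # Publishing glue for one nameserver in the cycle breaks it for both zones.
    report(SAMPLE_NS, SAMPLE_GLUE | {"ns.alpha.example"})
```

Running this on the sample data flags alpha.example, beta.example and noglue.example; gamma.example and delta.example are not flagged because gamma has a second, independently resolvable nameserver, so a resolver has a way out. The second run shows the operator-side fix the paper's mitigation points at: adding glue (or any out-of-cycle nameserver) to one zone in the cycle makes every zone in it resolvable again.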


Published in

IMC '21: Proceedings of the 21st ACM Internet Measurement Conference
November 2021
768 pages
ISBN: 9781450391290
DOI: 10.1145/3487552
Copyright © 2021 ACM
Publisher

Association for Computing Machinery, New York, NY, United States