TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS. Moura, G. C. M., Castro, S., Heidemann, J., & Hardaker, W. In Proceedings of the ACM Internet Measurement Conference, pages 398–418, Virtual, November, 2021. ACM. DOI: https://doi.org/10.1145/3487552.3487824

Abstract: The Internet's Domain Name System (DNS) is a part of every web request and e-mail exchange, so DNS failures can be catastrophic, taking out major websites and services. This paper identifies TsuNAME, a vulnerability where some recursive resolvers can greatly amplify queries, potentially resulting in a denial-of-service to DNS services. TsuNAME is caused by cyclical dependencies in DNS records. A recursive resolver repeatedly follows these cycles; coupled with insufficient caching and application-level retries, this greatly amplifies an initial query, stressing authoritative servers. Although issues with cyclic dependencies are not new, the scale of amplification has not previously been understood. We document real-world events in .nz (a country-level domain), where two misconfigured domains resulted in a 50% increase in overall traffic. We reproduce and document root causes of this event through experiments, and demonstrate a 500x amplification factor. In response to our disclosure, several DNS software vendors have documented their mitigations, including Google Public DNS. For operators of authoritative DNS services we have developed and released CycleHunter, an open-source tool that detects cyclic dependencies and prevents attacks. We use CycleHunter to evaluate roughly 184 million domain names in 7 large top-level domains (TLDs), finding 44 cyclic dependent NS records used by 1.4k domain names. The TsuNAME vulnerability is weaponizable, since an adversary can easily create cycles to attack the infrastructure of a parent domain. Documenting this threat and its solutions is an important step to ensuring it is fully addressed.
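The abstract describes the root cause as a cyclic NS dependency: zone A's nameservers live in zone B and zone B's nameservers live in zone A, so a resolver that starts at either zone has to resolve the other first and never reaches an address. The following is an added example, not the paper's CycleHunter tool or any code from its authors, showing how such cycles can be found offline from parent-side delegation data. The delegation records and the glue set are constructed here for illustration; the modelling choices (a glue record breaks the dependency edge, an in-bailiwick NS name with no glue is reported as a one-zone cycle, and a zone that merely points at a cyclic zone is reported separately as "using" a cyclic NS record) are this example's own assumptions, not a description of CycleHunter's internals.

```python
"""Find cyclic NS dependencies in a set of delegations.

Added illustration for the TsuNAME abstract; it is not the paper's
CycleHunter tool.  All input below is constructed, not measured data.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Constructed parent-side NS records (zone -> nameserver hostnames).
# a.example. and b.example. host each other's nameservers, which is the
# cycle the paper describes; without glue neither can ever be resolved.
DELEGATIONS: Dict[str, List[str]] = {
    "a.example.": ["ns1.b.example.", "ns2.b.example."],
    "b.example.": ["ns1.a.example."],
    "c.example.": ["ns1.c.example."],                     # in-bailiwick, glued: fine
    "d.example.": ["ns1.c.example.", "ns1.a.example."],   # uses an NS inside the cycle
    "e.example.": ["ns.e.example."],                      # in-bailiwick, no glue (assumed failure mode)
}
# Constructed set of NS hostnames for which the parent publishes glue A/AAAA.
GLUE: Set[str] = {"ns1.c.example."}


def zone_of(nsname: str, zones: Iterable[str]) -> Optional[str]:
    """Return the delegated zone (longest suffix match) containing nsname, or None."""
    best = None
    for z in zones:
        if nsname == z or nsname.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def build_dependency_graph(delegations: Dict[str, List[str]], glue: Set[str]) -> Dict[str, Set[str]]:
    """Edge z -> w means: resolving z's NS names requires first resolving zone w.

    Assumption: a glued NS name needs no lookup, so it adds no edge.
    """
    graph: Dict[str, Set[str]] = {z: set() for z in delegations}
    for zone, nsnames in delegations.items():
        for ns in nsnames:
            if ns in glue:
                continue
            dep = zone_of(ns, delegations)
            if dep is not None:
                graph[zone].add(dep)
    return graph


def strongly_connected_components(graph: Dict[str, Set[str]]) -> List[Set[str]]:
    """Tarjan's algorithm; every cycle lies inside exactly one component."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    comps: List[Set[str]] = []

    def visit(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp: Set[str] = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(comp)

    for v in graph:
        if v not in index:
            visit(v)
    return comps


def find_cyclic_dependencies(delegations: Dict[str, List[str]], glue: Set[str]) -> List[FrozenSet[str]]:
    """Zones whose NS resolution depends on itself: multi-zone cycles and glue-less self-references."""
    graph = build_dependency_graph(delegations, glue)
    cycles = []
    for comp in strongly_connected_components(graph):
        if len(comp) > 1 or any(v in graph[v] for v in comp):
            cycles.append(frozenset(comp))
    return sorted(cycles, key=lambda c: sorted(c))


def domains_using_cyclic_ns(delegations: Dict[str, List[str]], glue: Set[str]) -> Set[str]:
    """Zones outside any cycle that still delegate to an NS name inside one (they feed the loop)."""
    graph = build_dependency_graph(delegations, glue)
    cyclic = set().union(*find_cyclic_dependencies(delegations, glue)) if graph else set()
    return {z for z, deps in graph.items() if z not in cyclic and deps & cyclic}


if __name__ == "__main__":
    for cyc in find_cyclic_dependencies(DELEGATIONS, GLUE):
        print("cyclic dependency:", ", ".join(sorted(cyc)))
    print("zones using a cyclic NS:", sorted(domains_using_cyclic_ns(DELEGATIONS, GLUE)))
```

Adding glue for any one nameserver in the a/b loop removes that dependency edge and the cycle disappears, which is the operator-side fix implied by the abstract; the e.example. case stays flagged because its only NS name is inside itself and unglued.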
@InProceedings{Moura21b,
author = "Giovane C. M. Moura and Sebastian Castro and
John Heidemann and Wes Hardaker",
title = "{TsuNAME}: exploiting misconfiguration and vulnerability to {DDoS} {DNS}",
booktitle = "Proceedings of the " # "ACM Internet Measurement Conference",
year = 2021,
sortdate = "2021-11-02",
project = "ant, lacanic, paaddos, ddidd",
jsubject = "network_security",
pages = "398--418",
month = nov,
address = "Virtual",
publisher = "ACM",
jlocation = "johnh: pafile",
keywords = "anycast, dns, tcp, latency, root, .nl-tld, tsuname, vulnerability",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Moura21b.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Moura21b.pdf",
doi = "https://doi.org/10.1145/3487552.3487824",
abstract = "The Internet's Domain Name System (DNS) is a part of every web request
and e-mail exchange, so DNS failures can be catastrophic, taking out
major websites and services. This paper identifies TsuNAME, a
vulnerability where some recursive resolvers can greatly amplify
queries, potentially resulting in a denial-of-service to DNS services.
TsuNAME is caused by cyclical dependencies in DNS records. A
recursive resolver repeatedly follows these cycles, coupled with
insufficient caching and application-level retries greatly amplify an
initial query, stressing authoritative servers. Although issues with
cyclic dependencies are not new, the scale of amplification has not
previously been understood. We document real-world events in .nz (a
country-level domain), where two misconfigured domains resulted in a
50\% increase in overall traffic. We reproduce and document root
causes of this event through experiments, and demonstrate a 500x
amplification factor. In response to our disclosure, several DNS
software vendors have documented their mitigations, including Google
public DNS. For operators of authoritative DNS services we have
developed and released CycleHunter, an open-source tool that detects
cyclic dependencies and prevent attacks. We use CycleHunter to
evaluate roughly 184 million domain names in 7 large, top-level
domains (TLDs), finding 44 cyclic dependent NS records used by 1.4k
domain names. The TsuNAME vulnerability is weaponizable, since an
adversary can easily create cycles to attack the infrastructure of a
parent domain. Documenting this threat and its solutions is an
important step to ensuring it is fully addressed.",
}