TsuNAME vulnerability and DDoS against DNS. Moura, G. C. M., Castro, S., Heidemann, J., & Hardaker, W. Technical Report ISI-TR-740, USC/Information Sciences Institute, May 2021.
The Internet's Domain Name System (DNS) is one of the core services on the Internet. Every web page visit requires a series of DNS queries, and large DNS failures may have cascading consequences, leading to unreachability of major websites and services. In this paper we present TsuNAME, a vulnerability in some DNS resolvers that can be exploited to carry out denial-of-service attacks against authoritative servers. TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records; when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers (we observe up to 5.6k queries/s). Using production data from .nz, the country-code top-level domain (ccTLD) of New Zealand, we show how only two misconfigured domains led to a 50% increase in overall traffic volume for the .nz authoritative servers. To understand this event, we reproduce TsuNAME using our own configuration, demonstrating that it could be used to overwhelm any DNS zone. A solution to TsuNAME requires changes to some recursive resolver software, by including loop detection code and caching cyclic dependent records. To reduce the impact of TsuNAME in the wild, we have developed and released CycleHunter, an open-source tool that allows authoritative DNS server operators to detect cyclic dependencies and avoid becoming victims of TsuNAME attacks. We use CycleHunter to evaluate roughly 184 million domain names in 7 large top-level domains (TLDs), finding 44 cyclic dependent NS records (likely from configuration errors) used by 1.4k domain names. However, a well-motivated adversary could easily weaponize this vulnerability. We have notified resolver developers and many TLD operators of this vulnerability. Working together with Google, we helped them mitigate their vulnerability to TsuNAME.
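The misconfiguration class described above, cyclic dependent NS records, can be spotted from the operator side before a resolver ever loops on it. The following is an added example, not code from the paper or from CycleHunter: it runs a dependency check over a constructed set of delegations (all names, NS hosts and glue below are made up) and flags every name whose nameservers can only be reached by first resolving that name itself, whether the cycle is direct, multi-hop, or a single in-bailiwick NS with missing glue.

```python
# Added example (not the paper's or CycleHunter's code): detect cyclic NS dependencies.
# A name is "cyclic dependent" when every path to an address for its NS hosts leads
# back to the name itself, so no resolver can ever reach its authoritative servers.

# Constructed sample delegations: delegated name -> NS hostnames listed for it.
NS_RECORDS = {
    "example.nz.":  ["ns1.example.net.", "ns2.example.net."],   # direct two-way cycle
    "example.net.": ["ns1.example.nz.",  "ns2.example.nz."],
    "healthy.nz.":  ["ns1.healthy.nz.",  "ns2.hoster.com."],    # fine: glue and external host
    "hoster.com.":  ["ns1.hoster.com."],
    "chain-a.nz.":  ["ns.chain-b.net."],                        # three-hop cycle
    "chain-b.net.": ["ns.chain-c.org."],
    "chain-c.org.": ["ns.chain-a.nz."],
    "noglue.nz.":   ["ns1.noglue.nz."],                         # in-bailiwick NS, no glue
}
# Constructed: NS hostnames whose addresses the parent zone publishes as glue records.
GLUE = {"ns1.healthy.nz.", "ns1.hoster.com."}


def owner_of(host):
    """Closest enclosing delegated name that must be resolved to find `host`'s address.
    Returns None when no name in NS_RECORDS encloses the host (treated as external)."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in NS_RECORDS:
            return candidate
    return None


def resolvable(domain, in_progress=frozenset()):
    """True if at least one NS of `domain` is reachable without resolving `domain` first."""
    if domain in in_progress:        # back at a name still being resolved: this path is a cycle
        return False
    stack = in_progress | {domain}
    for ns_host in NS_RECORDS.get(domain, []):
        if ns_host in GLUE:          # parent hands out the address directly
            return True
        owner = owner_of(ns_host)
        if owner is None:            # served from outside our data: assume reachable
            return True
        if resolvable(owner, stack):
            return True
    return False


def find_cyclic_dependencies():
    """Names whose NS set cannot be reached at all: the TsuNAME trigger condition."""
    return sorted(name for name in NS_RECORDS if not resolvable(name))
```

Running `find_cyclic_dependencies()` on the sample data flags the two-way pair, the three-hop chain and the glue-less in-bailiwick name, while `healthy.nz.` and `hoster.com.` pass.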
@TechReport{Moura21a,
	author = 	"Giovane C. M. Moura and Sebastian Castro and John Heidemann and
        		Wes Hardaker",
	title = 	"{TsuNAME} vulnerability and {DDoS} against {DNS}",
	institution = 	"USC/Information Sciences Institute",
	year = 		2021,
	month = 	may,
	sortdate = "2020-05-11",
	project = "ant, lacanic, paaddos, ddidd",
	jsubject = "network_security",
	number = 	"ISI-TR-740",
	jlocation = 	"johnh: pafile",
	keywords = 	"anycast, dns, tcp, latency, root, .nl-tld, tsuname, vulnerability",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Moura21a.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Moura21a.pdf",
	otherurl = "https://www.isi.edu/publications/trpublic/pdfs/isi-tr-740.pdf",
	otherotherurl = "https://tsuname.io/tech_report.pdf",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "authors",
	abstract = "
The Internet's Domain Name System (DNS) is one of the core services on
the Internet. Every web page visit requires a series of DNS queries, and
large DNS failures may have cascading consequences, leading to
unreachability of major websites and services. In this paper we present
TsuNAME, a vulnerability in some DNS resolvers that can be exploited to
carry out denial-of-service attacks against authoritative
servers. TsuNAME occurs when domain names are misconfigured with cyclic
dependent DNS records; when vulnerable resolvers access these
misconfigurations, they begin looping and send DNS queries rapidly to
authoritative servers and other resolvers (we observe up to 5.6k
queries/s). Using production data from .nz, the country-code top-level
domain (ccTLD) of New Zealand, we show how only two misconfigured
domains led to a 50\% increase in overall traffic volume for the .nz
authoritative servers. To understand this event, we reproduce TsuNAME
using our own configuration, demonstrating that it could be used to
overwhelm any DNS zone. A solution to TsuNAME requires changes to some
recursive resolver software, by including loop detection code and
caching cyclic dependent records. To reduce the impact of TsuNAME in the
wild, we have developed and released CycleHunter, an open-source tool
that allows authoritative DNS server operators to detect cyclic
dependencies and avoid becoming victims of TsuNAME attacks. We use
CycleHunter to evaluate roughly 184 million domain names in 7 large
top-level domains (TLDs), finding 44 cyclic dependent NS records (likely
from configuration errors) used by 1.4k domain names. However, a
well-motivated adversary could easily weaponize this vulnerability. We have
notified resolver developers and many TLD operators of this
vulnerability. Working together with Google, we helped them mitigate
their vulnerability to TsuNAME.",
}
