TsuNAME vulnerability and DDoS against DNS. Moura, G. C. M., Castro, S., Heidemann, J., & Hardaker, W. Technical Report ISI-TR-740, USC/Information Sciences Institute, May 2021.

Abstract: The Internet's Domain Name System (DNS) is one of the core services on the Internet. Every web page visit requires a series of DNS queries, and large DNS failures may have cascading consequences, leading to unreachability of major websites and services. In this paper we present TsuNAME, a vulnerability in some DNS resolvers that can be exploited to carry out denial-of-service attacks against authoritative servers. TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers (we observe up to 5.6k queries/s). Using production data from .nz, the country-code top-level domain (ccTLD) of New Zealand, we show how only two misconfigured domains led to a 50% increase in overall traffic volume for .nz's authoritative servers. To understand this event, we reproduce TsuNAME using our own configuration, demonstrating that it could be used to overwhelm any DNS zone. A solution to TsuNAME requires changes to some recursive resolver software, by including loop detection code and caching cyclic dependent records. To reduce the impact of TsuNAME in the wild, we have developed and released CycleHunter, an open-source tool that allows authoritative DNS server operators to detect cyclic dependencies and prevent becoming victims of TsuNAME attacks. We use CycleHunter to evaluate roughly 184 million domain names in 7 large top-level domains (TLDs), finding 44 cyclic dependent NS records (likely from configuration errors) used by 1.4k domain names. However, a well-motivated adversary could easily weaponize this vulnerability.
We have notified resolver developers and many TLD operators of this vulnerability. Working together with Google, we helped them mitigate their vulnerability to TsuNAME.
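The cyclic dependency the abstract describes, as an added example that is not part of the report and not the authors' CycleHunter tool: a small Python check over a constructed delegation table that finds zones whose NS records can only be resolved through each other, plus a simulated resolver dependency chase showing why a resolver with loop detection (or a query budget) stops while a naive one keeps querying. The zone names, NS hostnames and function names below are invented for illustration; real CycleHunter works from TLD zone files and live DNS queries.

```python
"""Detect cyclic NS dependencies in a delegation table and simulate the
resolver-side loop. Added example with constructed data, not real zones."""
from collections import defaultdict

# Constructed sample delegations: child zone -> its NS hostnames (all FQDNs).
# example.nz/example.com point at each other's name servers (a 2-cycle),
# a/b/c.test form a 3-cycle, and the remaining zones are healthy.
SAMPLE_DELEGATIONS = {
    "example.nz.":   ["ns1.example.com.", "ns2.example.com."],
    "example.com.":  ["ns1.example.nz.", "ns2.example.nz."],
    "a.test.":       ["ns.b.test."],
    "b.test.":       ["ns.c.test."],
    "c.test.":       ["ns.a.test."],
    "healthy.nz.":   ["ns1.healthy.nz.", "ns2.provider.net."],  # in-bailiwick glue + external
    "provider.net.": ["a.provider.net.", "b.provider.net."],    # self-hosted
    "loopy.org.":    ["ns.loopy.org."],                          # self-hosted, not a cycle
}


def zone_of(hostname, delegations):
    """Return the delegated zone in the table that `hostname` lies under
    (longest matching suffix), or None if no known zone contains it."""
    best = None
    for zone in delegations:
        if hostname == zone or hostname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def dependency_graph(delegations):
    """Edge A -> B means resolving one of A's NS hostnames needs B's
    delegation. NS names inside A itself (in-bailiwick glue) add no edge."""
    graph = defaultdict(set)
    for zone, ns_hosts in delegations.items():
        for host in ns_hosts:
            owner = zone_of(host, delegations)
            if owner is not None and owner != zone:
                graph[zone].add(owner)
    return graph


def find_cycles(delegations):
    """DFS over the dependency graph; returns each cycle met as a list of
    zones with the starting zone repeated at the end (at least one cycle
    per cyclic component is reported)."""
    graph = dependency_graph(delegations)
    cycles, state, path = [], {}, []

    def dfs(zone):
        state[zone] = "active"
        path.append(zone)
        for nxt in sorted(graph.get(zone, ())):
            if state.get(nxt) == "active":          # back edge: cycle closed
                cycles.append(path[path.index(nxt):] + [nxt])
            elif nxt not in state:
                dfs(nxt)
        path.pop()
        state[zone] = "done"

    for zone in sorted(delegations):
        if zone not in state:
            dfs(zone)
    return cycles


def chase(zone, delegations, detect_loops=True, max_queries=20):
    """Simulate a resolver chasing the NS dependency chain for `zone`, one
    query per hop. With detect_loops it stops on the first revisited zone;
    without it, only the query budget ends the chase. A resolver with
    neither is what keeps hammering the authoritative servers."""
    graph = dependency_graph(delegations)
    visited, current, queries = set(), zone, 0
    while queries < max_queries:
        queries += 1
        if detect_loops and current in visited:
            return ("cycle-detected", queries)
        visited.add(current)
        deps = graph.get(current)
        if not deps:
            return ("resolved", queries)
        current = sorted(deps)[0]
    return ("gave-up", queries)


if __name__ == "__main__":
    for cyc in find_cycles(SAMPLE_DELEGATIONS):
        print("cycle:", " -> ".join(cyc))
    for z in ("healthy.nz.", "example.nz."):
        print(z, chase(z, SAMPLE_DELEGATIONS), chase(z, SAMPLE_DELEGATIONS, detect_loops=False))
```

The operator-side check (`find_cycles`) is what an authoritative operator would run over its delegations before a misconfiguration reaches vulnerable resolvers; the resolver-side `chase` shows the two fixes the abstract names, a loop check that fails the lookup after one revisit versus a bare budget that still spends every allowed query on the cycle.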
@TechReport{Moura21a,
author = "Giovane C. M. Moura and Sebastian Castro and John Heidemann and
Wes Hardaker",
title = "{TsuNAME} vulnerability and {DDoS} against {DNS}",
institution = "USC/Information Sciences Institute",
year = 2021,
month = may,
sortdate = "2020-05-11",
project = "ant, lacanic, paaddos, ddidd",
jsubject = "network_security",
number = "ISI-TR-740",
jlocation = "johnh: pafile",
keywords = "anycast, dns, tcp, latency, root, .nl-tld, tsuname, vulnerability",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Moura21a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Moura21a.pdf",
otherurl = "https://www.isi.edu/publications/trpublic/pdfs/isi-tr-740.pdf",
otherotherurl = "https://tsuname.io/tech_report.pdf",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "authors",
abstract = "
The Internet's Domain Name System (DNS) is one of the core services on
the Internet. Every web page visit requires a series of DNS queries, and
large DNS failures may have cascading consequences, leading to
unreachability of major websites and services. In this paper we present
TsuNAME, a vulnerability in some DNS resolvers that can be exploited to
carry out denial-of-service attacks against authoritative
servers. TsuNAME occurs when domain names are misconfigured with cyclic
dependent DNS records, and when vulnerable resolvers access these
misconfigurations, they begin looping and send DNS queries rapidly to
authoritative servers and other resolvers (we observe up to 5.6k
queries/s). Using production data from .nz , the country-code top-level
domain (ccTLD) of New Zealand, we show how only two misconfigured
domains led to a 50\% increase in overall traffic volume for .nz's
authoritative servers. To understand this event, we reproduce TsuNAME
using our own configuration, demonstrating that it could be used to
overwhelm any DNS Zone. A solution to TsuNAME requires changes to some
recursive resolver software, by including loop detection codes and
caching cyclic dependent records. To reduce the impact of TsuNAME in the
wild, we have developed and released CycleHunter, an open-source tool
that allows for authoritative DNS server operators to detect cyclic
dependencies and prevent becoming victims of TsuNAME attacks. We use
CycleHunter to evaluate roughly 184 million domain names in 7 large,
top-level domains (TLDs), finding 44 cyclic dependent NS records (likely
from configuration errors) used by 1.4k domain names. However, a well
motivated adversary could easily weaponize this vulnerability. We have
notified resolver developers and many TLD operators of this
vulnerability. Working together with Google, we helped them mitigate
their vulnerability to TsuNAME.",
}