2018

DNS Unchained: Amplified Application-Layer DoS Attacks Against DNS Authoritatives

Jonas Bushart, Christian Rossow. "DNS Unchained: Amplified Application-Layer DoS Attacks Against DNS Authoritatives". 21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018, Heraklion, Greece.
Abstract

We present DNS Unchained, a new application-layer DoS attack against core DNS infrastructure that for the first time uses amplification. To achieve an attack amplification of 8.51, we carefully chain CNAME records and force resolvers to perform deep name resolutions—effectively overloading a target authoritative name server with valid requests. We identify 178508 potential amplifiers, of which 74.3% can be abused in such an attack due to the way they cache records with low Time-to-Live values. In essence, this allows a single modern consumer uplink to downgrade availability of large DNS setups. To tackle this new threat, we conclude with an overview of countermeasures and suggestions for DNS servers to limit the impact of DNS chaining attacks.


Optimizing Recurrent Pulsing Attacks using Application-Layer Amplification of Open DNS Resolvers

Jonas Bushart. "Optimizing Recurrent Pulsing Attacks using Application-Layer Amplification of Open DNS Resolvers". 12th USENIX Workshop on Offensive Technologies (WOOT 18), Baltimore, MD, USA.
Abstract

Shrew attacks or pulsing attacks are low-bandwidth network-level/layer-3 denial-of-service attacks. They target TCP connections by selectively inducing packet loss to affect latency and throughput. We combine the recently presented DNS CNAME-chaining attack [5] with temporal lensing [24], a variant of pulsing attacks, to create a new, harder-to-block attack. For an attack, thousands of DNS resolvers have to be coordinated. We devise an optimization problem to find the perfect attack and solve it by using a genetic algorithm. The results show pulses created with our attack are 14 times higher than the attacker’s average bandwidth. Finally, we present countermeasures applicable to pulsing and CNAME-chaining, which also apply to this attack.


2015

Going Wild: Large-Scale Classification of Open DNS Resolvers

Marc Kührer, Thomas Hupperich, Jonas Bushart, Christian Rossow, Thorsten Holz. "Going Wild: Large-Scale Classification of Open DNS Resolvers". 15th ACM Internet Measurement Conference, IMC 2015, Tokyo, Japan.
Abstract

For several years, millions of recursive DNS resolvers have been, deliberately or not, open to the public. This, however, is counter-intuitive, since the operation of such openly accessible DNS resolvers is necessary in rare cases only. Furthermore, open resolvers enable both amplification DDoS and cache snooping attacks, and can be abused by attackers in multiple other ways. We thus find open recursive DNS resolvers to remain one critical phenomenon on the Internet.

In this paper, we illuminate this phenomenon by analyzing it from two different angles. On the one hand, we study the landscape of DNS resolvers based on empirical data we collected for over a year. We analyze the changes over time and classify the resolvers according to device type and software version. On the other hand, we take the viewpoint of a client and measure the response authenticity of these resolvers. Besides legitimate redirections (e.g., to captive portals or router login pages), we find millions of resolvers to deliberately manipulate DNS resolutions (i.e., return bogus IP address information). To understand this threat in more detail, we systematically analyze non-legitimate DNS responses and reveal open DNS resolvers that manipulate DNS resolutions to censor communication channels, inject advertisements, serve malicious files, perform phishing, or redirect to other kinds of suspicious or malicious activities.
