sb-eu logo
Story image

Vulnerability discovered in DNS recursive resolvers that can be abused to launch DDoS attacks against any victim

Researchers have discovered a vulnerability in the implementation of DNS recursive resolvers that can be abused to launch disruptive DDoS attacks against any victim, says cyber security and application delivery solutions provider Radware. 

The attack leveraging the vulnerability has been dubbed NXNSAttack by the researchers, who are academics from the Tel Aviv University and The Interdisciplinary Center in Israel.

Unlike DDoS floods or application-level DDoS attacks that directly target and impact a host or a service, the NXNSAttack targets the domain name resolution capability of its victims.

Like the NXDOMAIN or DNS Water Torture attack2, the DDoS attack is aimed at disrupting the authoritative servers of the domain by overloading them with invalid requests using random domain request floods through recursive DNS resolvers.

"This attack is hard to detect and mitigate at the authoritative server because the requests originate from legitimate recursive DNS servers. By disrupting name resolution for the domain, attackers effectively block access to all services provided under the domain," explains Radware. 

"New clients will not be able to resolve the hostname of the service while under attack because they have no way of locating the IP address to connect to the service."

Unlike the limited 3x packet amplification factor of the NXDOMAIN attack, the NXNSAttack provides packet amplification factors ranging from 74x when attacking a subdomain ( up to 1621x when targeting a recursive resolver.

The bandwidth amplification factors range between 21x for subdomain attacks and 163x when targeting a recursive resolver. Targeting root and top-level domain servers results in a packet amplification factor of 1071x and a bandwidth amplification factor of 99x. With high amplification rates and flexible targeting, NXNSAttack is a very capable attack vector which can be performed at scale.

Radware says researchers have since disclosed the vulnerability and approached vendors and providers who have already patched their software and servers.

The following DNS server implementations had a fix available at the moment of disclosure: ISC BIND (CVE-2020-8616), NLnet labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667).

In addition, the following open DNS recursive resolver providers have updated their services to mitigate the use of the vulnerability for DDoS attacks: Cloudflare, Google, Amazon, Microsoft, Oracle (DYN),Verisign, IBM Quad9, and ICANN. Other software and service providers have followed the announcement with fixes and patching.

"However, it is safe to assume that not all recursive resolvers, private and public, have been or ever will be patched," Radware says.

"The exposure to attacks or abuse of the vulnerability is not limited to just public recursive resolvers but also impacts private recursive resolvers located at ISPs, clouds or within organisations."

Radware says malicious actors have leveraged different kinds of bots in the past to launch random domain flood attacks and can leverage the same bots to conduct a NXNSAttack which disrupts any victim outside of the resolvers’ owners. 

"Easy access to source code for botnets such as Mirai that provide “out-of-the-box” support for random domain floods adds to the potential to perform these disruptive DDoS attacks," it explains.

"The victims have no immediate grasp on the risk they are exposed to. Any component of the authoritative DNS infrastructure, including the second level domain (, top level domain (.com, .info, …), and root name servers (‘.’) can be disrupted through recursive DNS resolvers that are outside of their control. Victims are at the mercy of DNS service providers."

Radware says recursive DNS providers can protect their own infrastructure and protect the internet from attacks by applying the fix provided by DNS software suppliers or by implementing the Max1Fetch solution proposed by the researchers in their paper. 

Alternatively, recursive DNS providers can protect their infrastructure against random domain floods through the aggressive use of DNSSEC-validated cache (RFC8198) or by leveraging Radware DefensePro for DNS protection.

"DNS over HTTPS (DOH) or DNS over TLS (DOT) does not providing protection against the NXNSAttack. The DOH and DOT protocols are aimed at providing privacy on the client side of the name resolving and does nothing to protect the authoritative side of the DNS infrastructure," Radware says. 

"Worst case, DOH and DOT can be leveraged as evasion techniques to hide random domain name floods from upstream network sensors and protections inside TLS encrypted data streams, rendering detection or mitigation of malicious DNS attacks impossible," it explains.

Radware says increasing the Time To Live (TTL) value of the domain zone will increase the resistance of services under the domain against authoritative domain server disruption, but will do so at the cost of the agility of the domain. 

"Moreover, this will only provide a solution for those clients behind resolvers that have cached the resolution at an earlier time and will not provide a complete or indefinite solution whilst the attack is ongoing.

"Resourceful and pervasive attackers can create an attack infrastructure to target any subdomain (, potentially impacting other subdomains provided by the same domain name server or service providers. Given enough resources, attacks can target top level domains such as ‘.com’, ‘.info’, ‘.us’, ‘.ca’, ‘.de’, etc. and even attempt to disrupt the internet’s root name servers."

Story image
CrowdStrike integrates with ServiceNow program to bolster incident response
As part of the move, users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.More
Story image
Video: 10 Minute IT Jams - The benefits of converged cloud security
Today, Techday speaks to Forcepoint senior sales engineer and solutions architect Matthew Bant, who discusses the benefits of a converged cloud security model, and the pandemic's role in complicating the security stack in organisations around the world.More
Story image
McAfee finds vulnerabilities in 'temi' the videoconferencing robot
Temi is commonly used in environments including businesses, healthcare, retail, hospitality, and other environments including the home.More
Story image
Gartner predicts 75% of CEOs to be liable for cyber-physical security incidents by 2024
The nature of CPSs means incidents can quickly lead to physical harm to people, destruction of property or environmental disasters – and Gartner’s new research indicates that these incidents will increase drastically in the next few years if the lack of spending on these assets continues.More
Story image
Acronis announces new security endpoint solution
The solution is an integration of data protection and cybersecurity which provides customers with effective endpoint protection in a landscape where the pointlessness of perimeter security is becoming more pronounced.More
Story image
Malware and email scams targeting employees spread rapidly in Q2
"Businesses must stay alert and should employ defense-in-depth tactics and equip themselves with multilayered security mechanisms, including high-sensor spam filters and a VPN connection, which would prevent malicious pages from opening."More