Firms like Google and Cloudflare raced to prevent an amplification attack that threatened to take down large portions of the internet with just a few hundred devices.
IN OCTOBER 2016, a botnet of hacked security cameras and internet routers called Mirai aimed a gargantuan flood of junk traffic at the servers of Dyn, one of the companies that provides the global directory for the web known as the Domain Name System or DNS. The attack took down Amazon, Reddit, Spotify, and Slack temporarily for users along the East Coast of the US. Now one group of researchers says that a vulnerability in DNS could allow a similar scale of attack, but requiring far fewer hacked computers. For months, the companies responsible for the internet’s phone book have been rushing to fix it.
Today researchers from Tel Aviv University and the Interdisciplinary Center of Herzliya in Israel released new details of a technique they say could allow a relatively small number of computers to carry out distributed denial of service attacks on a massive scale, overwhelming targets with fraudulent requests for information until they’re knocked offline. The DDoS technique, which the researchers called NXNSAttack, takes advantage of vulnerabilities in common DNS software. DNS converts the domain names you click or type into the address bar of your browser into IP addresses. But the NXNSAttack can cause an unwitting DNS server to perform hundreds of thousands of requests every time a hacker’s machine sends just one.
That multiplicative effect means that an attacker could use just a handful of hacked machines, or even their own devices, to carry out powerful DDoS attacks on DNS servers, potentially causing Mirai-scale disruption. “Mirai had like 100,000 IoT devices, and here I think you can have the same impact with only a few hundred devices,” says Lior Shafir, one of the Tel Aviv University researchers. “It’s a very serious amplification,” Shafir adds. “You could use this to knock down critical parts of the internet.”
Or at least, you could have a few months ago. Since February, the researchers have alerted a broad collection of companies responsible for the internet’s infrastructure to their findings. The researchers say those firms, including Google, Microsoft, Cloudflare, Amazon, Dyn (now owned by Oracle), Verisign, and Quad9 have all updated their software to address the problem, as have several makers of the DNS software those companies use.
While DNS amplification attacks aren’t new, NXNSAttack represents a particularly explosive one. In some cases, the researchers say, it’s capable of multiplying the bandwidth of just a few machines as much as 1,600-fold. And even after months of coordinated patching, corners of the internet may still remain vulnerable to the technique, says Dan Kaminsky, the chief scientist at security firm White Ops and a well-known DNS researcher. In 2008, Kaminsky found a fundamental flaw in DNS that threatened to allow hackers to redirect users trying to visit a website to a fraudulent site of their choosing, and similarly launched a coordinated fix across major DNS providers. Even then, it took months for Kaminsky’s flaw—one that was far more serious than NXNSAttack—to be close to fully patched.
“There are a million of these things, and even if some of them are patched, there will always be one that hasn’t gotten an update,” Kaminsky says of the DNS servers distributed around the internet. “This is very good work about how DNS can fail.”
To grasp how the NXNSAttack works, it helps to understand the larger hierarchical structure of DNS across the internet. When a browser reaches out for a domain like google.com, it checks a DNS server to find out that domain’s IP address, a number like 220.127.116.11. Typically those requests are answered by DNS “resolver” servers, controlled by DNS providers and internet service providers. But if those resolvers don’t have the right IP address on hand, they ask an “authoritative” server associated with specific domains for an answer.
The NXNSAttack abuses the trusted communications between those different layers of the DNS hierarchy. It requires not only access to a collection of PCs or other devices—anything from a single computer to a botnet—but also the creation of DNS servers for a domain; call it “attacker.com.” (The researchers argue anyone can put that set-up together for just a few dollars.) Then the attacker would send a barrage of requests from their devices for the domain they control, or more specifically a series of fake subdomains like 123.attacker.com, 456.attacker.com and so on, using strings of random numbers to constantly vary the subdomain requests.
Those attempted web visits would trigger a DNS provider’s resolver server to check with an authoritative server—which in this case is the DNS server under the attacker’s control. Instead of merely providing an IP address, that authoritative server would tell the resolver that it doesn’t know the destination of the requested subdomains and direct the resolver to ask another DNS authoritative server for the IP address instead, passing off the request to a target domain of the attacker’s choosing.
The researchers found that they could refer every request for one of those nonexistent subdomains at their own attacker.com domain to hundreds of nonexistent subdomains that all belong to a target domain, such as victim.com. Those hundreds of requests could allow a hacker to overwhelm not only the resolver DNS servers by tricking them into sending more requests than the servers can handle—potentially taking down part of the DNS provider’s service, as happened in the Mirai botnet attack on Dyn—but also flooding the victim’s authoritative DNS servers that receive those requests, which might take down that target victim.com site.
A well-defended target would likely detect that a single malicious DNS server was behind the attack and stop responding to requests referred from the attacker’s domain. But the University of Tel Aviv’s Shafir points out that attackers can use several domains to vary the attack and prolong the pain. “You can have dozens like this and change them every few minutes,” Shafir says. “It’s very easy.”
In another variant of the attack, the researchers found a hacker could even direct NXNSAttack at nonexistent top-level domains—fake suffixes of web addresses like “.fake”—to attack the so-called root servers that keep track of where authoritative servers can be found for top-level domains like .com and .gov. While those root servers are generally designed to have very large bandwidth, the researchers say they could request more fake domains from those target servers than they could for fake subdomains in the other versions of their attack, potentially multiplying every request by more than a thousandfold and threatening large portions of the entire web.
“When you try to attack a root server, the attack becomes much more destructive,” says Shafir. “We cannot prove that they can be knocked down because they’re very strong servers, but the amplification is very high and these are the most important assets. Parts of the internet would not work at all in this worst case.”
When WIRED reached out to a collection of the internet’s main DNS providers, Google, Microsoft, and Amazon didn’t immediately respond. Dyn’s parent company Oracle said it was looking into the research. “The NXNSAttack has a large amplification factor for some DNS implementations, but for Cloudflare the amplification was small and it has been reduced by recent changes to our DNS software,” wrote Cloudflare’s chief technology officer John Graham-Cumming. “Because DNS amplification is a common problem that the industry deals with, Cloudflare already had in place mitigations to prevent our service being used for large amplification attacks.”
John Todd, the executive director of the nonprofit DNS provider Quad9, wrote in an email that “this threat is/was quite real,” but also noted that it’s “somewhat complex to deploy and leaves some fingerprints,” since the attacker would have to run their own DNS domains. He also noted that most enterprise DNS servers are set to respond only to IP addresses from within the company that owns them, though internet service providers are more likely to be vulnerable to having their DNS servers hijacked by the NXNSAttack technique.
Given the widespread patching already in place, NXNSAttack likely represents less of a critical threat than it does a reminder of how the infrastructure of the internet has to be constantly maintained and protected.
“From my perspective, I’m just ecstatic that the kind of cooperation that I got back in 2008 is still happening in 2020,” White Ops’ Kaminsky says. “The internet is not something that would survive if it weren’t being actively patched back together every time someone set something on fire.”