John Heidemann / Papers / TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS

TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS
Giovane C

Citation

Giovane C. M. Moura, Sebastian Castro, John Heidemann and Wes Hardaker. TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS. Proceedings of the ACM Internet Measurement Conference (Virtual, Nov. 2021), 398–418. [DOI] [PDF] [alt PDF]

Abstract

The Internet’s Domain Name System (DNS) is a part of every web request and e-mail exchange, so DNS failures can be catastrophic, taking out major websites and services. This paper identifies TsuNAME, a vulnerability where some recursive resolvers can greatly amplify queries, potentially resulting in a denial-of-service to DNS services. TsuNAME is caused by cyclical dependencies in DNS records. A recursive resolver repeatedly follows these cycles, coupled with insufficient caching and application-level retries greatly amplify an initial query, stressing authoritative servers. Although issues with cyclic dependencies are not new, the scale of amplification has not previously been understood. We document real-world events in .nz (a country-level domain), where two misconfigured domains resulted in a 50% increase on overall traffic. We reproduce and document root causes of this event through experiments, and demostrate a 500x amplification factor. In response to our disclosure, several DNS software vendors have documented their mitigations, including Google public DNS. For operators of authoritative DNS services we have developed and released CycleHunter, an open-source tool that detect cyclic dependencies and prevent attacks. We use CycleHunter to evaluate roughly 184 million domain names in 7 large, top-level domains (TLDs), finding 44 cyclic dependent NS records used by 1.4k domain names. The TsuNAME vulnerability is weaponizable, since an adversary can easily create cycles to attack the infrastructure of a parent domains. Documenting this threat and its solutions is an important step to ensuring it is fully addressed.

Bibtex Citation

@inproceedings{Moura21b,
  author = {Moura, Giovane C. M. and Castro, Sebastian and Heidemann, John and Hardaker, Wes},
  title = {{TsuNAME}: exploiting misconfiguration and vulnerability to {DDoS} {DNS}},
  booktitle = {Proceedings of the ACM Internet Measurement Conference},
  year = {2021},
  sortdate = {2021-11-02},
  project = {ant, lacanic, paaddos, ddidd},
  jsubject = {network_security},
  pages = {398--418},
  month = nov,
  address = {Virtual},
  publisher = {ACM},
  jlocation = {johnh: pafile},
  keywords = {anycast, dns, tcp, latency, root, .nl-tld,tsuname, vunerability},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Moura21b.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Moura21b.pdf},
  doi = {https://doi.org/10.1145/3487552.3487824}
}
Copyright © by John Heidemann