Thwarting DDoS Technique that Threatened Large-Scale Cyberattack

The new DDoS technique, which the researchers dubbed NXNSAttack (Non-Existent Name Server Attack), takes advantage of vulnerabilities in common DNS software. DNS converts the domain names you click or type into the address bar of your browser into IP addresses. But the NXNSAttack can cause an unwitting DNS server to issue hundreds of thousands of requests in response to a single request from the attacker.

“The attack in 2016 used over 1 million IoT devices, whereas here, we see the same impact with only a few hundred,” says Afek. “We are talking about a major amplification, a major cyberattack that could disable critical parts of the internet.”

The way it works is that when a client machine tries to reach a certain resource on the internet, it issues a request with the name of the resource to a resolver, the type of DNS server in charge of translating the requested name into an IP address. In order to find the required IP address, the resolver enters an exchange of messages with several DNS servers of another type, called “authoritative.” The authoritative servers redirect the resolver from one to the next, essentially telling it to “go and ask that one,” until the resolver reaches an authoritative server that knows the final answer: the requested IP address.

“To mount the NXNSAttack,” continues Afek, “an attacker either acquires for a negligible price or simply penetrates an authoritative server, which would redirect the resolver to send an enormous number of requests to the authoritative servers. This happens while the resolver is trying to answer the particular request that the attacker has crafted.

The attacker sends such a request multiple times over a long period of time, which generates a tsunami of requests between the DNS servers, which are subsequently overwhelmed and unable to respond to the legitimate requests of actual legitimate users.”
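To make the referral chain and the amplification concrete, here is a small simulation of the resolution process described above. It is an added example for this article, not code from the researchers or from any DNS software; the IP addresses, zone names and zone contents are constructed, and the `max_fetch` cap models the published mitigation of limiting how many glueless name-server names a resolver will look up for one referral (the cap value is chosen for illustration). The modelled trick is the one the attack is named for: the attacker's authoritative server answers with a referral naming many non-existent name servers inside the victim's zone, without addresses, so the resolver has to look each one up at the victim's server before it can go any further.

```python
"""Toy model of recursive DNS resolution and the NXNSAttack amplification.

Added example, not code from the researchers or from any DNS software.
All IPs, names and zone contents are constructed; max_fetch models a
MaxFetch(k) style limit on glueless NS lookups, with k chosen for illustration.
"""
from collections import Counter

ROOT_IP, EXAMPLE_IP, VICTIM_IP, ATTACKER_IP = "192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.3"
N_FAKE = 100  # nonexistent name-server names packed into the malicious referral
FAKE_NS = [f"fake{i}.victim.example." for i in range(N_FAKE)]

# Each authoritative server (keyed by IP) holds name -> response.
# Responses: ("A", ip) | ("NS", zone, [ns names], {ns name: glue ip}) | ("NXDOMAIN",)
SERVERS = {
    ROOT_IP: {"example.": ("NS", "example.", ["a.ns.example."], {"a.ns.example.": EXAMPLE_IP})},
    EXAMPLE_IP: {
        "victim.example.": ("NS", "victim.example.", ["ns.victim.example."], {"ns.victim.example.": VICTIM_IP}),
        "attacker.example.": ("NS", "attacker.example.", ["ns.attacker.example."], {"ns.attacker.example.": ATTACKER_IP}),
    },
    VICTIM_IP: {"www.victim.example.": ("A", "198.51.100.10")},
    # The attacker's server answers the crafted name with a referral whose NS
    # names all live in the victim's zone and carry no glue addresses, so the
    # resolver must look each one up before it can continue.
    ATTACKER_IP: {"x.attacker.example.": ("NS", "x.attacker.example.", FAKE_NS, {})},
}


def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


def lookup(server_ip, qname):
    """Answer as an authoritative server: longest matching delegation or exact A record."""
    best = None
    for name, resp in SERVERS[server_ip].items():
        if in_zone(qname, name) and (best is None or len(name) > len(best[0])):
            best = (name, resp)
    if best is None or (best[1][0] == "A" and best[0] != qname):
        return ("NXDOMAIN",)
    return best[1]


class Resolver:
    def __init__(self, max_fetch=None):
        self.max_fetch = max_fetch  # None: unlimited glueless NS lookups (vulnerable)
        self.queries = Counter()    # server ip -> queries sent to it
        self.delegations = {}       # cached zone -> ip of a server authoritative for it

    def query(self, server_ip, qname):
        self.queries[server_ip] += 1
        return lookup(server_ip, qname)

    def resolve(self, qname, depth=0):
        """Follow referrals from the root (or the closest cached delegation) to an A record."""
        if depth > 8:
            raise RuntimeError("referral chain too deep")
        server, best = ROOT_IP, ""
        for zone, ip in self.delegations.items():
            if in_zone(qname, zone) and len(zone) > len(best):
                server, best = ip, zone
        while True:
            resp = self.query(server, qname)
            if resp[0] == "A":
                return resp[1]
            if resp[0] == "NXDOMAIN":
                return None
            _, zone, ns_names, glue = resp
            addrs = [glue[n] for n in ns_names if n in glue]
            glueless = [n for n in ns_names if n not in glue]
            if self.max_fetch is not None:
                glueless = glueless[: self.max_fetch]
            # Every glueless NS name costs a full sub-resolution: this is the
            # amplification step. Real resolvers often ask for A and AAAA per
            # name, which doubles the count modelled here.
            for n in glueless:
                ip = self.resolve(n, depth + 1)
                if ip:
                    addrs.append(ip)
            if not addrs:
                return None
            self.delegations[zone] = addrs[0]
            server = addrs[0]


def attack_query_counts(max_fetch=None):
    """Queries each server receives while one crafted client query is resolved."""
    r = Resolver(max_fetch)
    r.resolve("x.attacker.example.")
    return dict(r.queries)


if __name__ == "__main__":
    for cap in (None, 1):
        counts = attack_query_counts(cap)
        print(f"max_fetch={cap}: victim got {counts.get(VICTIM_IP, 0)} queries, "
              f"{sum(counts.values())} queries in total for one client query")
```

With the cap disabled, the single crafted query produces one query to the victim's server for every fake name-server name in the referral, on top of the few queries needed to walk the chain from the root; with the cap set to 1, the same query costs the victim one lookup. Raising `N_FAKE` and adding a second address type per name is all it takes to reach the amplification factors the researchers describe.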

Shafir explains further: “A hacker that discovered this vulnerability would have used it to generate an attack targeting either a resolver or an authoritative DNS server in particular locations in the DNS system. In either case, the attacked server would be incapacitated and its services blocked, unable to function due to the overwhelming number of requests it got. It would prevent legitimate users from reaching the resources on the internet they sought.”

The research for the study formed part of Shafir’s Ph.D. work; he built a test setup with an authoritative server under his control, on which he simulated the attack against the other servers, generating a tsunami of requests between them and incapacitating them as a result.

“Our discovery has prevented major potential damage to web services used by millions of users worldwide,” concludes Afek. “The 2016 cyberattack, which is considered the greatest in history, knocked down much of the internet in the U.S. But an attack like the one we now prevented could have been more than 800 times more powerful.”