Description and potential impacts
The attack technique called NXNSAttack, identified by a team of Israeli academics, can be used to target DNS servers and cause a Distributed Denial of Service (DDoS) condition by exploiting a vulnerability identified through the following CVEs:
- CVE-2020-8616 (ISC BIND); CVSS 8.6
- CVE-2020-12662 (NLnet Labs Unbound); CVSS 7.5
- CVE-2020-12667 (CZ.NIC Knot Resolver); CVSS 7.5
- CVE-2020-10995 (PowerDNS Recursor); CVSS 7.5
The technique is among the most damaging DDoS amplification methods known to date: the researchers measured a packet amplification factor of between 2 and 1,620 times, depending on the resolver, which is enough to produce a traffic peak that leaves the victim's DNS server unable to respond.
As the authors note on the NXNSAttack site, the weakness has several facets and can be exploited in a number of variants.
In a typical scenario, the attacker sends a vulnerable recursive resolver a query for a name that is not in its cache, in a domain whose authoritative DNS server the attacker controls. Having no cached answer and not being authoritative for that domain, the resolver follows the delegation chain and forwards the request to the attacker's authoritative server. That server replies with a specially crafted delegation (referral) whose authority section lists thousands of NS records naming fabricated name servers under the victim's domain, deliberately without glue records, i.e. without any IP addresses. To follow the delegation the resolver must first resolve each of those name-server names, so it sends a burst of queries (typically an A and an AAAA lookup per name) to the victim's authoritative DNS servers, while also consuming its own resources: a single attacker query is turned into a large volume of traffic at the victim.
Products and affected versions
The flaw behind the attack affects the resolver software of NLnet Labs Unbound, ISC BIND, CZ.NIC Knot Resolver and PowerDNS Recursor, as well as the DNS services provided by Google, Microsoft, Cloudflare, Amazon, Oracle (DYN), Verisign, IBM Quad9 and ICANN.
Solution
The researchers notified the major DNS software vendors, who have already released patched versions, among them:
- ISC BIND (CVE-2020-8616)
- NLnet Labs Unbound (CVE-2020-12662)
- PowerDNS (CVE-2020-10995)
- CZ.NIC Knot Resolver (CVE-2020-12667)
Since DDoS attacks were the main type of attack and cyber incident recorded by service providers in 2019, it is essential to protect the DNS service and the corresponding ISP infrastructure by updating the affected systems and putting appropriate mitigations in place. The mitigations are specific to each DNS implementation and consist, for example, of capping the number of name-server names a resolver will look up while processing a single delegation, so that a referral containing thousands of glueless NS records can no longer be turned into thousands of outgoing queries. Operators should confirm that every recursive resolver they run, including any bundled in appliances or cloud services, is on a release that carries the fix for the relevant CVE.
Microsoft also issued a security advisory (ADV200009) for this issue, with guidance for mitigating it on Windows DNS Server.
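To make the mechanism described under "Description and potential impacts" and the per-delegation cap mentioned above concrete, the following Python script is an added illustration, not code from the NXNSAttack authors or from any of the resolver projects. It builds the attacker's referral in DNS wire format (RFC 1035, uncompressed names), parses it the way a resolver would, lists the NS names that arrived without glue, and counts the queries a resolver would send toward the victim's servers with and without a cap. The domain names attacker.example and victim.example, the cap value, and the assumption that each glueless name costs one A plus one AAAA lookup are choices made for the demonstration.

```python
"""Model of the NXNSAttack referral and of a per-delegation fetch cap.
Added illustration, not code from the NXNSAttack authors or any resolver
project; attacker.example, victim.example, the cap value and the
"one A + one AAAA lookup per glueless NS name" cost model are assumptions."""
import struct
from typing import Dict, List, Optional, Set, Tuple

TYPE_A, TYPE_NS, TYPE_AAAA, CLASS_IN = 1, 2, 28, 1

def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_referral(qname: str, ns_names: List[str],
                   glue: Optional[Dict[str, bytes]] = None) -> bytes:
    """The attacker's authoritative reply: question, no answer, one NS record per
    name in the authority section, glue A records only for names in `glue`
    (the real attack sends none, so every NS name has to be looked up)."""
    glue = glue or {}
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(ns_names), len(glue))
    msg = hdr + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for ns in ns_names:
        rdata = encode_name(ns)
        msg += encode_name(qname) + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 300, len(rdata)) + rdata
    for ns, ipv4 in glue.items():
        msg += encode_name(ns) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + ipv4
    return msg

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode the name at `off`, following compression pointers (RFC 1035
    section 4.1.4); return (name, offset just past the name in the message)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: 2 bytes, then jump
            end = end if jumped else off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def read_rr(msg: bytes, off: int) -> Tuple[Tuple[str, int, int], int]:
    """One resource record -> ((owner, type, rdata offset), next record offset)."""
    owner, off = read_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    return (owner, rtype, off + 10), off + 10 + rdlen

def parse_referral(msg: bytes) -> Tuple[List[str], Set[str]]:
    """NS target names from the authority section, and the owners that got an
    A/AAAA glue record in the additional section."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4          # name, QTYPE, QCLASS
    for _ in range(an):
        off = read_rr(msg, off)[1]
    ns_targets: List[str] = []
    for _ in range(ns):
        (_owner, rtype, rdoff), off = read_rr(msg, off)
        if rtype == TYPE_NS:
            ns_targets.append(read_name(msg, rdoff)[0])
    glued: Set[str] = set()
    for _ in range(ar):
        (owner, rtype, _rdoff), off = read_rr(msg, off)
        if rtype in (TYPE_A, TYPE_AAAA):
            glued.add(owner)
    return ns_targets, glued

def glueless_targets(referral: bytes) -> List[str]:
    """Names the resolver must resolve before it can follow the delegation."""
    ns_targets, glued = parse_referral(referral)
    return [n for n in ns_targets if n not in glued]

def fan_out(referral: bytes, max_fetches_per_delegation: Optional[int] = None) -> int:
    """Queries sent toward the victim's authoritative servers for this single
    referral: one A and one AAAA lookup per glueless name (assumed cost model).
    With a cap only the first N names are looked up; this is the kind of
    per-delegation limit the patched resolvers introduced."""
    names = glueless_targets(referral)
    if max_fetches_per_delegation is not None:
        names = names[:max_fetches_per_delegation]
    return 2 * len(names)

if __name__ == "__main__":
    fake_ns = [f"ns{i}.victim.example." for i in range(1, 201)]   # constructed sample
    msg = build_referral("sd1.attacker.example.", fake_ns)
    print(f"{len(msg)}-byte referral with {len(glueless_targets(msg))} glueless NS names")
    print(f"victim queries from an unpatched resolver: {fan_out(msg)}")
    print(f"victim queries with a cap of 5 names per delegation: {fan_out(msg, 5)}")
```

Run as written, the script turns 200 glueless names into 400 queries toward victim.example from an unpatched resolver and into 10 with a cap of 5 names per delegation. The counts show the shape of the problem rather than a measured amplification factor; the 2 to 1,620 figure comes from the researchers' measurements against real resolvers, whose caching, retries and timeouts this model leaves out.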
References
For further information, please refer to the dedicated website: http://www.nxnsattack.com/
Microsoft security advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200009