New on RIPE Labs: NXNSAttack: Upgrade Resolvers to Stop New Kind of Random Subdomain Attack
Dear colleagues, This article by Petr Špaček of CZ.NIC describes a newly discovered DNS protocol vulnerability that affects all recursive DNS resolvers. NXNSAttack allows the execution of random subdomain attacks using the DNS delegation mechanism, resulting in a big packet amplification factor. Please read more about this on RIPE Labs: https://labs.ripe.net/Members/petr_spacek/nxnsattack-upgrade-resolvers-to-st... Kind regards, Mirjam Kühne RIPE NCC
This is not a “newly discovered vulnerability. This was presented at DNS OARC 21 by Florian Maury in 2015 https://indico.dns-oarc.net/event/21/contributions/301/attachments/272/492/s..., and also details the fixes applied to resolvers at the time. As Florian also points out the generic vulnerability of unbounded work flows was identified by Dr Paul Mockapetris in RFC1034 in 1987. thanks, Geoff
On 21 May 2020, at 12:43 am, Mirjam Kuehne <mir@ripe.net> wrote:
Dear colleagues,
This article by Petr Špaček of CZ.NIC describes a newly discovered DNS protocol vulnerability that affects all recursive DNS resolvers. NXNSAttack allows the execution of random subdomain attacks using the DNS delegation mechanism, resulting in a big packet amplification factor.
Please read more about this on RIPE Labs:
https://labs.ripe.net/Members/petr_spacek/nxnsattack-upgrade-resolvers-to-st...
Kind regards, Mirjam Kühne RIPE NCC
Hi Geoff On Thu, May 21, 2020 at 05:49:43AM +1000, Geoff Huston wrote:
This is not a “newly discovered vulnerability. This was presented at DNS OARC 21 by Florian Maury in 2015 https://indico.dns-oarc.net/event/21/contributions/301/attachments/272/492/s..., and also details the fixes applied to resolvers at the time.
As Florian also points out the generic vulnerability of unbounded work flows was identified by Dr Paul Mockapetris in RFC1034 in 1987.
This one is along similar lines but different. This attack bypassed the limits on recursion and indirection that were added by the previous one. Mukund
On 20. 05. 20 22:29, Mukund Sivaraman wrote:
Hi Geoff
On Thu, May 21, 2020 at 05:49:43AM +1000, Geoff Huston wrote:
This is not a “newly discovered vulnerability. This was presented at DNS OARC 21 by Florian Maury in 2015 https://indico.dns-oarc.net/event/21/contributions/301/attachments/272/492/s..., and also details the fixes applied to resolvers at the time.
As Florian also points out the generic vulnerability of unbounded work flows was identified by Dr Paul Mockapetris in RFC1034 in 1987.
This one is along similar lines but different. This attack bypassed the limits on recursion and indirection that were added by the previous one.
Let me post my reply from the blog comments also here. There are certainly similarities and authors have acknowledged previous work by Florian Maury in the NXNSAttack paper. Allow me to quote the NXNSAttack paper https://cyber-security-group.cs.tau.ac.il/dns-ns-paper.pdf here: Maury [18] presents a different attack that also ex- ploits the delegations of name-servers in a referral re- sponse. However, the attack (called iDNS attack) PAF is at most 10x. In iDNS the attacker’s name-server sends self-delegations (back and forth to the attacker’s name- server) up to an infinite depth. A major difference from our work is that the glueless name-servers in the iDNS attack are never used against an external server such as a victim name-server. Some measures have been taken by different DNS vendors such as BIND and UNBOUND following the disclosure of iDNS described in [18], how- ever these measures do not affect and do not weaken the NXNSAttack. Unbounded work in any implementation is surely a bad idea and Paul Mockapetris was surely right, there are no doubts about this. Having said that I do not agree that NXNSAttack can be dismissed as nothing new. Researchers found an exploitable flaw in several DNS resolver implementations, and several vendors released software with mitigation for NXNSAttack, so it is not just theoretical problem, and surely not the same as in 2015 because mitigations introduced back then (see CVE-2014-8500, CVE-2014-8601, CVE-2014-8602) did not save us in 2020. On a more generic note, attempting to categorize all "unbounded work problems" as "the same flaw" is equivalent to declaring all these flaws equivalent to halting problem from computability theory - that is technically correct but really not helpful for anyone except for computability theory researchers. This view is reinforced by fact that MITRE CVE classification has special categories for variants of this problem (CWE-405, CWE-406, CWE-1050 are first three I found right now). That very strongly suggests security community cares enough to distinguish individual "insufficiently bounded work" problems no matter what protocol or software it affects. To conclude: No matter if you consider this novel attack or not please upgrade if your software is affected. Petr Špaček @ CZ.NIC P.S. Statement in the article that "[NXNSAttack] affects all recursive DNS resolvers" is overgeneralization I apologize for it, I'm reaching out to Ralf Weber so we can agree on a better wording.
Moin! On 20 May 2020, at 16:43, Mirjam Kuehne wrote:
This article by Petr Špaček of CZ.NIC describes a newly discovered DNS protocol vulnerability that affects all recursive DNS resolvers. That is not exactly true and while I normally would not have bothered to correct that, but I had to answer quite a few customer questions yesterday, so here we are. Akamai/Nominum Cacheserve and Akamai/Xerocole AnswerX are not affected by this. We had limits in the software for this in the Cacheserve case from day one. Would appreciate if you could correct that in the article.
So long -Ralf —-- Ralf Weber
participants (5)
-
Geoff Huston
-
Mirjam Kuehne
-
Mukund Sivaraman
-
Petr Špaček
-
Ralf Weber