TsuNAME vulnerability and DDoS against DNS

Moura, Giovane C. M. and Castro, Sebastian and Heidemann, John and Hardaker, Wes
USC/Information Sciences Institute

citation

Giovane C. M. Moura, Sebastian Castro, John Heidemann and Wes Hardaker 2021. TsuNAME vulnerability and DDoS against DNS. Technical Report ISI-TR-740. USC/Information Sciences Institute. [PDF]

abstract

The Internet’s Domain Name System (DNS) is one of the core services on the Internet. Every web page visit requires a series of DNS queries, and large DNS failures may have cascading consequences, leading to unreachability of major websites and services. In this paper we present TsuNAME, a vulnerability in some DNS resolvers that can be exploited to carry out denial-of-service attacks against authoritative servers. TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records: when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers (we observe up to 5.6k queries/s). Using production data from .nz, the country-code top-level domain (ccTLD) of New Zealand, we show how only two misconfigured domains led to a 50% increase in overall traffic volume for the .nz authoritative servers. To understand this event, we reproduce TsuNAME using our own configuration, demonstrating that it could be used to overwhelm any DNS zone. A solution to TsuNAME requires changes to some recursive resolver software, by including loop detection code and caching cyclic dependent records. To reduce the impact of TsuNAME in the wild, we have developed and released CycleHunter, an open-source tool that allows authoritative DNS server operators to detect cyclic dependencies and prevent becoming victims of TsuNAME attacks. We use CycleHunter to evaluate roughly 184 million domain names in 7 large top-level domains (TLDs), finding 44 cyclic dependent NS records (likely from configuration errors) used by 1.4k domain names. However, a well-motivated adversary could easily weaponize this vulnerability. We have notified resolver developers and many TLD operators of this vulnerability. Working together with Google, we helped them mitigate their vulnerability to TsuNAME.
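The cyclic dependency the abstract describes can be checked from the authoritative side, which is the idea behind CycleHunter. The Python below is an added illustration, not the report's or CycleHunter's code: it builds a dependency graph between delegated zones from constructed NS records (all zone and host names are placeholders) and flags the zones a resolver without loop detection would chase forever, plus the zones whose resolution leads into such a cycle.

```python
from collections import defaultdict

# Constructed sample delegations (zone -> NS hostnames); placeholder names,
# not data from the report. example.net. and example.org. point at each
# other's nameservers, so neither can ever be resolved.
DELEGATIONS = {
    "example.net.": ["ns1.example.org."],    # depends on example.org.
    "example.org.": ["ns1.example.net."],    # depends on example.net. -> cycle
    "good.example.": ["ns1.good.example."],  # in-bailiwick NS, served with glue
    "other.example.": ["ns1.example.net."],  # not on the cycle, but depends on it
}

def parent_zone(name, zones):
    """Closest delegated zone in `zones` that contains `name`, or None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None

def dependency_graph(delegations):
    """zone -> set of other delegated zones whose NS names must resolve first."""
    graph = defaultdict(set)
    for zone, nameservers in delegations.items():
        graph[zone]  # make sure every zone is a node, even without edges
        for ns in nameservers:
            dep = parent_zone(ns, delegations)
            if dep is not None and dep != zone:  # out-of-bailiwick dependency
                graph[zone].add(dep)
    return dict(graph)

def cyclic_zones(delegations):
    """Zones that sit on a dependency cycle (they can reach themselves)."""
    graph = dependency_graph(delegations)
    cyclic = set()
    for start in graph:
        stack, seen = list(graph[start]), set()
        while stack:
            node = stack.pop()
            if node == start:
                cyclic.add(start)
                break
            if node not in seen:
                seen.add(node)
                stack.extend(graph[node])
    return cyclic

def affected_zones(delegations):
    """Cycle members plus every zone whose NS resolution leads into a cycle."""
    graph, bad = dependency_graph(delegations), cyclic_zones(delegations)
    changed = True
    while changed:  # propagate backwards until no new dependents are found
        changed = False
        for zone, deps in graph.items():
            if zone not in bad and deps & bad:
                bad.add(zone)
                changed = True
    return bad
```

Zones reported by `affected_zones` are the ones an operator would fix (or refuse to delegate) before a looping resolver turns them into a traffic amplifier against the authoritative servers.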

reference

@techreport{Moura21a,
  author = {Moura, Giovane C. M. and Castro, Sebastian and Heidemann, John and Hardaker, Wes},
  title = {{TsuNAME} vulnerability and {DDoS} against {DNS}},
  institution = {USC/Information Sciences Institute},
  year = {2021},
  month = may,
  sortdate = {2020-05-11},
  project = {ant, lacanic, paaddos, ddidd},
  jsubject = {network_security},
  number = {ISI-TR-740},
  jlocation = {johnh: pafile},
  keywords = {anycast, dns, tcp, latency, root, .nl-tld, tsuname, vulnerability},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Moura21a.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Moura21a.pdf},
  otherurl = {https://www.isi.edu/publications/trpublic/pdfs/isi-tr-740.pdf},
  otherotherurl = {https://tsuname.io/tech_report.pdf},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors}
}