Cybersecurity researchers have unveiled a new and potent Denial of Service (DoS) attack, dubbed “DNSBomb.”
This attack leverages the inherent mechanisms of the Domain Name System (DNS) to create a powerful pulsing DoS attack that poses a significant threat to internet infrastructure.
Exploiting DNS Mechanisms
DNSBomb capitalizes on several widely implemented DNS mechanisms, including timeout, query aggregation, and fast-returning response.
These mechanisms, designed to ensure availability, security, and reliability, are ingeniously transformed into malicious attack vectors.
By accumulating DNS queries sent at a low rate and amplifying them into large-sized responses, DNSBomb concentrates all DNS responses into short, high-volume periodic bursts.
This overwhelming pulse can simultaneously cripple target systems, leading to complete packet loss or severe service degradation across various connection types, including TCP, UDP, and QUIC.
ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service
The researchers extensively evaluated DNSBomb on 10 mainstream DNS software, 46 public DNS services, and approximately 1.8 million open DNS resolvers.
The findings were alarming: all DNS resolvers tested could be exploited to conduct more practical and powerful DNSBomb attacks than previous pulsing DoS attacks.
Small-scale experiments demonstrated that the peak pulse magnitude could approach 8.7Gb/s, with a bandwidth amplification factor exceeding 20,000x.
These results highlight the potential for DNSBomb to cause significant disruption to internet services globally.
Mitigation and Industry Response
In response to the discovery, the researchers have proposed effective mitigation solutions and have responsibly reported their findings to all affected vendors.
To date, 24 vendors, including BIND, Unbound, PowerDNS, and Knot, have acknowledged the issue and are actively patching their software using the provided solutions.
Additionally, 10 CVE-IDs have been assigned to address the vulnerabilities exploited by DNSBomb.
- Industry-wide: CVE-2024-33655
- Knot: CVE-2023-49206
- Simple DNS Plus: CVE-2023-49205
- Technitium: CVE-2023-28456 , CVE-2023-49203
- MaraDNS: CVE-2023-49204
- Dnsmasq: CVE-2023-28450 , CVE-2023-49207
- CoreDNS: CVE-2023-28454 , CVE-2023-49202
- SDNS: CVE-2023-49201
The researchers emphasize that any system or mechanism capable of aggregating “things,” such as DNS and Content Delivery Networks (CDNs), could be exploited to construct pulsing DoS traffic.
The cybersecurity community is urged to join the effort in further investigating and mitigating the DNSBomb threat. The findings underscore the importance of continuous vigilance and innovation in the face of evolving cyber threats.
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
.webp "Weekly Cyber Security News Letter – Data Breaches, Vulnerability, Cyber Attack & More"){kind=small}
