DNSBomb Attack Can Amplify DDoS by 20,000 Times
A group of researchers from Tsinghua University (China) has revealed a new method of DDoS attack called DNSBomb. The technique turns ordinary DNS infrastructure into an amplifier: a low-rate stream of DNS queries is converted by third-party resolvers into short, very high-volume bursts of traffic aimed at the victim.
Essentially, DNSBomb is a modern variation of a twenty-year-old attack. Back in 2003, a study described low-rate, pulsing DoS attacks against TCP. Such attacks use repeated short bursts of high-volume traffic to impact a target system or service. A pulse can last several hundred milliseconds and recur every few seconds, with the overall attack lasting hours or even days. Pulsing DDoS attacks are typically harder to detect because the attacker's average traffic rate stays low; only the peaks are damaging.
DNSBomb uses a similar approach but with a different implementation: it exploits the behaviour of DNS software and modern DNS server infrastructure, including recursive resolvers and authoritative nameservers, to build the pulses.
How DNSBomb Works
DNSBomb operates by sending a slow stream of specially crafted DNS queries to recursive resolvers, with the source address spoofed to that of the target and the queried names under a domain whose authoritative nameserver the attacker controls. The resolvers keep each query open until their query timeout expires, and the attacker's authoritative server withholds its answers until just before that moment, so the resolvers accumulate a large backlog of pending queries. When the answers finally arrive, the resolvers release all of the accumulated responses, enlarged compared with the original queries, to the spoofed source at once, producing a powerful burst of DNS traffic aimed directly at the target. The cycle is then repeated to produce the next pulse.
According to the researchers, in their tests they used DNSBomb against 10 popular DNS implementations and 46 public DNS services, reaching a peak attack bandwidth of 8.7 Gbps. Measured as peak bandwidth against the attacker's own sending rate, the original DNS traffic was amplified by up to roughly 20,000 times.
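The accumulate-and-release cycle described above can be modelled with a few lines of arithmetic, which makes the distinction between classic byte amplification (response size over query size) and pulse amplification (peak bandwidth over the attacker's average sending rate) concrete. The following is an added, simplified simulation written for this article, not the researchers' code: the query rate, packet sizes, timeout and release window are constructed assumptions, and the model ignores aggregation of identical in-flight queries and network jitter. It also shows how two resolver-side mitigations, a shorter query timeout and a cap on queries held per client, reduce the peak.

```python
"""Toy model of a DNSBomb-style accumulate-and-release pulse (constructed example)."""
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Scenario:
    query_rate_pps: float          # attacker's steady query rate toward the resolver
    query_bytes: int               # size of one spoofed query (source = target)
    response_bytes: int            # size of one response the resolver sends to the target
    timeout_s: float               # resolver query timeout; the attacker's authority delays up to this
    release_window_s: float        # burst width: how quickly the held responses leave the resolver
    duration_s: float              # how long the attacker keeps sending
    max_pending: Optional[int] = None  # cap on queries held per client (assumed mitigation knob)


def simulate(sc: Scenario, bin_s: float = 0.01) -> Dict[str, object]:
    """Replay the pulse cycle and bin the bytes delivered to the target over time."""
    n_bins = int(math.ceil((sc.duration_s + sc.timeout_s + sc.release_window_s) / bin_s)) + 1
    bins = [0.0] * n_bins
    bursts = []
    n_cycles = int(math.ceil(sc.duration_s / sc.timeout_s))
    for k in range(1, n_cycles + 1):
        # Queries sent during one timeout period are all held by the attacker-controlled
        # authority and answered together just before the oldest one would time out.
        start, end = (k - 1) * sc.timeout_s, min(k * sc.timeout_s, sc.duration_s)
        held = int(round(sc.query_rate_pps * (end - start)))
        if sc.max_pending is not None:
            held = min(held, sc.max_pending)  # excess queries are refused rather than queued
        burst_bytes = held * sc.response_bytes
        release_t = k * sc.timeout_s
        bursts.append((release_t, held, burst_bytes))
        # Spread the burst uniformly across the release window.
        first = int(round(release_t / bin_s))
        span = max(1, int(round(sc.release_window_s / bin_s)))
        for b in range(first, first + span):
            bins[b] += burst_bytes / span
    peak_bps = max(bins) * 8 / bin_s
    attacker_bps = sc.query_rate_pps * sc.query_bytes * 8
    total_out = sum(bins)
    sent_bytes = sc.query_rate_pps * sc.duration_s * sc.query_bytes
    return {
        "bursts": bursts,
        "peak_bps": peak_bps,
        "attacker_bps": attacker_bps,
        "avg_target_bps": total_out * 8 / (n_bins * bin_s),
        # classic amplification: bytes delivered to the target per byte the attacker sent
        "bytes_amplification": total_out / sent_bytes,
        # pulse amplification: peak rate at the target per unit of attacker sending rate
        "pulse_amplification": peak_bps / attacker_bps,
    }


# Baseline: 100 qps of 80-byte queries, 4000-byte responses, 5 s timeout, 20 ms burst.
BASELINE = Scenario(query_rate_pps=100, query_bytes=80, response_bytes=4000,
                    timeout_s=5.0, release_window_s=0.02, duration_s=10.0)


def compare_mitigations(base: Scenario = BASELINE) -> Dict[str, float]:
    """Pulse amplification for the baseline and two resolver-side mitigations."""
    shorter_timeout = Scenario(**{**base.__dict__, "timeout_s": 1.0})
    capped_pending = Scenario(**{**base.__dict__, "max_pending": 50})
    return {
        "baseline": simulate(base)["pulse_amplification"],
        "timeout_1s": simulate(shorter_timeout)["pulse_amplification"],
        "max_pending_50": simulate(capped_pending)["pulse_amplification"],
    }


if __name__ == "__main__":
    r = simulate(BASELINE)
    print(f"attacker sends {r['attacker_bps'] / 1e3:.0f} kbps, target sees "
          f"{r['avg_target_bps'] / 1e6:.1f} Mbps on average but {r['peak_bps'] / 1e6:.0f} Mbps at the peak")
    print(f"bytes amplification {r['bytes_amplification']:.0f}x, "
          f"pulse amplification {r['pulse_amplification']:.0f}x")
    for name, amp in compare_mitigations().items():
        print(f"{name:>16}: {amp:.0f}x")
```

With these constructed parameters the byte ratio is only 50x, yet the peak seen by the target is 12,500 times the attacker's sending rate, which is why a detector that thresholds on average volume sees nothing unusual. Shortening the timeout or capping pending queries per client reduces the size of each burst proportionally, which is the lever the affected resolver vendors have to work with.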
Impact and Vulnerabilities
The attack results in complete packet loss or degraded service quality on both connectionless and connection-oriented transports (UDP, TCP and QUIC).
"We concluded that any system or mechanism capable of aggregating anything (such as DNS and CDN) can be used to create pulsing DoS traffic," the study authors wrote.
The researchers have notified all affected parties, and 24 organizations are already working on fixes or have released patches. Some of the world's most well-known DNS providers are among those impacted.
CVE Identifiers and Affected Software
The DNSBomb issue has been assigned the main CVE identifier CVE-2024-33655, along with several others related to specific DNS solutions:
- Knot: CVE-2023-49206
- Simple DNS Plus: CVE-2023-49205
- Technitium: CVE-2023-28456, CVE-2023-49203
- MaraDNS: CVE-2023-49204
- Dnsmasq: CVE-2023-28450, CVE-2023-49207
- CoreDNS: CVE-2023-28454, CVE-2023-49202
- SDNS: CVE-2023-49201
More detailed information about the issue will be presented by the researchers at the IEEE Symposium on Security and Privacy (S&P 2024), which is taking place in San Francisco this week.