NXNSAttack: A New DDoS Attack on Recursive DNS Resolvers

The purpose of a Distributed Denial of Service (DDoS) attack is to prevent an online service from working properly by overloading the target, say a web server, so that legitimate users either experience poor performance or, taken to the extreme, cannot connect to the service at all. Whatever the scale of the attack, the consequences are loss of service and loss of revenue, which is particularly damaging for ecommerce sites. Having DDoS protection in place before your organization suffers an attack is therefore crucial for ensuring business continuity and minimizing risk.

But the worst thing about DDoS attacks is that just when you’ve built up your DDoS protection against known attacks, along comes yet another new attack. Such has been the case with NXNSAttack, a DNS DDoS attack that relies on a built-in weakness of the Domain Name System (DNS).

NXNSAttack, a New Reflection Attack

NXNSAttack is a type of Denial of Service assault called a “reflection attack.” Reflection attacks make use of a third-party service to route DDoS traffic to a victim. The attacker sends packets whose source IP address is forged to be the victim’s address, requesting, for example, the time from a Network Time Protocol (NTP) server. The third-party service acts as a mirror, sending the response packets to the victim rather than the attacker. If there are enough response packets, the victim’s service will be slowed or even completely overwhelmed to the point of not being accessible at all.

Launching an NXNSAttack Assault

To mount an NXNSAttack DNS attack, the bad guys need access to a domain name server they control that is authoritative for a domain they own; let’s call that domain attack.com. Next, the attackers make a DNS request to a third-party DNS server for the IP address of a device in a subdomain of attack.com, for example, sub1.attack.com.

Since the third-party DNS server doesn’t know anything about attack.com, it sends a request to the DNS server that is the root server for .com domains asking for the IP address of the authoritative DNS server for the attack.com domain. The third-party DNS server then asks the attacker’s authoritative DNS server to resolve the address of sub1.attack.com.

Now, if the authoritative attack.com DNS server were a normal DNS server, it would simply return the IP address of a machine in its own domain. In this case, however, the attack.com DNS server responds, in effect, “I don’t know, ask these servers,” and provides a list of non-existent DNS servers in the domain that is being attacked (we’ll call that domain victim.com). These non-existent DNS servers are listed simply to generate DNS requests, and the third-party DNS server obligingly goes off and makes them.

The Domain Name Service and Recursive Resolvers

To optimize service performance, many DNS servers were designed to be recursive resolvers: they attempt to resolve the IP address of every DNS server they are given so the addresses can be cached and the server never has to resolve them again. Thus, the third-party DNS server now asks the root .com server for the IP address of the authoritative DNS server for victim.com and requests the resolution of each of the fake nameservers.

Since all of the DNS server names provided by the attacker’s DNS server are fake, the third-party DNS server winds up pounding the authoritative DNS server for victim.com with IP address resolution requests, multiplying the number of DNS requests by 10 to 20 times; this multiplier is called the amplification factor. In a full-scale NXNSAttack the attackers use two stages of redirection from the attacker’s nameserver to square the number of requests, achieving an astounding amplification factor of 1,620. The resulting attack traffic, created by only a few computers, can easily overwhelm the victim’s DNS servers, making their systems unresolvable and thereby denying service.
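The toy model below, added here and not part of the original post or of any DNS vendor’s code, shows why a resolver that eagerly chases every glueless nameserver in a referral is amplified, and why the two-stage variant squares the query count. The zone names (attack.example, attack2.example, victim.example), the referral format, and the per-referral fetch cap used as the hardened setting are all constructed assumptions; real resolvers also query the TLD servers, which this model omits.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Referral:
    ns_names: List[str]   # glueless delegation: "ask these servers", no addresses supplied


def zone_of(name: str, zones: Dict[str, dict]) -> str:
    # Toy delegation walk: the most specific configured zone that contains `name`.
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise KeyError(name)


@dataclass
class Resolver:
    zones: Dict[str, dict]                      # zone apex -> {owner name: address or Referral}
    max_ns_fetches: Optional[int] = None        # None models the unbounded (vulnerable) behaviour
    queries_to: Dict[str, int] = field(default_factory=dict)

    def resolve(self, name: str):
        zone = zone_of(name, self.zones)
        self.queries_to[zone] = self.queries_to.get(zone, 0) + 1  # one query to that zone's server
        answer = self.zones[zone].get(name)
        if not isinstance(answer, Referral):
            return answer                       # an address, or None for a non-existent name
        targets = answer.ns_names
        if self.max_ns_fetches is not None:     # hardened resolver: chase only a bounded subset
            targets = targets[: self.max_ns_fetches]
        for ns in targets:                      # eager resolver: look up every referred nameserver
            self.resolve(ns)
        return None


def build_zones(fanout: int) -> Dict[str, dict]:
    # Constructed two-stage scenario: attack.example -> attack2.example -> victim.example.
    stage2 = [f"ns{i}.attack2.example" for i in range(fanout)]
    fakes = [f"ns{i}.victim.example" for i in range(fanout)]
    return {
        "attack.example": {"sub1.attack.example": Referral(stage2)},
        "attack2.example": {n: Referral(fakes) for n in stage2},
        "victim.example": {},                   # none of the fake nameservers exist
    }


def run_scenario(fanout: int, max_ns_fetches: Optional[int] = None) -> Dict[str, int]:
    # Queries each zone's authoritative server receives for a single attacker query.
    r = Resolver(build_zones(fanout), max_ns_fetches)
    r.resolve("sub1.attack.example")
    return dict(r.queries_to)
```

With a fanout of 10, one attacker query produces 100 queries to victim.example in the unbounded model, while a fetch cap of 5 limits it to 25, which is the kind of bound the vendor fixes mentioned below impose.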

The NXNSAttack DNS attack was discovered in mid-May 2020 by Israeli researchers. Some DNS vendors have already released fixes but, in practice, additional DDoS protection defenses are required to ensure that the consequences of this type of attack are minimized.

How Can A10 Help Mitigate DDoS Attacks?

An attack such as NXNSAttack can be overwhelming and stop your business in its tracks, but A10’s Thunder® Threat Protection System (TPS™) uses advanced defense strategies that protect against all kinds of cyberattacks, including new, novel DDoS attacks. Visit A10’s DDoS Protection solution page to learn more.

To learn more, download the complete A10 Networks report, Q2 2020: The State of DDoS Weapons, a guide to the top IoT port searches and reflector searches performed by attackers, and the companion infographic, DDoS Weapons & Attack Vectors.


July 8, 2020

About A10 Staff