- Arbor Networks - DDoS Experts
TsuNAME Zone Cyclic Dependency-Induced Recursive DNS Query Cascade
ASERT Threat Summary
Date/Time: 11May2021 1445UTC
Distribution: TLP: WHITE
In mid-May 2021, security researchers at SIDN Labs, InternetNZ, and USC/ISI released a research paper describing a sabotage-based DDoS attack methodology dubbed ‘TsuNAME’ that targets authoritative DNS servers. The researchers posited a rather complex attack scenario involving the deliberate misconfiguration of NS records in multiple DNS domains registered by the attackers with a targeted authoritative DNS hosting service, such that the NS records for each domain pathologically refer to one another in what is termed a ‘zone cyclic dependency.’ Furthermore, the attackers would also be required to identify and leverage significant numbers of abusable open DNS recursive servers and/or DNS forwarders incapable of detecting and caching responses for cyclic zone dependencies.
Attacker motivations for targeting a particular authoritative DNS hosting service could include rendering a particular domain or set of domains unresolvable, thus constituting a DDoS attack against specific customers of the DNS hosting service, or direct DDoS extortion of the authoritative DNS hoster in question, among others.
The TsuNAME researchers theorize that once attackers have successfully registered the sabotaged domains and provisioned the poisoned zonefiles on the targeted authoritative DNS hosting service, they can subsequently launch a classic reflected DNS query flood for the NS record of one of the sabotaged domains, thus inducing the previously identified population of abusable open DNS recursors/forwarders to oscillate between the looped NS records and thereby generate endless cascades of recursive DNS queries directed towards the authoritative DNS server(s) in question. The resultant recursive DNS query cascade would constitute a DDoS attack against the targeted authoritative DNS server(s), thus having a negative impact on the availability of the targeted authoritative DNS hosting service.
It should be noted that popular modern recursive DNS server software will detect zone cyclic dependencies in incoming query/response patterns and will therefore cache the looped NS records in order to avoid propagating the induced DNS query flood to the targeted authoritative DNS server(s). As the researchers note in their paper describing the proposed TsuNAME attack methodology, the few recorded instances of this type of pathological DNS query behavior taking place in the wild involved the unhappy conjunction of accidentally misconfigured DNS zonefiles with older versions of common DNS server software and/or the Google DNS public open recursive DNS service. The researchers state that they worked with both the Google DNS and Cisco OpenDNS teams to mitigate the potential for zone cyclic dependency abuse in their respective public services, as well as with a small number of operators running older, abusable versions of DNS server software.
While the researchers who published the TsuNAME attack methodology did not explicitly call attention to this fact, network operators should be aware that embedded DNS forwarders in Internet of Things (IoT) customer-premises equipment (CPE) devices, such as consumer-grade broadband access routers, may not be able to detect and cache cyclic zone dependencies based upon query/response patterns.
Observed cascading DNS query floods resulting from inadvertent zone cyclic dependency errors in DNS zonefile configurations have ranged from a 200% to 1,000% relative increase in observed queries-per-second (qps) directed towards affected authoritative DNS servers. In theory, an attacker could potentially achieve significantly higher attack amplification ratios, assuming that a sufficient number of abusable DNS recursors/forwarders that do not check for zone cyclic dependency querying could be identified and leveraged in an attack.
In the case of DNS servers that are authoritative for multiple domains, a successful attack against the actual targeted domain may result in unreachability of resources belonging to unaffiliated domains for which the targeted DNS servers are also authoritative. This is especially true for authoritative DNS hosting providers; these organizations constitute a primary potential target pool for TsuNAME DNS DDoS attacks (while noting that the ultimate goal of an attacker might be to negatively impact the availability of end-customer domains and affiliated resources).
The collateral impact of TsuNAME is potentially quite high for organizations whose abusable DNS recursive resolvers/forwarders are leveraged as reflectors in attacks against authoritative DNS servers. Abuse of DNS recursive resolvers/forwarders can result in significant degradation or even a complete outage of recursive DNS query lookups for legitimate users of these systems, thus rendering affected user populations effectively unable to access the Internet.
The logistical complexity of implementing and maintaining the necessary infrastructure to launch TsuNAME DNS DDoS attacks represents a potential barrier to widespread adoption of this attack methodology. Zone cyclic dependency detection and caching mechanisms incorporated in modern versions of popular DNS server/forwarding software allow DNS server operators to ameliorate the impact of this DNS DDoS attack methodology on targeted servers.
The risk posed by zone cyclic dependencies has been recognized by the DNS operational community since at least 2004. The above-mentioned detection/caching mechanisms, as well as the promulgation of BCPs for DNS zone canonicalization and sanitization, also serve as barriers to attackers seeking to leverage the TsuNAME DNS DDoS attack methodology.
Operators of authoritative DNS servers must implement best current practices (BCPs) for zone canonicalization and sanitization prior to enabling name resolution services for newly registered and provisioned zones. They should also audit the zonefiles for all zones for which they are authoritative in order to identify any zone cyclic dependencies. Name resolution services for affected zones must be disabled until remediation is possible. An open-source DNS zonefile auditing tool called CycleHunter has been made available by the TsuNAME researchers to check zonefiles for zone cyclic dependencies.
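As an added illustration of what such a zonefile audit checks (not the researchers' CycleHunter code or anything from this summary), the following Python follows each audited zone's NS names back to the zone that must serve their addresses and reports zones whose delegations form a cycle; the zone names and NS records are constructed.

```python
"""Audit a set of zones for cyclic NS dependencies (added example modelled on
what a CycleHunter-style audit does; not the researchers' code)."""
from collections import defaultdict

# Constructed sample: each zone maps to its NS hostnames as listed in its
# zonefile. zone-a and zone-b delegate to each other; example.net uses
# in-bailiwick glue; shop.example.org depends on example.net (no cycle).
SAMPLE_ZONES = {
    "zone-a.example.": ["ns1.zone-b.example.", "ns2.zone-b.example."],
    "zone-b.example.": ["ns1.zone-a.example.", "ns2.zone-a.example."],
    "example.net.": ["ns1.example.net.", "ns2.example.net."],
    "shop.example.org.": ["ns1.example.net."],
}

def parent_zone(name, zones):
    """Return the longest audited zone that contains `name` (the zone that
    must answer for the NS host's address), or None if no audited zone does."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None

def dependency_graph(zones):
    """zone -> set of other audited zones whose data it needs to be resolved.
    A zone whose NS names live inside itself (glue) depends on nothing."""
    graph = defaultdict(set)
    for zone, ns_names in zones.items():
        for ns in ns_names:
            owner = parent_zone(ns, zones)
            if owner is not None and owner != zone:
                graph[zone].add(owner)
    return graph

def find_cycles(zones):
    """Return the set of zones on a dependency cycle: a resolver without
    cycle detection would bounce between them indefinitely."""
    graph = dependency_graph(zones)
    on_cycle = set()
    def dfs(node, path):
        if node in path:                      # back edge: every zone from the
            on_cycle.update(path[path.index(node):])  # repeat onward is looped
            return
        for nxt in graph.get(node, ()):
            dfs(nxt, path + [node])
    for zone in zones:
        dfs(zone, [])
    return on_cycle

if __name__ == "__main__":
    print("zones on a cyclic dependency:", sorted(find_cycles(SAMPLE_ZONES)))
```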
Operators of DNS recursive servers/forwarders should immediately contact the developers of their preferred DNS server/forwarder implementations to determine whether detection and caching of zone cyclic dependencies in query/response patterns have been implemented in deployed versions. If software updates are required to obtain such protections, DNS server/forwarder operators must rapidly test, validate, and deploy the updated versions incorporating these protections, while ensuring that situationally appropriate lab testing, pilot deployment, and change-control procedures are followed throughout the upgrade process. If the developers of a deployed DNS server/forwarder implementation are unable or unwilling to provide updated versions that incorporate the relevant detection and caching mechanisms, it is highly recommended that organizations migrate to alternative implementations that include these protections, following the testing, validation, piloting, and change-control process described above.
DNS forwarders present in IoT CPE devices such as consumer-grade broadband access routers must also be tested, remediated, and/or replaced per the above if they do not incorporate the relevant detection and caching mechanisms to prevent their abuse in TsuNAME DNS DDoS attacks.
All relevant DNS architectural and operational BCPs should be implemented by DNS server operators.
DNS authoritative server operators who suspect that their DNS servers are under a TsuNAME DNS DDoS attack should make use of standard DNS query- and response-analysis techniques, including packet capture, DNS server log analysis, etc., to identify TsuNAME-style zone cyclic dependency queries oscillating between specific domain(s).
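As an added example of that log analysis (not from this summary or any vendor tool), the following Python pass over constructed query-log lines in an assumed 'time client qname qtype' layout flags clients whose NS queries swing back and forth between two names, which is the oscillation pattern described above.

```python
"""Flag TsuNAME-style oscillating NS queries in an authoritative server's query
log. Added example over constructed lines in an assumed 'time client qname qtype' layout."""
import re
from collections import Counter, defaultdict

# Constructed sample: 198.51.100.7 and 192.0.2.44 swing between the two
# cyclically delegated zones; 203.0.113.9 is ordinary traffic.
SAMPLE_LOG = """\
12:00:00.001 198.51.100.7 zone-a.example NS
12:00:00.002 198.51.100.7 zone-b.example NS
12:00:00.003 198.51.100.7 zone-a.example NS
12:00:00.004 198.51.100.7 zone-b.example NS
12:00:00.005 198.51.100.7 zone-a.example NS
12:00:00.010 203.0.113.9 www.example.net A
12:00:00.011 203.0.113.9 example.net NS
12:00:00.012 192.0.2.44 zone-a.example NS
12:00:00.013 192.0.2.44 zone-b.example NS
12:00:00.014 192.0.2.44 zone-a.example NS
12:00:00.015 192.0.2.44 zone-b.example NS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Yield (client, qname, qtype) in log order; skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3).lower(), m.group(4).upper()

def oscillating_pairs(log, min_swings=2):
    """Per client, count A,B,A swings in its NS query stream (a query for A,
    then B, then A again). Returns {frozenset({A, B}): {client: swings}}
    for every pair that some client swung on at least `min_swings` times."""
    per_client = defaultdict(list)
    for client, qname, qtype in parse(log):
        if qtype == "NS":
            per_client[client].append(qname)
    flagged = defaultdict(dict)
    for client, names in per_client.items():
        swings = Counter()
        for i in range(1, len(names) - 1):
            if names[i - 1] == names[i + 1] != names[i]:
                swings[frozenset((names[i - 1], names[i]))] += 1
        for pair, n in swings.items():
            if n >= min_swings:
                flagged[pair][client] = n
    return dict(flagged)
```

The number of distinct clients reported per pair is a rough count of the recursors/forwarders being used as reflectors, which is the population the text says must be remediated.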
Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational BCPs have been implemented, including situationally specific network access policies that only permit internet traffic via required IP protocols and ports. Internet access traffic from internal organizational personnel should be segregated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.
DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services to ensure maximal responsiveness and flexibility during an attack.
It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/applications/datastores/infrastructure elements are protected against DDoS attack and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative and/or recursive DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.
Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources.
ASERT Threat Summary: ‘TsuNAME’ Zone Cyclic Dependency-Induced Recursive DNS Query Cascade DDoS Attack Mitigation Recommendations - May 2021 - v1.0.