
TsuNAME Vulnerability Can Be Exploited for DDoS Attacks on DNS Servers

Some DNS resolvers are affected by a vulnerability that can be exploited to launch distributed denial-of-service (DDoS) attacks against authoritative DNS servers, a group of researchers warned this week.


The flaw, dubbed TsuNAME, was discovered by researchers at SIDN Labs (the R&D team of the registry for .nl domains), InternetNZ (the registry for .nz domains), and the Information Sciences Institute (ISI) at the University of Southern California.

Impacted organizations were notified and given 90 days to take action before the vulnerability was disclosed. Google and Cisco, both of which operate widely used public DNS resolvers, have deployed patches for TsuNAME, but the researchers believe many resolvers are still vulnerable.

An attacker can abuse recursive resolvers affected by TsuNAME to send a large volume of queries to targeted authoritative servers, such as those run by TLD operators. The attacker does not need to control the resolvers; it is enough to register domains with the triggering misconfiguration and get vulnerable resolvers to look them up.

TsuNAME is triggered by a cyclic dependency: a configuration error in which the NS records for two zones point to each other, so that resolving either zone's name servers first requires resolving the other's. A resolver that does not detect the loop never reaches an answer and keeps re-querying the authoritative servers involved.

“TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers,” the researchers explained in a paper detailing the vulnerability.

They also explained in a separate advisory, “Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records. While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do.”

Such an incident was observed in 2020, when the authoritative servers for New Zealand’s .nz TLD saw a 50 percent increase in queries. Analysis showed that the surge was caused by just two domains misconfigured with cyclic dependencies.


“Notice that a simple misconfiguration of two domains led to 50% traffic growth. One may wonder what would happen if a motivated attacker would carry out this with hundreds or thousands of domains,” the researchers said.

At least two other similar incidents were observed in recent years: one involving a European country code TLD (ccTLD), whose query traffic grew tenfold during the incident, and one involving Google's resolvers sending a large volume of queries to the servers of an anycast operator.

The researchers have shared recommendations for both authoritative server operators and resolver software developers, and they have also released an open source tool, named CycleHunter, that zone operators can use to detect cyclic dependencies in their NS records before a resolver trips over them.
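The following is an added example written for this page; it is not code from the TsuNAME paper or from CycleHunter. It models the two points above: how a pair of zones whose NS records point at each other forms a cycle that a naive resolver never escapes, and how an operator can detect such cycles offline. The zone data is constructed (the `.test` names are placeholders), the dependency graph is built from an in-memory snapshot rather than live DNS queries as CycleHunter does, and the resolver simulation is a deliberately simplified model: one query per delegation step, and loop detection implemented as "stop when a zone already on the resolution chain comes up again", which is the author's illustration of a mitigation, not the specific fix any vendor shipped.

```python
"""Detect cyclic NS dependencies between zones and compare a looping
resolver with one that detects the loop. Added example, not CycleHunter."""

# Constructed sample data (not real domains): zone -> NS hostnames it delegates to.
# example-a and example-b point at each other; the others are healthy.
ZONES = {
    "example-a.test.": ["ns1.example-b.test.", "ns2.example-b.test."],
    "example-b.test.": ["ns1.example-a.test.", "ns2.example-a.test."],
    "healthy.test.": ["ns1.healthy.test."],        # in-bailiwick, served with glue
    "external.test.": ["ns1.provider.test."],      # depends on provider, no cycle
    "provider.test.": ["ns1.provider.test."],
}


def parent_zone(hostname, zones):
    """Return the zone in `zones` that `hostname` falls under (longest match), or None."""
    labels = hostname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def dependency_graph(zones):
    """Edge zone -> other zone whenever a zone's NS hostname lives in the other zone.
    A zone whose NS names are inside itself needs glue, not another zone, so that
    is not an edge."""
    graph = {zone: set() for zone in zones}
    for zone, nameservers in zones.items():
        for ns in nameservers:
            dep = parent_zone(ns, zones)
            if dep is not None and dep != zone:
                graph[zone].add(dep)
    return graph


def zones_in_cycles(graph):
    """Zones that can reach themselves through NS dependencies, i.e. the
    misconfiguration TsuNAME-vulnerable resolvers loop on."""
    cyclic = set()
    for start in graph:
        stack, seen = list(graph[start]), set()
        while stack:
            node = stack.pop()
            if node == start:
                cyclic.add(start)
                break
            if node in seen:
                continue
            seen.add(node)
            stack.extend(graph[node])
    return cyclic


def simulate_resolution(zone, graph, loop_detection, budget=1000):
    """Simplified model of a resolver chasing NS addresses for `zone`.
    Each step is one query to the authoritative side of the current zone.
    Returns (queries_sent, outcome). With loop_detection=False the resolver
    keeps going until the query budget runs out, which is the looping behaviour
    that adds up across many resolvers."""
    queries = 0
    chain = []              # zones whose NS we are currently trying to resolve
    current = zone
    while queries < budget:
        queries += 1
        deps = graph[current]
        if not deps:        # NS addresses obtainable (glue / independent zone)
            return queries, "resolved"
        if loop_detection and current in chain:
            return queries, "SERVFAIL (cycle detected)"
        chain.append(current)
        current = sorted(deps)[0]   # follow one out-of-bailiwick NS dependency
    return queries, "budget exhausted (still looping)"


if __name__ == "__main__":
    graph = dependency_graph(ZONES)
    print("cyclic zones:", sorted(zones_in_cycles(graph)))
    for detect in (True, False):
        print("loop detection", detect, "->",
              simulate_resolution("example-a.test.", graph, detect, budget=500))
```

Running the script on the constructed data flags `example-a.test.` and `example-b.test.` as cyclic and shows the contrast the researchers describe: the loop-detecting resolver gives up after a handful of queries, while the naive one spends its entire budget re-querying the same two zones. Against real zones, the operator-side check is to build the same graph from your delegation data (CycleHunter does this by querying the DNS) and fix any zone whose NS set cannot be resolved without passing through the zone itself.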

A dedicated website has been set up for the TsuNAME vulnerability.

Related: At Least 100 Million Devices Affected by “NAME:WRECK” DNS Flaws in TCP/IP Stacks

Related: NSA, DHS Issue Guidance on Protective DNS

Related: CISA Reminds Federal Agencies to Use Its DNS Service

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
