
Vulnerability in DNS Servers Discovered By Academics from Israel

A vulnerability in DNS servers that can be exploited to launch very large DDoS attacks was recently discovered by a team of academics from Israel. According to them, the attack affects recursive DNS servers and the DNS delegation process.

In a published research paper, academics from Tel Aviv University and The Interdisciplinary Center in Herzliya, Israel, said they found a way to abuse this delegation process for DDoS attacks.

The NXNSAttack technique has several aspects and variants, but the basic steps are as follows:

1) The attacker sends a DNS query to a recursive DNS server. The request is for a domain like ",", which is managed through an attacker-controlled authoritative DNS server.

2) Since the recursive DNS server is not authoritative for this domain, it forwards the query to the attacker's malicious authoritative DNS server.

3) The malicious DNS server replies to the recursive DNS server with a message that amounts to "I'm delegating this DNS resolution to this large list of name servers." The list contains a large number of subdomains of a victim website.

4) The recursive DNS server forwards the DNS query to all the subdomains on the list, producing a surge of traffic at the victim's authoritative DNS server.
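The delegation fan-out behind steps 1 to 4 can be modelled in a few lines. The following Python is an added illustration, not code from the paper or from any DNS implementation: it counts the queries a naive recursive resolver would send for one glue-less referral, and shows how a per-referral fetch cap (the kind of limit the patches introduced; the exact value and option name vary per vendor and are an assumption here) bounds the amplification. All names are constructed.

```python
"""Toy model of the NXNSAttack delegation fan-out and of a fetch cap.

Added illustration for this post; not code from the paper or from any DNS
implementation. It models query counts only, not DNS wire traffic.
"""
from collections import Counter
from typing import List, Optional, Tuple

# A referral is a list of (name server name, glue address or None).
Referral = List[Tuple[str, Optional[str]]]

def malicious_referral(n: int, victim_zone: str = "victim.example") -> Referral:
    """Referral an attacker-style authoritative server returns in step 3: n name
    servers under the victim's zone, none with glue, so the resolver has to
    look every address up itself (constructed data)."""
    return [(f"ns{i}.{victim_zone}", None) for i in range(n)]

def benign_referral() -> Referral:
    """Ordinary referral: two name servers that come with glue addresses."""
    return [("ns1.example.net", "192.0.2.10"), ("ns2.example.net", "192.0.2.11")]

def resolver_fanout(referral: Referral, max_fetch: Optional[int] = None) -> Counter:
    """Count the queries a recursive resolver sends while handling one referral.

    Assumptions: a name server with glue needs no extra query; one without glue
    costs one A and one AAAA query to the zone that owns the name. max_fetch,
    when set, limits how many glue-less names are chased per referral, the kind
    of cap the mitigations introduced (value and option name are assumptions,
    not any vendor's actual setting). Returns queries keyed by target zone.
    """
    sent: Counter = Counter()
    fetched = 0
    for ns_name, glue in referral:
        if glue is not None:
            continue  # address already known, nothing to fetch
        if max_fetch is not None and fetched >= max_fetch:
            break     # cap reached: stop chasing further names
        zone = ns_name.partition(".")[2] or ns_name
        sent[zone] += 2
        fetched += 1
    return sent

def amplification(referral: Referral, max_fetch: Optional[int] = None) -> int:
    """Queries sent towards other servers per single inbound attacker query."""
    return sum(resolver_fanout(referral, max_fetch).values())

if __name__ == "__main__":
    print("benign:", amplification(benign_referral()))                        # 0
    print("malicious, no cap:", amplification(malicious_referral(1000)))      # 2000
    print("malicious, cap 10:", amplification(malicious_referral(1000), 10))  # 20
```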

The Israeli researchers said they have spent the past few months working with DNS software vendors, content delivery networks, and managed DNS providers to apply mitigations to DNS servers around the world.

Affected software includes ISC BIND (CVE-2020-8616), NLnet Labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667), as well as commercial DNS services provided by organizations such as Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9, and ICANN.

Patches have been released over the previous weeks. They include mitigations that stop attackers from abusing the DNS delegation process to flood other DNS servers.

The research team's work is detailed in an academic paper entitled "NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities," available for download in PDF format.

4G Network Is Under Attack!

Yesterday a team of academics published a research report describing three attacks against the mobile communication standard LTE (Long Term Evolution), also known as the 4G network.

According to the researchers, two of the three attacks are passive: they allow an attacker to gather meta-information about the user's activity and also to determine which sites a user visits through his LTE device. The third is an active attack, which gives the attacker the chance to manipulate data sent to the user's LTE device.

Researchers nicknamed the active attack aLTEr because of its intrusive capabilities, which they used in their experiments to redirect users to malicious sites by altering DNS packets.

However, the researchers said that regular users have nothing to fear for now, as carrying out any of the three attacks requires very specialized and costly hardware, along with custom software, which largely puts this kind of attack out of the reach of most cyber criminals.

"We conducted the attacks in an experimental setup in our lab that depends on special hardware and a controlled environment," researchers said. "These requirements are, at the moment, hard to meet in real LTE networks. However, with some engineering effort, our attacks can also be performed in the wild."

The equipment needed to pull off such attacks is essentially the same as the so-called "IMSI catchers" or "Stingray" devices, equipment used by law enforcement around the globe to trick a target's phone into connecting to a fake telecommunication tower.

The difference between an aLTEr attack and a classic IMSI catcher is that IMSI catchers perform a passive MitM attack to determine the target's geographic location, while aLTEr can actually alter what the user views on his/her device.

As for the technical details, the three vulnerabilities exist in one of the two LTE layers, the data layer, which transports the user's actual data. The other layer is the control layer, which sets up and maintains the user's 4G connection.

According to the researchers, the vulnerabilities exist because the data layer is not protected, so an attacker can capture, modify, and then forward the altered packets to the actual cell tower.

The research team, made up of three researchers from Ruhr-University Bochum, Germany, and a specialist from New York University, say they have warned the relevant institutions, such as the GSM Association (GSMA), the 3rd Generation Partnership Project (3GPP), and the telephone companies, about the issues they found.

They cautioned that the issue could also affect the upcoming 5G standard in its present form. Experts said that the 5G standard includes additional security features to prevent aLTEr attacks; however, these are currently optional.

The research team has published its findings in a research paper entitled "Breaking LTE on Layer Two," which they intend to present at the 2019 IEEE Symposium on Security and Privacy, to be held in May 2019 in San Francisco.

Below is a link to a demo of an aLTEr attack recorded by the researchers.

DDOS attack brings the Internet to its knees

The fight between a spam-fighting company called "Spamhaus" and a web hosting company called "Cyberbunker" has slowed down a large part of the internet by making DNS resolution slow.

The reason behind the attack is that Spamhaus added Cyberbunker's IP addresses to its "spam" list, since Cyberbunker allows almost any sort of content to be hosted and may therefore also be a source of spam. So Cyberbunker attacked back, and this attack also affected normal internet users.

The attack was possible because of the large number of vulnerable DNS servers that allow open DNS resolving. Simply put, an attack exploiting this type of vulnerability uses the DNS server to increase the intensity of the attack 100-fold.

The origins of this type of attack go back to the 1990s, to an attack called the "smurf attack".

But now the attack method has become more efficient and uses DNS amplification to flood the victim: spoofed requests are sent to the DNS servers by a botnet of compromised computers. The attack at its peak reached 300 Gbps, making it the largest DDoS attack in history.
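As an added illustration (not from this post or from Cloudflare's analysis), the following Python makes the two points above concrete over constructed resolver log lines: the reply sizes of an open resolver versus the request sizes give the amplification ratio a spoofed source ends up receiving, and a recursion allow-list refuses queries from addresses the resolver was never meant to serve. The log format, addresses and byte counts are all constructed.

```python
"""Reflection check for a recursive resolver, run over constructed log lines.

Added illustration for this post, not Cloudflare's analysis or any resolver's
own code. Log format, addresses and byte counts are constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed log: client, qname, qtype, request bytes, response bytes.
LOG = """\
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
10.0.0.25 www.example.com A 57 73
10.0.0.31 mail.example.com MX 60 140
203.0.113.9 example.org ANY 64 3200
"""

# Networks this resolver is meant to serve (assumption: an internal network).
ALLOW_RECURSION = [ipaddress.ip_network("10.0.0.0/8")]

def parse_log(text: str) -> List[dict]:
    """Turn the constructed log into rows with a parsed client address."""
    rows = []
    for line in text.splitlines():
        client, qname, qtype, req, resp = line.split()
        rows.append({"client": ipaddress.ip_address(client), "qname": qname,
                     "qtype": qtype, "req": int(req), "resp": int(resp)})
    return rows

def recursion_allowed(client) -> bool:
    """An open resolver answers everyone; a restricted one only listed networks."""
    return any(client in net for net in ALLOW_RECURSION)

def amplification_by_client(rows) -> Dict[str, float]:
    """Response bytes / request bytes per client address. In a reflection
    attack the client address is the spoofed victim, so this is the factor
    the victim is hit with if the resolver answers everything."""
    totals: Dict[str, List[int]] = {}
    for r in rows:
        t = totals.setdefault(str(r["client"]), [0, 0])
        t[0] += r["req"]
        t[1] += r["resp"]
    return {c: round(resp / req, 1) for c, (req, resp) in totals.items()}

def refused_if_restricted(rows) -> List[str]:
    """Clients a recursion allow-list would refuse: exactly the traffic an
    open resolver would instead have reflected towards them."""
    return sorted({str(r["client"]) for r in rows if not recursion_allowed(r["client"])})
```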

Cyberbunker, which claims to be a supporter of free speech and a defender against the "big bullies", seems to have stooped to their level by using aggressive offensive methods that affect the normal functioning of the internet. This is not the way to go!

The people who run DNS resolvers are equally responsible for these attacks, as it is their vulnerable servers that make these attacks possible; the internet community should come up with a PERMANENT solution to this problem.

Please read Cloudflare's blog post for a detailed analysis: