ABSTRACT
We present a new attack, Disablance, that disrupts load balancing for authoritative DNS servers. We discovered a prevalent nameserver misconfiguration and an implementation decision in mainstream DNS software that an adversary can leverage to divert legitimate DNS traffic to a targeted nameserver. Through a systematic evaluation, we confirmed that Disablance is realistic, efficient, and prevalent. In total, 22.24% of the top 1M FQDNs and 3.94% of the top 1M SLDs can be victims of Disablance. In addition, a number of stable open resolvers and several well-known public DNS service providers are also exploitable. Moving forward, we provided suggestions to mitigate the threat of Disablance and responsibly disclosed this issue to service providers. As of the time of writing this paper, several renowned vendors have taken action to fix it.
Recommendations
Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain name owners are required to deploy multiple candidate nameservers for ...