As part of a new study, Prof. Yehuda Afek of TAU’s Blavatnik School of Computer Science, the Blavatnik Interdisciplinary Cyber Research Center and the Checkpoint Institute, and Prof. Anat Bremler-Barr, Vice Dean of IDC's Efi Arazi School of Computer Science, with the help of TAU doctoral student Lior Shafir, provide an in-depth description of a new technique that may allow a small number of computers to carry out a DDoS attack on a massive scale, a danger for critical infrastructure.
In addition to their study, the researchers contacted Google, Microsoft, Cloudflare, Amazon, Dyn (now owned by Oracle), Verisign, and Quad9, leading them to update their DNS software in response to the threat. Consequently, Prof. Afek and Prof. Bremler-Barr have been responsible for stopping hundreds of cyberattacks.
Referencing a major cyberattack in 2016 that crippled Amazon, Reddit, Spotify and Slack along the US east coast, the researchers suggest the cause may have been a weakness within the DNS.
“The DNS is the essential Internet directory. In fact, without the DNS, the Internet cannot function. As part of a study of various aspects of the DNS, we discovered to our surprise a very serious breach that could attack the DNS and disable large portions of the network,” Prof. Bremler-Barr explained.
“The attack in 2016 used over 1M IoT devices, whereas here we see the same impact with only a few hundred,” added Prof. Afek. “We are talking about a major amplification, a major cyberattack that could disable critical parts of the internet.”
Dubbed “NXNSAttack” (Non Existent Name Server Attack), the newly discovered technique takes advantage of a flaw in common DNS software, the software that converts the domain names you click or type into the address bar of your browser into IP addresses. The NXNSAttack can lead a DNS server to issue hundreds of thousands of requests in response to a single request from the attacker, crashing the system.
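As an added illustration, not code from the researchers or from any DNS vendor, the following Python model counts the queries a recursive resolver sends when it follows a referral from an authoritative server. The mechanism it models, a delegation that lists many nameserver hostnames without supplying their addresses so that the resolver has to look each one up itself, is the fan-out the researchers describe in their published paper; the article above only says the resolver is "redirected". The zone names, the 1000-name referral, the lookup limit of 20 and the `flag_excessive_fanout` threshold are constructed assumptions, and the per-referral limit stands in for the kind of bound the updated resolver software applies.

```python
"""Toy model of resolver fan-out on a DNS referral, and the effect of capping it.

Constructed simulation (not the researchers' code) showing why one client query
can turn into many resolver queries, and what a per-referral lookup limit does.
"""
from dataclasses import dataclass, field


@dataclass
class Referral:
    """What an authoritative server hands back when it delegates a zone."""
    zone: str
    ns_names: list                              # NS hostnames for the delegated zone
    glue: dict = field(default_factory=dict)    # hostname -> IP address, when provided


class ResolverModel:
    """Counts the queries a recursive resolver sends while following one referral.

    max_ns_lookups: hypothetical per-referral limit on how many glueless NS names
    the resolver will resolve (None = unbounded, the pre-fix behaviour).
    """

    def __init__(self, max_ns_lookups=None):
        self.max_ns_lookups = max_ns_lookups

    def queries_for(self, referral):
        queries = 1   # the query that produced the referral
        lookups = 0
        for ns in referral.ns_names:
            if ns in referral.glue:
                continue  # address supplied in the referral: no extra query needed
            if self.max_ns_lookups is not None and lookups >= self.max_ns_lookups:
                break     # limit reached: stop chasing further NS names
            lookups += 1
            queries += 1  # one address query per glueless NS name
        return queries


def amplification(referral, max_ns_lookups=None):
    """Resolver queries triggered by a single client query (amplification factor)."""
    return ResolverModel(max_ns_lookups).queries_for(referral)


def flag_excessive_fanout(referral, threshold=20):
    """Defender-side check: count NS names in a referral that carry no glue.

    Returns (flagged, glueless_count); flagged is True above the threshold.
    """
    glueless = [ns for ns in referral.ns_names if ns not in referral.glue]
    return len(glueless) > threshold, len(glueless)


# Constructed inputs (hypothetical zones and hostnames, not real ones).
BENIGN = Referral(
    zone="example-zone.test",
    ns_names=["ns1.example-zone.test", "ns2.example-zone.test"],
    glue={"ns1.example-zone.test": "192.0.2.1", "ns2.example-zone.test": "192.0.2.2"},
)
# A referral that names many servers and supplies an address for none of them.
GLUELESS_FANOUT = Referral(
    zone="fanout-zone.test",
    ns_names=[f"ns{i}.fanout-zone.test" for i in range(1000)],
)

if __name__ == "__main__":
    print("benign referral, no cap:   ", amplification(BENIGN))
    print("glueless fan-out, no cap:  ", amplification(GLUELESS_FANOUT))
    print("glueless fan-out, cap 20:  ", amplification(GLUELESS_FANOUT, 20))
    print("fan-out flagged:           ", flag_excessive_fanout(GLUELESS_FANOUT))
```

Run as-is the model shows the benign, glued referral costing one query, the unbounded resolver turning one client query into 1001, and the capped resolver stopping at 21; the cap is what turns the amplification from "as many names as the referral lists" into a fixed constant, which is the property a resolver operator wants to verify after applying the vendor updates mentioned above.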
“To mount the NXNSattack,” Prof. Afek notes, “a hacker acquires, for a price, or simply penetrates an authoritative server, redirecting the resolver to send hundreds of thousands of requests to the servers.”
“The attacker sends such a request multiple times over a long period of time, which generates a tsunami of requests between the DNS servers, which are subsequently overwhelmed and unable to respond to the legitimate requests of actual legitimate users.”
“A hacker that discovered this vulnerability would have used it to generate an attack targeting either a resolver or an authoritative DNS server in particular locations in the DNS system. In either case, the attacked server would be incapacitated and its services blocked, unable to function due to the overwhelming number of requests it got. It would prevent legitimate users from reaching the resources on the Internet they sought,” Shafir described.
“Our discovery has prevented major potential damage to web services used by millions of users worldwide. The 2016 cyberattack, which is considered the greatest in history, knocked down much of the Internet in the US, but an attack like the one we now prevented could have been more than 800 times more powerful,” concludes Prof. Afek.