TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers

Abstract

In this paper, we present a new DNS amplification attack, named TsuKing. Instead of exploiting individual DNS resolvers independently to achieve an amplification effect, TsuKing deftly coordinates numerous vulnerable DNS resolvers and crafted queries together to form potent DoS amplifiers. We demonstrate that with TsuKing, an initial small amplification factor can increase exponentially through the internal layers of coordinated amplifiers, resulting in an extremely powerful amplification attack. TsuKing has three variants, including DNSRetry, DNSChain, and DNSLoop, all of which exploit a suite of inconsistent DNS implementations to achieve enormous amplification effect. With comprehensive measurements, we found that about 14.5% of 1.3M open DNS resolvers are potentially vulnerable to TsuKing. Real-world controlled evaluations indicated that attackers can achieve a packet amplification factor of at least 3,700× (DNSChain). We have reported vulnerabilities to affected vendors and provided them with mitigation recommendations. We have received positive responses from 6 vendors, including Unbound, MikroTik, and AliDNS, and 3 CVEs were assigned. Some of them are implementing our recommendations.

Publication
In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. Copenhagen, Denmark, November 26–30, 2023. (Acceptance rate: 158/795=19.9%, Acceptance rate in first round: ??%, Acceptance rate in second round: ??%).
* ⓘ Both authors contributed equally to the paper.
* Presented in OARC 41.
* Presented in Black Hat Europe 2023

Overview

In this paper, we present the TsuKing attack.

More details coming soon.

TsuKing: https://tsuking.net/

CVE (3)

Presentation