DNSBomb: A New Practical-and-Powerful Pulsing DoS Attack Exploiting DNS Queries-and-Responses


DNS employs a variety of mechanisms to guarantee availability, protect security, and enhance reliability. In this paper, however, we reveal that these inherent beneficial mechanisms, including timeout, query aggregation, and response fast-returning, can be transformed into malicious attack vectors. We propose a new practical and powerful pulsing DoS attack, dubbed the DNSBomb attack. DNSBomb exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems. Through an extensive evaluation on 10 mainstream DNS software, 46 public DNS services, and around 1.8M open DNS resolvers, we demonstrate all DNS resolvers could be exploited to conduct more practical-and-powerful DNSBomb attacks than previous pulsing DoS attacks. Small-scale experiments show the peak pulse magnitude can approach 8.7Gb/s and the bandwidth amplification factor could exceed 20,000x. Our controlled attacks cause complete packet loss or service degradation on both stateless and stateful connections (TCP, UDP, and QUIC). In addition, we present effective mitigation solutions with detailed evaluations. We have responsibly reported our findings to all affected vendors, and received acknowledgement from 24 of them, which are patching their software using our solutions, such as BIND, Unbound, PowerDNS, and Knot. 10 CVE-IDs are assigned.

In Proceedings of 2024 IEEE Symposium on Security and Privacy. San Francisco, California, May 20–23, 2024. (Acceptance rate: ??%, Acceptance rate in first cycle: ??%, Acceptance rate in second cycle: ??%, Acceptance rate in third cycle: ??%).
* Presented in GeekCon 2023 (Second Prize).
* 40+ news coverage by media, such as The Hacker News, Cyber Security News, and dns-operation


DNSBomb is a new practical and powerful pulsing DoS attack exploiting DNS queries and responses.

We concluded that ANY SYSTEM or MECHANISM, which can aggregate “things”, could be exploited to construct the pulsing DoS traffic, such as DNS and CDN.

Please join us to find more if you can! It is very interesting.

DNSBomb: https://dnsbomb.net/

CVE (11)



Xiang Li
Xiang Li
Ph.D. Candidate in Cyberspace Security (Tsinghua University)

Xiang Li is a 5th-year Ph.D. candidate at the Institute of Network Science and Cyberspace, Tsinghua University, advised by Professors Qi Li and Haixin Duan. His research interests include network security, protocol security, IPv6 security, DNS security, Internet measurement, network & protocol fuzzing, network vulnerability discovery & attack, and underground economy with 18 research papers. As the first author, he has published many research papers at all top-tier security conferences, including Oakland S&P, USENIX Security, CCS, NDSS, and Black Hat (Asia, USA, and Europe). He applied for 11 patents (1 authorized and 5 in checking as the first author). He has obtained over 200 CVE/CNVD/CNNVD vulnerability numbers, more than $11,600 rewards, 330+ GitHub stars, multiple CERT reports, 100+ news coverage, and RFC acknowledgement. He got multiple prizes, such as 1st prize of IPv6 Technology Application Innovation Competition, 2nd prize of GeekCon 2023 DAF Contest, National Scholarship, Wang Dazhong Scholarship, Tsinghua Outstanding Scholarship, and Extraordinary Hacker of GeekCon International 2024.