430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

TsuNAME flaw exposes DNS servers to DDoS attacks

A flaw in some DNS resolvers, tracked as TsuNAME, can allow attackers to launch DDoS attacks against authoritative DNS servers. Researchers at SIDN Labs (the R&D team of the registry for .nl domains), InternetNZ (the registry for .nz domains), and the Information Science Institute at the University of Southern California has discovered a vulnerability, named […]

tsuname

A flaw in some DNS resolvers, tracked as TsuNAME, can allow attackers to launch DDoS attacks against authoritative DNS servers.

Researchers at SIDN Labs (the R&D team of the registry for .nl domains), InternetNZ (the registry for .nz domains), and the Information Science Institute at the University of Southern California has discovered a vulnerability, named TsuNAME, in some DNS resolvers.

The flaw can be exploited by attackers to launch distributed denial-of-service (DDoS) attacks against authoritative DNS servers.

The experts examined the specific case of cyclic dependency, an error that occurs when NS records for two delgations point to each other. NS records define authoritative servers used to resolve a domain, but when a cyclic dependency occurs, the two authoritative servers cannot definitively resolve the domain.

“TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers (we observe up to 5.6k queries/s).” reads the research paper published by the experts.

tsuname

The researchers disclosed the tsuNAME flaw during the DNS OARC35 workshop and shared their findings with impacted organizations giving 90 days to address it before the vulnerability was disclosed.

The experts discovered the flaw while analyzing production data from .nz, the country-code top-level domain (ccTLD) of New Zealand. Experts discovered that two misconfigured domains where the root cause of a 50% increase on overall traffic volume for the .nz’s authoritative servers. The experts reproduced TsuNAME using their own configuration showing how to exploit it to overwhelm any DNS Zone.

“Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records. While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do.” reads an advisory published by the researchers.

Google has already addressed the TsuNAME issue, but many other servers are still vulnerable to DDoS attacks.

The researchers have provided the following recommendations for resolver operators:

“To mitigate the traffic surge from resolvers to authoritative servers caused by the TsuNAME vulnerability, resolver operators should guarantee that their resolvers (i) do not loop in the presence of cyclic dependencies and (ii) cache the results of cyclic dependent records” continues the advisory.

The experts also provided recommendations for authoritative server operators to mitigate the flaw, they suggest detecting and removing cyclic dependencies from their zones. Experts also provided an open-source tool, named CycleHunter, that reads zone files and scrutinize NS records searching for cyclic dependencies.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, TsuNAME)

[adrotate banner=”5″]

[adrotate banner=”13″]