
Web Giants Scrambled to Head Off a Dangerous DDoS Technique

In October 2016, a botnet of hacked security cameras and internet routers called Mirai aimed a gargantuan flood of junk traffic at the servers of Dyn, one of the companies that provides the global directory for the web known as the Domain Name System or DNS. The attack took down Amazon, Reddit, Spotify, and Slack temporarily for users along the East Coast of the US. Now one group of researchers says that a vulnerability in DNS could allow a similar scale of attack, but requiring far fewer hacked computers. For months, the companies responsible for the internet's phone book have been rushing to fix it.

Today researchers from Tel Aviv University and the Interdisciplinary Center of Herzliya in Israel released new details of a technique they say could allow a relatively small number of computers to carry out distributed denial of service attacks on a massive scale, overwhelming targets with fraudulent requests for information until they're knocked offline. The DDoS technique, which the researchers called NXNSAttack, takes advantage of vulnerabilities in common DNS software. DNS converts the domain names you click or type into the address bar of your browser into IP addresses. But the NXNSAttack can cause an unwitting DNS server to perform hundreds of thousands of requests every time a hacker's machine sends just one.

That multiplicative effect means that an attacker could use just a handful of hacked machines, or even their own devices, to carry out powerful DDoS attacks on DNS servers, potentially causing Mirai-scale disruption. "Mirai had like 100,000 IoT devices, and here I think you can have the same impact with only a few hundred devices," says Lior Shafir, one of the Tel Aviv University researchers, whose work was supervised by Yehuda Afek and IDC Herzliya's Anat Bremler-Barr. "It's a very serious amplification," Shafir adds. "You could use this to knock down critical parts of the internet."

Or at least you could have a few months ago. Since February, the researchers have alerted a broad collection of companies responsible for the internet's infrastructure to their findings. The researchers say those firms, including Google, Microsoft, Cloudflare, Amazon, Dyn (now owned by Oracle), Verisign, and Quad9 have all updated their software to address the problem, as have several makers of the DNS software those companies use.

While DNS amplification attacks aren't new, NXNSAttack represents a particularly explosive one. In some cases, the researchers say, it's capable of multiplying the bandwidth of just a few machines as much as 1,600-fold. And even after months of coordinated patching, corners of the internet may still remain vulnerable to the technique, says Dan Kaminsky, the chief scientist at security firm White Ops and a well-known DNS researcher. In 2008, Kaminsky found a fundamental flaw in DNS that threatened to allow hackers to redirect users trying to visit a website to a fraudulent site of their choosing, and similarly launched a coordinated fix across major DNS providers. Even then, it took months for Kaminsky's flaw—one that was far more serious than NXNSAttack—to be close to fully patched.

"There are a million of these things, and even if some of them are patched, there will always be one that hasn’t gotten an update," Kaminsky says of the DNS servers distributed around the internet. "This is very good work about how DNS can fail."

To grasp how the NXNSAttack works, it helps to understand the larger hierarchical structure of DNS across the internet. When a browser reaches out for a domain like google.com, it checks a DNS server to find out that domain's IP address, a number like 64.233.191.255. Typically those requests are answered by DNS "resolver" servers, controlled by DNS providers and internet service providers. But if those resolvers don't have the right IP address on hand, they ask an "authoritative" server associated with specific domains for an answer.


The NXNSAttack abuses the trusted communications between those different layers of the DNS hierarchy. It requires not only access to a collection of PCs or other devices—anything from a single computer to a botnet—but also the creation of DNS servers for a domain; call it "attacker.com." (The researchers argue anyone can put that set-up together for just a few dollars.) Then the attacker would send a barrage of requests from their devices for the domain they control, or more specifically a series of fake subdomains like 123.attacker.com, 456.attacker.com and so on, using strings of random numbers to constantly vary the subdomain requests.

Those attempted web visits would trigger a DNS provider's resolver server to check with an authoritative server—which in this case is the DNS server under the attacker's control. Instead of merely providing an IP address, that authoritative server would tell the resolver that it doesn't know the destination of the requested subdomains and direct the resolver to ask another DNS authoritative server for the IP address instead, passing off the request to a target domain of the attacker's choosing.

The researchers found that they could refer every request for one of those nonexistent subdomains at their own attacker.com domain to hundreds of nonexistent subdomains that all belong to a target domain, such as victim.com. Those hundreds of requests could allow a hacker to overwhelm not only the resolver DNS servers by tricking them into sending more requests than the servers can handle—potentially taking down part of the DNS provider's service, as happened in the Mirai botnet attack on Dyn—but also flooding the victim's authoritative DNS servers that receive those requests, which might take down that target victim.com site.
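A toy model of the fan-out described above, added here as an illustration and not code from the researchers or any DNS vendor: an in-memory resolver that chases every nameserver in a glue-less referral, beside the same resolver with an assumed per-referral cap on nameserver lookups. The zone names, the 1,000-nameserver referral and the cap value are constructed for the example; no packets are sent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Referral:
    """A delegation: 'ask these nameservers', with no glue addresses attached."""
    nameservers: List[str]

@dataclass
class QueryLog:
    """Counts outgoing resolver queries per destination zone."""
    sent: Dict[str, int] = field(default_factory=dict)

    def record(self, qname: str) -> None:
        zone = ".".join(qname.split(".")[-2:])  # ns17.victim.com -> victim.com
        self.sent[zone] = self.sent.get(zone, 0) + 1

def resolve(qname: str, authority: Dict[str, Referral], log: QueryLog,
            max_ns_fetch: Optional[int] = None) -> int:
    """Return the number of upstream queries issued to answer qname.

    A naive resolver that receives a glue-less referral looks up the address
    of every listed nameserver. With max_ns_fetch set (an assumed defensive
    cap, not any vendor's actual setting), it stops after that many names,
    which bounds the fan-out a single referral can cause.
    """
    log.record(qname)
    zone = ".".join(qname.split(".")[-2:])
    ref = authority.get(zone)
    if ref is None:
        return 1  # no delegation for this zone in the model: terminal answer
    chase = ref.nameservers if max_ns_fetch is None else ref.nameservers[:max_ns_fetch]
    return 1 + sum(resolve(ns, authority, log, max_ns_fetch) for ns in chase)

def amplification(n_fake_ns: int, max_ns_fetch: Optional[int]) -> Dict[str, int]:
    """Constructed scenario: attacker.com delegates to n_fake_ns names under
    victim.com. Returns queries per zone plus the total, for one incoming query."""
    authority = {"attacker.com": Referral(
        [f"ns{i}.victim.com" for i in range(n_fake_ns)])}
    log = QueryLog()
    total = resolve("123.attacker.com", authority, log, max_ns_fetch)
    return {**log.sent, "total": total}

if __name__ == "__main__":
    print(amplification(1000, None))  # naive resolver: 1000 queries reach victim.com
    print(amplification(1000, 5))     # capped resolver: 5 queries reach victim.com
```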

A well-defended target would likely detect that a single malicious DNS server was behind the attack and stop responding to requests referred from the attacker's domain. But the University of Tel Aviv's Shafir points out that attackers can use several domains to vary the attack and prolong the pain. "You can have dozens like this and change them every few minutes," Shafir says. "It's very easy."

In another variant of the attack, the researchers found a hacker could even direct NXNSAttack at nonexistent top-level domains—fake suffixes of web addresses like ".fake"—to attack the so-called root servers that keep track of where authoritative servers can be found for top-level domains like .com and .gov. While those root servers are generally designed to have very large bandwidth, the researchers say they could request more fake domains from those target servers than they could for fake subdomains in the other versions of their attack, potentially multiplying every request by more than a thousandfold and threatening large portions of the entire web.

"When you try to attack a root server, the attack becomes much more destructive," says Shafir. "We cannot prove that they can be knocked down because they're very strong servers, but the amplification is very high and these are the most important assets. Parts of the internet would not work at all in this worst case."


When WIRED reached out to a collection of the internet's main DNS providers, Google, Microsoft, and Amazon didn't immediately respond. Dyn's parent company Oracle said it was looking into the research. "The NXNSAttack has a large amplification factor for some DNS implementations, but for Cloudflare the amplification was small and it has been reduced by recent changes to our DNS software," wrote Cloudflare's chief technology officer John Graham-Cumming. "Because DNS amplification is a common problem that the industry deals with, Cloudflare already had in place mitigations to prevent our service being used for large amplification attacks."

John Todd, the executive director of the nonprofit DNS provider Quad9, wrote in an email that "this threat is/was quite real," but also noted that it's "somewhat complex to deploy and leaves some fingerprints," since the attacker would have to run their own DNS domains. He also noted that most enterprise DNS servers are set to respond only to IP addresses from within the company that owns them, though internet service providers are more likely to be vulnerable to having their DNS servers hijacked by the NXNSAttack technique.

Given the widespread patching already in place, NXNSAttack likely represents less of a critical threat than it does a reminder of how the infrastructure of the internet has to be constantly maintained and protected.

"From my perspective, I'm just ecstatic that the kind of cooperation that I got back in 2008 is still happening in 2020," White Ops' Kaminsky says. "The internet is not something that would survive if it weren't being actively patched back together every time someone set something on fire."
