Does Your DNS Recursion Really Time Out as Intended? A Timeout Vulnerability of DNS Recursive Servers
DNS recursive servers perform time-consuming recursions on behalf of their clients and, to keep up, run many such recursions in parallel. In common configurations a recursive server grants each recursion a reasonable timeout, since a single recursion may legitimately take several seconds. This paper shows that recursion parallelization can be exploited to defeat the recursion timeout mechanism for the purpose of DoS or DDoS attacks: by saturating the server's recursion parallelism, an attacker can make the server drop existing in-service recursions well before their configured timeout expires. The key to the proposed attack model is to reliably prolong the service time of every attack query. To this end, several techniques are proposed that, respectively, avoid cache hits and prolong the overall latency of the external DNS lookups. The impact of saturated recursion parallelization on the effective timeout is derived analytically. Tests on BIND servers demonstrate that, with carefully crafted queries, an attacker needs only a low or moderate query load to prevent a target recursive server from serving its legitimate clients.
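The mechanism the abstract describes, a fixed recursion quota that is saturated so the resolver discards in-flight recursions long before their timeout, can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the paper and not BIND's implementation. Its modelling choices are assumptions, not facts taken from the abstract: the resolver holds at most `slots` recursions at once, a query arriving while every slot is busy evicts the oldest in-flight recursion, attack queries arrive at a constant rate, and each keeps its slot busy for a fixed `attack_service` seconds (standing in for a guaranteed cache miss with slow external lookups). Under those assumptions the example also carries through the analytic point: once `attack_rate * attack_service` exceeds the quota, every recursion, legitimate or not, survives only about `slots / attack_rate` seconds, however generous the configured timeout is.

```python
"""Toy model of a recursive resolver with a fixed recursion-parallelism quota.

Added example; not code from the paper or from BIND. Modelling assumptions
made here for illustration (the abstract does not specify them):
  * at most `slots` recursions are in flight at any time;
  * a query arriving while every slot is busy evicts the oldest in-flight
    recursion early (its client gets a failure instead of an answer);
  * attack queries arrive at a constant rate and each occupies its slot for
    `attack_service` seconds (guaranteed cache miss, slow external lookups).
"""
from dataclasses import dataclass, field


@dataclass
class Recursion:
    start: float
    service: float   # seconds of outstanding external lookups before an answer
    legit: bool


@dataclass
class Stats:
    legit_completed: int = 0
    legit_dropped: int = 0
    legit_timed_out: int = 0
    attack_dropped: int = 0
    drop_lifetimes: list = field(default_factory=list)        # all early drops
    legit_drop_lifetimes: list = field(default_factory=list)  # legit drops only


def effective_timeout(slots, timeout, attack_rate, attack_service):
    """Analytic view of how long a recursion can actually stay in flight.

    By Little's law the steady-state occupancy is attack_rate * attack_service.
    If that stays below `slots`, nothing is evicted and the configured timeout
    stands. Once the quota saturates, each arrival evicts one recursion, so any
    recursion lives only slots / attack_rate seconds, whatever the timeout says.
    """
    if attack_rate * attack_service < slots:
        return timeout
    return min(timeout, slots / attack_rate)


def simulate(slots, timeout, attack_rate, attack_service, legit, horizon):
    """Event-driven simulation over `horizon` seconds.

    `legit` is a list of (arrival_time, service_seconds) for legitimate queries.
    Attack arrivals are generated at k / attack_rate for k = 0, 1, ...
    """
    events = [(k / attack_rate, 1, attack_service, False)
              for k in range(int(attack_rate * horizon))]
    events += [(t, 0, s, True) for t, s in legit]   # legit first on a tie
    events.sort()
    inflight = []          # oldest first
    stats = Stats()
    for now, _, service, is_legit in events:
        # Retire recursions that have answered or hit the configured timeout.
        keep = []
        for r in inflight:
            if r.start + r.service <= now:
                if r.legit:
                    stats.legit_completed += 1
            elif r.start + timeout <= now:
                if r.legit:
                    stats.legit_timed_out += 1
            else:
                keep.append(r)
        inflight = keep
        # Quota full: the oldest in-flight recursion is dropped early.
        if len(inflight) >= slots:
            victim = inflight.pop(0)
            lifetime = now - victim.start
            stats.drop_lifetimes.append(lifetime)
            if victim.legit:
                stats.legit_dropped += 1
                stats.legit_drop_lifetimes.append(lifetime)
            else:
                stats.attack_dropped += 1
        inflight.append(Recursion(now, service, is_legit))
    return stats


if __name__ == "__main__":
    # Constructed scenario: 100 slots, 10 s timeout, 50 attack qps holding
    # slots for 8 s each; one legitimate query at t=5.001 s that needs 3 s.
    for attack_service in (8.0, 1.0):
        st = simulate(slots=100, timeout=10.0, attack_rate=50,
                      attack_service=attack_service,
                      legit=[(5.001, 3.0)], horizon=10.0)
        print(f"attack_service={attack_service}s  analytic effective timeout="
              f"{effective_timeout(100, 10.0, 50, attack_service):.3f}s  "
              f"legit completed={st.legit_completed} dropped={st.legit_dropped} "
              f"legit drop lifetimes={[round(x, 3) for x in st.legit_drop_lifetimes]}")
```

In the saturated run the legitimate 3 s recursion is evicted after roughly 2 s (100 slots / 50 qps), matching `effective_timeout`, even though the configured timeout is 10 s; with attack queries that only hold a slot for 1 s the occupancy settles at 50 of 100 slots, nothing is evicted, and the same legitimate query completes. The difference between the two runs is exactly the paper's point about needing to reliably prolong attack-query service time rather than raise query volume.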