DNSBomb: A New DoS Threat Targeting Critical Internet Infrastructure

A new type of Distributed Denial of Service (DDoS) attack, identified by researchers at Tsinghua University, has emerged, targeting the Domain Name System (DNS) infrastructure. This attack, known as DNSBomb, manipulates DNS traffic in a way that threatens critical internet systems.


DNSBomb leverages the recursive nature of DNS resolvers to amplify traffic exponentially. Here’s how it operates:

  • Recursive DNS Reflection Attack: Attackers forge malicious DNS queries, reflecting them off DNS resolvers across the network.
  • Traffic Amplification: The recursive nature of these queries amplifies traffic up to 8.7 Gbps, flooding the targeted infrastructure.
  • Target Systems: DNS servers and Content Delivery Networks (CDNs) are the most vulnerable, as they aggregate and distribute traffic across the internet.
Figure: How DNSBomb Attack Works (Source: xakep.ru)

What are the Technical Details of DNSBomb?

  • Query Crafting: Attackers use well-crafted DNS queries to exploit the recursive nature of DNS resolvers. By manipulating the authority and response sections of DNS queries, they create an amplification effect, significantly increasing traffic volumes.
  • Amplification Factor: Researchers at Tsinghua University verified that all DNS resolvers on the internet are vulnerable to this attack. Small-scale experiments show a peak pulse magnitude approaching 8.7 Gbps and a bandwidth amplification factor exceeding 20,000x.

How Severe Can the Impact Be?

  • Traffic Volume: Up to 8.7 Gbps, enough to cripple even the most robust infrastructures.
  • Service Degradation: Significant packet loss and latency, leading to reduced service quality for end-users.
  • Operational Disruption: DNS servers and CDNs face operational failures, causing many dependent services to come to a standstill.
  • Connection Types: Affects stateful and stateless connections, including TCP, UDP, and QUIC.

What Defensive Mechanisms Can Be Employed?

  • Rate Limiting and Filtering: Implement per-source rate limiting and filtering of DNS queries so that a single client cannot push the resolver into generating malicious traffic volumes.
  • DNS Resolver Security: Harden the security parameters of DNS resolvers to prevent exploitation.
  • Regular Updates: Regularly update DNS software to patch known vulnerabilities.
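The rate-limiting measure above is easiest to reason about as a per-source token bucket. The following is an added example, not code from the SOCRadar post or from any resolver: it applies such a bucket to a constructed query log (epoch seconds, source IP, name, type) and reports which sources would have been throttled. The log format, the 5 queries/second rate, the burst of 10 and the 50% drop-ratio threshold are all assumptions chosen for illustration.

```python
"""Per-source DNS query rate limiting as a token bucket (added example).

Constructed for illustration: the log line format "<epoch> <src_ip> <qname> <qtype>",
the rate/burst values and the flagging threshold are not taken from any resolver.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float            # tokens (queries) refilled per second
    burst: float           # bucket capacity, i.e. the largest burst admitted at once
    tokens: float = field(init=False)
    last: float = 0.0      # timestamp of the previous check

    def __post_init__(self) -> None:
        self.tokens = self.burst  # a new source starts with a full bucket

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class DnsRateLimiter:
    """One bucket per source address; unknown sources get a fresh bucket."""

    def __init__(self, rate: float, burst: float) -> None:
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def check(self, src_ip: str, now: float) -> bool:
        return self.buckets[src_ip].allow(now)


def parse_line(line: str):
    """Parse the constructed log format: '<epoch_seconds> <src_ip> <qname> <qtype>'."""
    ts, src, qname, qtype = line.split()
    return float(ts), src, qname, qtype


def apply_rate_limit(lines, rate: float = 5.0, burst: float = 10.0) -> dict:
    """Return {src_ip: {"allowed": n, "dropped": m}} for the given log lines."""
    limiter = DnsRateLimiter(rate, burst)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for line in lines:
        ts, src, _qname, _qtype = parse_line(line)
        outcome = "allowed" if limiter.check(src, ts) else "dropped"
        stats[src][outcome] += 1
    return dict(stats)


def flag_sources(stats: dict, drop_ratio: float = 0.5) -> list:
    """Sources whose dropped share exceeds drop_ratio, for alerting or blocklisting."""
    flagged = []
    for src, counts in stats.items():
        total = counts["allowed"] + counts["dropped"]
        if total and counts["dropped"] / total > drop_ratio:
            flagged.append(src)
    return sorted(flagged)


# Constructed sample: one well-behaved client and one source firing 30 queries in
# the same instant, then one more query two seconds later (bucket has refilled).
SAMPLE_LOG = (
    [
        "100.0 192.0.2.10 www.example.com A",
        "100.5 192.0.2.10 mail.example.com MX",
        "101.0 192.0.2.10 example.com AAAA",
    ]
    + [f"100.0 198.51.100.7 host{i}.example.net A" for i in range(30)]
    + ["102.0 198.51.100.7 example.net A"]
)

if __name__ == "__main__":
    result = apply_rate_limit(SAMPLE_LOG)
    for src, counts in result.items():
        print(src, counts)
    print("flagged:", flag_sources(result))
```

With the assumed settings the well-behaved client is untouched, while the bursty source gets its first 10 queries through, has the next 20 dropped, and is admitted again once two seconds of refill have elapsed. In a real deployment the per-source key should be the client network (for example a /24 or /56) rather than a single address, since amplification traffic is spoofed and spread across addresses.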

How Have Vendors Responded to DNSBomb?

As a result of this research, effective fixes were designed and disclosed to affected vendors. This work has led to acknowledgments by 24 vendors, including BIND, Unbound, PowerDNS, and Knot maintainers. In total, 10 CVE-IDs were allocated for vulnerabilities discovered as part of this research.

What Tools Does SOCRadar Offer for Defense?

To effectively safeguard against DDoS attacks, it’s crucial to understand their mechanisms and analyze prevailing tactics. SOCRadar offers a DoS Resilience tool for free to measure your domain’s or subnet’s resilience against DoS attacks. After assessing your strengths and weaknesses, you can utilize the SOCRadar Attack Surface Management module to take appropriate action.

Figure: SOCRadar DoS Resilience Module

Why is DNSBomb a Significant Threat?

DNSBomb represents a significant leap in attack techniques, threatening critical internet infrastructure and drawing considerable attention. Protecting information systems requires a technical understanding and robust defense strategies. Staying updated with industry changes is essential to maintaining the integrity and reliability of our digital systems.

For more information on DDoS attacks and mitigation methods, visit SOCRadar’s blog post.

Originally published on SOCRadar’s blog on May 24, 2024:

https://socradar.io/dnsbomb-a-new-dos-threat-targeting-critical-internet-infrastructure/
