Attacking with Something That Does Not Exist: Low-Rate Flood with 'Proof of Non-Existence' Can Exhaust DNS Resolver CPU
arxiv(2024)
Abstract
NSEC3 is a proof of non-existence in DNSSEC, which provides an authenticated
assertion that a queried resource does not exist in the target domain. NSEC3
consists of alphabetically sorted hashed names before and after the queried
hostname. To make dictionary attacks harder, the hash function can be applied
in multiple iterations, which however also increases the load on the DNS
resolver during the computation of the SHA-1 hashes in NSEC3 records. Concerns
about the load created by the computation of NSEC3 records on the DNS resolvers
were already considered in the NSEC3 specifications RFC5155 and RFC9276. In
February 2024, the potential of NSEC3 to exhaust DNS resolvers' resources was
assigned CVE-2023-50868, confirming that extra iterations of NSEC3 created
substantial load. However, there is no published evaluation of the attack, and
the impact of the attack on the resolvers was not clarified.
In this work we perform the first evaluation of the NSEC3-encloser attack
against DNS resolver implementations and find that the NSEC3-encloser attack
can still create a 72x increase in CPU instruction count, despite the victim
resolver following RFC5155 recommendations in limiting hash iteration counts.
The impact of the attack varies across the different DNS resolvers, but we show
that with a sufficient volume of DNS packets the attack can increase CPU load
and cause packet loss. We find that at a rate of 150 malicious NSEC3 records
per second, depending on the DNS implementation, the loss rate of benign DNS
requests varies between 2.7
implementation the NSEC3-encloser attack along with evaluation against five
popular DNS resolver implementations. We also develop the first analysis of how
each NSEC3 parameter impacts the load inflicted on the victim resolver during
the NSEC3-encloser attack.
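The load the abstract describes comes from the iterated SHA-1 hashing a validating resolver must perform for every NSEC3 record it checks. The following Python is an added illustration, not code from the paper: it implements the RFC 5155 hash (canonical wire-format owner name, salt appended, `iterations` extra SHA-1 rounds, base32hex output), counts the SHA-1 invocations a resolver spends on a response carrying many NSEC3 records, and shows a resolver-side iteration cap. The RFC 5155 per-key-size limits (150/500/2500) are from section 10.3 of that RFC; the lower local cap of 100 in `accept_iterations` is an assumed configurable policy, not a value taken from the paper.

```python
import base64
import hashlib

# RFC 5155 section 10.3: maximum NSEC3 iteration count a validator must accept,
# keyed by the smallest RSA key size (bits) in the zone's DNSKEY RRset.
RFC5155_MAX_ITERATIONS = {1024: 150, 2048: 500, 4096: 2500}

# base32 -> base32hex alphabet translation (RFC 4648 "Extended Hex" alphabet).
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """NSEC3 hash per RFC 5155 s5: H(name||salt), then `iterations` rounds of
    H(prev||salt); returned as lowercase base32hex (32 chars for SHA-1)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def hash_work(record_count: int, iterations: int) -> int:
    """SHA-1 invocations a resolver spends validating `record_count` NSEC3
    records at the given iteration count (1 + iterations per record)."""
    return record_count * (1 + iterations)


def accept_iterations(iterations: int, key_bits: int, resolver_cap=100) -> bool:
    """Assumed resolver policy: accept an NSEC3 iteration count only if it is
    within the RFC 5155 limit for the key size and within a local cap
    (None disables the local cap). Records failing this would be treated
    as insecure instead of being hashed."""
    limit = RFC5155_MAX_ITERATIONS[key_bits]
    if resolver_cap is not None:
        limit = min(limit, resolver_cap)
    return iterations <= limit


if __name__ == "__main__":
    # Constructed sample: the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations).
    salt = bytes.fromhex("aabbccdd")
    print("hash(example) =", nsec3_hash("example", salt, 12))
    # Compare the resolver's work at the RFC 5155 limit for 1024-bit keys
    # versus the RFC 9276 recommendation of zero iterations.
    for iters in (0, 149):
        print(f"iterations={iters:3d}: {hash_work(150, iters):6d} SHA-1 calls for 150 records")
    print("accept 149 iterations, 1024-bit key, cap 100:", accept_iterations(149, 1024))
```

Run stand-alone it prints the RFC 5155 test vector for `example` and contrasts the hashing cost of 150 records at 0 versus 149 iterations; the same `hash_work` arithmetic is what makes the per-iteration cap the lever a resolver operator controls.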