On 20. 05. 20 22:29, Mukund Sivaraman wrote:
> Hi Geoff
> 
> On Thu, May 21, 2020 at 05:49:43AM +1000, Geoff Huston wrote:
>> This is not a “newly discovered vulnerability”. This was presented at DNS 
>> OARC 21 by Florian Maury in 2015 
>> https://indico.dns-oarc.net/event/21/contributions/301/attachments/272/492/slides.pdf,
>> and also details the fixes applied to resolvers at the time.
>>
>> As Florian also points out the generic vulnerability of unbounded work flows 
>> was identified by Dr Paul Mockapetris in RFC1034 in 1987.
> 
> This one is along similar lines but different. This attack bypassed the
> limits on recursion and indirection that were added by the previous one.

Let me post my reply from the blog comments also here.

There are certainly similarities and authors have acknowledged previous work by 
Florian Maury in the NXNSAttack paper. Allow me to quote the NXNSAttack paper 
https://cyber-security-group.cs.tau.ac.il/dns-ns-paper.pdf here:

Maury [18] presents a different attack that also exploits the delegations of 
name-servers in a referral response. However, the attack (called iDNS attack) PAF 
is at most 10x. In iDNS the attacker’s name-server sends self-delegations (back 
and forth to the attacker’s name-server) up to an infinite depth. A major 
difference from our work is that the glueless name-servers in the iDNS attack are 
never used against an external server such as a victim name-server. Some measures 
have been taken by different DNS vendors such as BIND and UNBOUND following the 
disclosure of iDNS described in [18], however these measures do not affect and do 
not weaken the NXNSAttack.

Unbounded work in any implementation is surely a bad idea and Paul Mockapetris 
was surely right; there are no doubts about this.

Having said that, I do not agree that NXNSAttack can be dismissed as nothing 
new. Researchers found an exploitable flaw in several DNS resolver 
implementations, and several vendors released software with mitigation for 
NXNSAttack, so it is not just a theoretical problem, and surely not the same as 
in 2015 because the mitigations introduced back then (see CVE-2014-8500, 
CVE-2014-8601, CVE-2014-8602) did not save us in 2020.

On a more generic note, attempting to categorize all "unbounded work problems" 
as "the same flaw" is equivalent to declaring all these flaws equivalent to the 
halting problem from computability theory. That is technically correct but 
really not helpful for anyone except computability theory researchers. This 
view is reinforced by the fact that the MITRE CVE classification has special 
categories for variants of this problem (CWE-405, CWE-406, CWE-1050 are the 
first three I found right now). That very strongly suggests the security 
community cares enough to distinguish individual "insufficiently bounded work" 
problems no matter what protocol or software they affect.

To conclude: no matter if you consider this a novel attack or not, please 
upgrade if your software is affected.

Petr Špaček  @  CZ.NIC

P.S. The statement in the article that "[NXNSAttack] affects all recursive DNS 
resolvers" is an overgeneralization; I apologize for it. I'm reaching out to 
Ralf Weber so we can agree on better wording.
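The "bounded work" point the thread argues about, as an added illustration that is not code from any resolver nor from the NXNSAttack paper: a toy Python model of how a resolver handles one referral, showing how capping the number of glueless NS names it will chase limits the extra queries one client query can trigger. The referral data, the two-lookups-per-name cost and the `max_glueless` parameter are all constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Referral:
    """One referral response: the delegated zone, its NS names and any glue."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)   # NS name -> address (constructed)


def glueless_targets(referral, max_glueless=None):
    """NS names the resolver would have to look up itself because the referral
    carried no glue for them, capped at max_glueless (None = unbounded, i.e. the
    behaviour the NXNSAttack paper describes as exploitable)."""
    names = [ns for ns in referral.ns_names if ns not in referral.glue]
    return names if max_glueless is None else names[:max_glueless]


def queries_for_referral(referral, max_glueless=None, per_name=2):
    """Outgoing queries one client query triggers at this referral: one for the
    delegation itself plus per_name lookups (assumed A + AAAA = 2) for every
    glueless NS name the resolver decides to chase."""
    return 1 + per_name * len(glueless_targets(referral, max_glueless))


# Constructed sample in the NXNSAttack shape: a zone delegating to many NS names
# that all live inside an unrelated zone, with no glue supplied.
SAMPLE = Referral(
    zone="attacker.example",
    ns_names=[f"ns{i}.victim.example" for i in range(20)],
)


def demo():
    """Queries sent for the sample referral, unbounded versus capped at 5."""
    return queries_for_referral(SAMPLE), queries_for_referral(SAMPLE, max_glueless=5)


if __name__ == "__main__":
    unbounded, bounded = demo()
    print(f"unbounded: {unbounded} queries, capped at 5 glueless names: {bounded}")
```

With full glue present the resolver sends only the delegation query itself, which is why the cap only bites on glueless delegations.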
