We have seen examples of this exploit being used in the wild. The first of our two examples is a malicious DNS query sent from an attacker-controlled host to a victim’s host. The malicious DNS query can be any arbitrary query, but we will explore examples where the query is an attempt to consume all available resources on the target server. If a host has a particularly large profile then it can be an effective denial-of-service vector.

DNS query that tries to consume server resources

To demonstrate this exploit, we have created an example script which will send a DNS query to a victim host. If the victim host has any matching domains then that domain will be added to the response and the DNS query will continue. This means that if the victim host is hosting a large number of domains then it will consume all available resources on the server. The example script below sends a malicious DNS query to www.example.com . This is an arbitrary DNS query chosen for demonstration purposes only, but it is possible for an attacker-controlled host to send any arbitrary malicious DNS query to any other target.

Example 1 - DNS Query for All Available Resources

The first example is an attacker-controlled host sending a DNS query to a victim’s host. The malicious DNS query can be any arbitrary query, but we will explore examples where the query is an attempt to consume all available resources on the target server.
In this scenario, the attacker sends out a malicious DNS query and gets a response back. However, in this case the response is not what was expected as it contains unexpected resource records (we will call these URRs for now). These URRs are unwanted and cause problems for the host receiving them. The URRs can consume the resources allocated to that resource record, or they can cause issues by changing other resource records on that server. If a host has a particularly large profile then it can be an effective denial-of-service vector.
Example 2 - Host Sending URL
The second of our two examples does not include a malicious DNS query from an attacker’s host to another victim’s host, but instead includes a payload from one victim’s machine to another victim’s machine that causes more trouble than just hitting one of them with an HTTP request. In this case, the payload is deliberately crafted by the attackers themselves with some vulnerabilities in mind and designed to go across untrusted IP addresses. When received by its intended target, this payload could lead to information disclosure as well as privilege escalation

DNS: Recursive Attempt to Consume all Resources

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.
DNS relies on a distributed database – the DNS namespace – divided into zones. DNS queries are used to look up routing instructions for Internet hosts using the Domain Name System and an IP address. With these routing instructions, it is possible to find the IP addresses of host machines, as well as their hostnames. The Domain Name System also provides a mechanism for querying authoritative name servers and reading configuration settings associated with domain names.

Example 1: DNS query to consume all available resources on the target server

For example, we can send a malicious DNS query to a victim’s host. The purpose of this query is to consume all available resources on the target system by filling up its memory and exhausting network bandwidth. This type of attack is often used with exploits that leverage the User Datagram Protocol (UDP) or Internet Protocol (IP) fragmentation within DNS packets.
If the victim’s host has a particularly large profile, then it will be an effective denial-of-service vector for the immediate exploitation process that follows.
The second example uses an exploit in which an attacker sends a malicious response to a domain name system (DNS) request from their own machine. In this scenario, the attacker sends DNS responses with arbitrary content, but also contains TCP flags set so that when they are completed, they result in exploitation of vulnerable systems on the victim’s local network.

DNS query example

An attacker sends a malicious DNS query to a victim’s host. The malicious DNS query will contain a payload that attempts to consume all available resources on the target server, such as memory or CPU. The payload for this example will be an infinite loop that tries to consume all available resources on the target server.
The second example is similar but has a different payload. Instead of consuming CPU or memory, the payload for this exploit attempts to consume disk space. In this example, the payload is a single file with one byte per line indexed and stored in a file system directory. This single file can then be rapidly written to disk and quickly consume all available disk space.
Both of these examples are carried out by sending queries from the attacker-controlled host directed towards the victim’s host. The difference between these two exploits is how they carry out their attack:
A) A malicious DNS query consumes resources on the victim’s host while an infinite loop fills up available disk space
B) An infinite loop consumes resources on the victim’s host and writes files into a specified directory

Timeline

Published on: 09/21/2022 11:15:00 UTC
Last modified on: 09/23/2022 13:33:00 UTC

References