Researchers Uncover ‘DNSBomb’ – A New PDoS Attack Exploiting Legitimate DNS Features

Scientists have unveiled the details of a powerful and efficient new technique called the “pulsing denial-of-service” (PDoS) attack, which leverages DNS queries and responses to achieve an attack amplification factor of 20,000 times.

The attack, known as DNSBomb (CVE-2024-33655), exploits legitimate DNS features such as query rate limiting, response timeouts, query aggregation, and maximum response size settings. These mechanisms enable the creation of synchronized response streams using a specially designed authoritative server and a vulnerable recursive DNS resolver.

Mechanism of the DNSBomb Attack

Experts explain that DNSBomb utilizes numerous widely implemented DNS mechanisms to accumulate queries sent at a low rate, increase their size in responses, and concentrate all responses into short, high-volume bursts to simultaneously overwhelm target systems.

Attack Strategy

The attack model involves IP spoofing multiple DNS queries to a domain controlled by the attacker and delaying responses to aggregate numerous replies. The objective of DNSBomb is to overwhelm the victim with periodic bursts of amplified traffic that are difficult to detect.

Presentation of Findings and Protective Measures

The research findings were presented at the 45th IEEE Symposium on Security and Privacy held last week in San Francisco, and previously at GEEKCON 2023 in Shanghai in October 2023.

The Internet Systems Consortium (ISC), which develops and maintains the BIND software suite, stated that their software is not vulnerable to DNSBomb. Additionally, existing mitigation measures are sufficiently effective in minimizing the risks.