TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers

We present a new DNS amplification attack, named TsuKing. Instead of exploiting individual DNS resolvers independently to achieve an amplification effect, TsuKing deftly coordinates numerous vulnerable DNS resolvers and crafted queries together to form potent DoS amplifiers. We demonstrate that with TsuKing, an initially small amplification factor can increase exponentially through the internal layers of coordinated amplifiers, resulting in an extremely powerful amplification attack. TsuKing has three variants, DNSRetry, DNSChain, and DNSLoop, all of which exploit a suite of inconsistent DNS implementations to achieve an enormous amplification effect. With comprehensive measurements, we found that about 14.5% of 1.3M open DNS resolvers are potentially vulnerable to TsuKing. Real-world controlled evaluations indicated that attackers can achieve a packet amplification factor of at least 3,700× (DNSChain). We have reported the vulnerabilities to affected vendors and provided them with mitigation recommendations. We have received positive responses from 6 vendors, including Unbound, MikroTik, and AliDNS, and 3 CVEs were assigned. Some of them are implementing our recommendations.