In October 2016, a cyberattack temporarily took sites such as Amazon, Reddit and Spotify offline for millions of people along America’s East Coast.
According to a new study by researchers at Tel Aviv University and the Interdisciplinary Center (IDC) of Herzliya, a weakness in the web’s Domain Name System (DNS) could have brought about a much larger attack.
In their study, which will be presented at the USENIX Security Conference in August, the researchers provide new details of a technique that could have allowed a relatively small number of computers to carry out Distributed Denial of Service (DDoS) attacks on a gigantic scale, overwhelming targets with false requests for information until they were thrown offline.
“The DNS is the essential Internet directory,” Anat Bremler-Barr, vice dean of IDC’s Efi Arazi School of Computer Science, said in a statement. “In fact, without the DNS, the Internet cannot function. As part of a study of various aspects of the DNS, we discovered to our surprise a very serious breach that could attack the DNS and disable large portions of the network.”
In February, the researchers told a broad group of companies, including Google, Microsoft and Amazon, of their findings. Those companies have since updated their software to address the problem, the researchers said.
The new technique, which the researchers have called an “NXNSAttack” (Nonexistent Name Server Attack), takes advantage of vulnerabilities in common DNS software. DNS translates the domain names people click or type into the address bar of their browser into IP addresses; however, an NXNSAttack can cause a DNS server to perform hundreds of thousands of requests in response to a single request from a hacker.
“The attack in 2016 used over 1M [1 million] IoT [Internet of Things] devices, whereas here we see the same impact with only a few hundred,” Yehuda Afek, of Tel Aviv University’s Blavatnik School of Computer Science, said in a statement. “We are talking about a major amplification, a major cyberattack that could disable critical parts of the Internet.”
Afek said an attack like the one that has now been prevented could have been more than “800 times more powerful” than the 2016 incident.