CVE-2022-3204 An NRDelegation Attack works by having a malicious delegation with a large number of non-responsive nameservers.
or until a configurable timeout is reached. The NRDelegation Attack can lead to denial of service in a variety of ways. Denial of service can be caused by high CPU usage due to the resolver constantly querying an unresponsive nameserver; depending on the implementation, that CPU usage can have various causes, such as a high cache-miss rate or excessive lookups. Denial of service can also be caused by high memory usage. The length of the attack depends on how long the unresponsive nameserver provides no answer. Unbound is vulnerable to the NRDelegation Attack if open recursion limits are set to a value higher than the configured timeout. Unbound is not vulnerable if hard limits are set.
How does the NRDelegation Attack work?
The NRDelegation Attack is a DoS attack whereby an attacker sends recursive queries to an unresponsive nameserver. The NRDelegation Attack can be used on its own to cause a DoS by making the nameserver unavailable, or it can be combined with other attacks, such as a SYN attack, to make the server unusable.
NRD Hard Limit
The NRD hard limit is the maximum number of recursive delegation queries that Unbound will accept before returning an error. The default value of this limit is 25.
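To make the difference between open recursion limits and a hard limit concrete, here is an added simulation (not Unbound's code, and not tied to any Unbound configuration option, which the page does not name). It models a resolver walking a delegation whose nameservers never answer: with no cap, the work grows with the number of nameservers the delegation lists; with a hard limit of 25 (the default stated above), the resolver gives up after a bounded number of queries. The nameserver labels, the per-query timeout and the delegation sizes are constructed for illustration.

```python
"""Toy model of delegation walking under open vs. hard recursion limits.
Added example, not Unbound's implementation. HARD_LIMIT mirrors the default
of 25 from the text; QUERY_TIMEOUT_MS and all names are constructed."""
from dataclasses import dataclass
from typing import List, Optional

HARD_LIMIT = 25           # delegation queries allowed before returning an error
QUERY_TIMEOUT_MS = 376    # constructed per-query timeout used by the simulation


@dataclass
class Nameserver:
    name: str
    responsive: bool      # True: answers at once; False: never answers


@dataclass
class ResolveResult:
    status: str           # "NOERROR" or "SERVFAIL"
    queries_sent: int     # upstream queries the resolver issued
    simulated_ms: int     # total time spent waiting on timeouts
    answered_by: Optional[str] = None


def resolve(delegation: List[Nameserver],
            hard_limit: Optional[int] = None,
            timeout_ms: int = QUERY_TIMEOUT_MS) -> ResolveResult:
    """Try each nameserver of the delegation in turn.

    hard_limit=None models open recursion limits: every listed nameserver is
    tried, so an attacker-sized delegation means attacker-sized work.
    A numeric hard_limit caps the number of upstream queries and returns
    SERVFAIL once it is exhausted."""
    queries = 0
    elapsed = 0
    for ns in delegation:
        if hard_limit is not None and queries >= hard_limit:
            return ResolveResult("SERVFAIL", queries, elapsed)
        queries += 1
        if ns.responsive:
            return ResolveResult("NOERROR", queries, elapsed, answered_by=ns.name)
        elapsed += timeout_ms          # waited the full timeout for nothing
    return ResolveResult("SERVFAIL", queries, elapsed)


def constructed_delegation(n_dead: int, with_live_tail: bool = False) -> List[Nameserver]:
    """Build a constructed delegation of n_dead non-responsive nameservers,
    optionally followed by one that answers (labels are made up)."""
    servers = [Nameserver(f"ns{i}.dead.example", responsive=False) for i in range(n_dead)]
    if with_live_tail:
        servers.append(Nameserver("ns-live.example", responsive=True))
    return servers


if __name__ == "__main__":
    dele = constructed_delegation(1500)
    open_limits = resolve(dele)
    capped = resolve(dele, hard_limit=HARD_LIMIT)
    for label, r in (("open recursion limits", open_limits), ("hard limit", capped)):
        print(f"{label:22s} {r.status:8s} queries={r.queries_sent:5d} "
              f"waited={r.simulated_ms} ms")
```

The simulation charges one full timeout per dead nameserver, which is the cost the text attributes to "constantly querying an unresponsive nameserver"; the capped run shows that the total is then bounded by the limit rather than by the size of the malicious delegation.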
NRD Pre-Auth DoS
Name-based resolution (NRD) is a mechanism for finding a server authoritative for a particular domain. It is implemented by delegating the responsibility for domains not in the root zone to an Unbound nameserver with an NRD record that contains the fully qualified domain name (FQDN) of the desired nameserver. If a server is authoritative for an address, it will respond to all queries sent to it and forward them to whatever other servers are needed. This attack occurs when you configure your system so that Unbound will try to obtain an answer from some servers before asking its configured servers.
Timeline
Published on: 09/26/2022 14:15:00 UTC
Last modified on: 09/28/2022 19:32:00 UTC