SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
InternetNZ discloses vulnerability that can be used to carry out cyberattacks
Fri, 7th May 2021

A new vulnerability against authoritative DNS servers has been disclosed by InternetNZ.

This includes servers run by top-level domain (TLD) operators, including .nz. InternetNZ says the vulnerability could be exploited to carry out Denial-of-Service (DoS) attacks across the world.

InternetNZ is a non-profit organisation and is the home and guardian for the .nz domain. Its mission is to "create an internet for all New Zealanders that is safe, accessible and a place for good".

It is involved in a lot of internet-related work throughout New Zealand, funded by the sales of .nz domain names, including policy work on internet issues faced in New Zealand, providing community grants to support internet-related projects, conducting research to highlight the state of the internet, and hosting events, such as NetHui, to bring together the internet community.

The vulnerability, called TsuNAME, was noticed in February 2020 in the .nz registry. InternetNZ worked with the global community to have it fixed.

According to InternetNZ, TsuNAME requires three things to be exploited: cyclic dependent NS records, vulnerable resolvers, and user queries only to start/drive the process.

In February 2020, two .nz domains were unintentionally misconfigured with cyclic dependencies, which resulted in a 50% surge in DNS traffic for all .nz infrastructure.

Later, this phenomenon was studied and replicated by an international group of researchers from InternetNZ, SIDN Labs (InternetNZ's counterpart from the Netherlands, the organisation running .nl), and the University of Southern California Information Science Institute (USC/ISI).

Further tests showed that conditions for an attack event are easy to execute, and the consequences are serious.

"Google Public DNS was the main affected party by this vulnerability," says InternetNZ's chief scientist Sebastian Castro.

"They received a private responsible disclosure from our group in October 2020 and have repaired their code since then," he says.

"We also reached out to Cisco, whose Public DNS was affected as well, and it is now fixed," Castro adds.

During February 2021, the group reached out privately to the DNS and registry community, including other country code top-level domains (ccTLDs), to make them aware of the vulnerability and to be prepared.

The TsuNAME group developed a security advisory paper and an open source detection tool called Cycle Hunter, and TLDs all around the world have been using it to detect and remove cyclic dependencies.
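
To illustrate what a cyclic NS dependency looks like in delegation data, the following added example (not from the article and not Cycle Hunter's code) walks a constructed set of delegations and reports zones whose name servers depend on each other in a loop. The zone names, the `DELEGATIONS` table and the function names are assumptions made for the illustration.

```python
"""Find cyclic NS dependencies in a set of delegations (added example)."""

# Constructed sample delegations (zone -> NS host names); not real registry data.
# Zone keys are assumed to be lower-case with no trailing dot.
DELEGATIONS = {
    "cat.example.nz": ["ns1.dog.example.nl"],
    "dog.example.nl": ["ns1.cat.example.nz."],
    "bird.example.nz": ["ns1.bird.example.nz", "ns2.hosting.example.net"],
    "hosting.example.net": ["ns1.hosting.example.net"],
    "a.example.nz": ["ns.b.example.nz"],
    "b.example.nz": ["NS.c.example.nz"],
    "c.example.nz": ["ns.a.example.nz"],
}

def owning_zone(host, zones):
    """Return the most specific known zone containing host, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def dependency_graph(delegations):
    """Map each zone to the other zones its NS host names live in."""
    graph = {}
    for zone, ns_hosts in delegations.items():
        deps = {owning_zone(h, delegations) for h in ns_hosts}
        # In-zone name servers are assumed to be reachable through glue.
        graph[zone] = deps - {zone, None}
    return graph

def find_cycles(delegations):
    """Return dependency loops found by depth-first search, as sorted tuples."""
    graph = dependency_graph(delegations)
    cycles, done = set(), set()

    def visit(zone, path):
        if zone in path:  # back edge: the tail of the path is a loop
            loop = path[path.index(zone):]
            pivot = loop.index(min(loop))  # rotate so duplicates collapse
            cycles.add(tuple(loop[pivot:] + loop[:pivot]))
        elif zone not in done:
            for nxt in sorted(graph[zone]):
                visit(nxt, path + [zone])
            done.add(zone)

    for zone in sorted(graph):
        visit(zone, [])
    return sorted(cycles)
```

A registry operator would feed this kind of check from its own zone data; any loop it reports is a delegation to correct or remove before vulnerable resolvers start looping on it.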

"This underground work of months shows our organisations' commitment to a better internet, where issues that can affect others are identified and fixed," Castro says.

"Our work is not finished yet."