Unbound : Security vulnerability ???

[kernol]

Yet to be confirmed - analysis is ongoing - but at first blush it seems that my unbound DNS took a hit late yesterday evening and well into the night. No functional internet connectivity this morning - even though the router was connected to the net. Unbound was in a tailspin - sucking up virtually 100% of CPU in both cores - with really short breaks [seconds] to catch a breath before spinning up a storm!

Suspect this - https://www.securityweek.com/nxnsattack-new-dns-vulnerability-allows-big-ddos-attacks but have yet to confirm.

Have pulled the affected DSL-AC68U Router and replaced it with a spare [but not installed Unbound on it].
The poisoned DSL-AC68U will be properly analysed by IT folk far more experienced than I am.
Will report back in due course.

In the meantime - anyone know how better to protect Unbound? Had been running Trend Protection plus Skynet Firewall - but Unbound still hammered! There was no WAN access for http/s or SSH or anything else from outside.

 

[coxhaus]

What about changing back to forwarding and forward your DNS to QUAD9, 9.9.9.9 and let QUAD9 keep up with all the latest DNS changes? This is what I do. It is less work for me. Besides I am retired.

 

[dave14305]

What version of Unbound are you running? This was fixed in Unbound 1.10.1 released in Entware last week. But it would suggest a client on your LAN is hammering Unbound, unless you had unbound open to the WAN interface.

 

[QuikSilver]

Yet to be confirmed - analysis is ongoing - but at first blush it seems that my unbound DNS took a hit late yesterday evening and well into the night. No functional internet connectivity this morning - even though the router was connected to the net. Unbound was in a tailspin - sucking up virtually 100% of CPU in both cores - with really short breaks [seconds] to catch a breath before spinning up a storm!

Suspect this - https://www.securityweek.com/nxnsattack-new-dns-vulnerability-allows-big-ddos-attacks but have yet to confirm.

Have pulled the affected DSL-AC68U Router and replaced it with a spare [but not installed Unbound on it].
The poisoned DSL-AC68U will be properly analysed by IT folk far more experienced than I am.
Will report back in due course.

In the meantime - anyone know how better to protect Unbound? Had been running Trend Protection plus Skynet Firewall - but Unbound still hammered! There was no WAN access for http/s or SSH or anything else from outside.

To go with what @dave14305 said...Either you need to update your unbound and/or figure out which local client is going crazy.

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-10-1

Bug Fixes

• CVE-2020-12662 Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target.
• CVE-2020-12663 Malformed answers from upstream name servers can be used to make Unbound unresponsive.

 

[kernol]

What version of Unbound are you running? This was fixed in Unbound 1.10.1 released in Entware last week. But it would suggest a client on your LAN is hammering Unbound, unless you had unbound open to the WAN interface.

Hi Dave ... great example of how important it is to constantly update everything. In my case - this particular site had not been updated to Unbound 1.10.1 ... which was in any event released to us only within the last few days [late last week as I recall]. nevertheless ... quicker action on my part could have avoided - so my bad!

Trouble is - others need to pull finger and update ...

 

[kernol]

To go with what @dave14305 said...Either you need to update your unbound and/or figure out which local client is going crazy.

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-10-1

Bug Fixes

• CVE-2020-12662 Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target.
• CVE-2020-12663 Malformed answers from upstream name servers can be used to make Unbound unresponsive.

All connectivity with replaced DSL-AC68U fully fine - but using Diversion and DNSmasq with same Quad9 external DNS as before. No sign of a compromised client on the inside. Internal clients all sit behind Sophos XG115 firewall appliance - with Asus Router on the public side.

 

[tomsk]

The paper is an interesting , if weighty read .... good insight into how recursive resolvers work besides describing the vulnerability....

 

[netware5]

Hm-m-m I am wondering if the issue described in this thread https://www.snbforums.com/threads/cant-login-to-gui.64631/ and my issues described in this post https://www.snbforums.com/threads/cant-login-to-gui.64631/#post-593164 has been caused by

CVE-2020-12663 Malformed answers from upstream name servers can be used to make Unbound unresponsive.

??? It seems to be that many upstream servers have been affected, so this might affected my Unbound server even it was not open to the WAN. The symptoms observed are leading me to that root cause .... Since I've updated the Unbound on June 18th I never experienced these problems anymore.

 

[RMerlin]

If your Unbound does recursive resolution, then all one needs to DDoS you is to have you visit a web page that tries to resolve a domain which uses a malicious authoritative nameserver. Resolving that domain would allow them to send your Unbound a malicious answer.

 

[netware5]

If your Unbound does recursive resolution, then all one needs to DDoS you is to have you visit a web page that tries to resolve a domain which uses a malicious authoritative nameserver. Resolving that domain would allow them to send your Unbound a malicious answer.

That's exactly I wanted to say. So probably all my problems were caused by widespread attack affected many upstream servers.

 

[kernol]

If your Unbound does recursive resolution, then all one needs to DDoS you is to have you visit a web page that tries to resolve a domain which uses a malicious authoritative nameserver. Resolving that domain would allow them to send your Unbound a malicious answer.

Pretty sure that is precisely what happened to us - but we struggling to find when and how the outbound request to resolve the domain you refer to was made. Skynet had a great time blocking loads of spurious traffic - will take some time to analyse ... but we in no hurry as the affected router and all logs are "quarantined" for analysis .

 

[coxhaus]

You may want to re-do the PC acting up if malware was loaded on it. Once malware is loaded it is hard to undo.

 

[kernol]

You may want to re-do the PC acting up if malware was loaded on it. Once malware is loaded it is hard to undo.

Fully agree - but so far have not found any internal PC / Server to be infected. The only "client" that our Router can "see" is a Sophos XG115 Firewall hardware appliance with latest security patterns etc. We have limited Port Forwards that primarily get directed to Reverse Proxy [running under pfSense] for any internal web services we use from outside. No direct access to any web services SSH Telnet FTP or other from outside in.

Anyway investigations continue - but it seems the main purpose behind these attacks are to flood the net and bring down connectivity - which it certainly succeeded in doing.

 

[coxhaus]

If you got a malware DNS page that pointed to a fake web page then your Sophos may not pick it up and the PC could get infected.

Using QUAD9 will help a bad PC as hopefully it breaks the bad domain connection by not resolving it.

 

[Milan]

will suricata catch this attack ?

 

[kernol]

If you got a malware DNS page that pointed to a fake web page then your Sophos may not pick it up and the PC could get infected.

Using QUAD9 will help a bad PC as hopefully it breaks the bad domain connection by not resolving it.

Thanks for that ... I had forgotten that my standard "habit" of using Quad9 as the routers DNS and via DNSFilter to Router for all clients [with DoT enabled] ... went straight out the window with Unbound installed ....

Unbound sure makes for fast response times - but the potential security hit needs to be kept in mind I guess.

 

[tomsk]

Thanks for that ... I had forgotten that my standard "habit" of using Quad9 as the routers DNS and via DNSFilter to Router for all clients [with DoT enabled] ... went straight out the window with Unbound installed ....

Unbound sure makes for fast response times - but the potential security hit needs to be kept in mind I guess.

I guess the trade off is your privacy as the purpose of using unbound in the first place is to do your own lookups with the root servers to prevent companies like Quad9 profiling your habits.
One would hope that infected clients connecting to malicious name servers would be prevented by the many layers of protection already on the router such as aiprotection, and downloaded blocklists.

 

[kernol]

I guess the trade off is your privacy as the purpose of using unbound in the first place is to do your own lookups with the root servers to prevent companies like Quad9 profiling your habits.
One would hope that infected clients connecting to malicious name servers would be prevented by the many layers of protection already on the router such as aiprotection, and downloaded blocklists.

Indeed - pretty much what AiProtect and Skynet did ... which seem to have prevented any further compromises to clients.
We simply lost usable connectivity during the attack - the router remained connected - but outbound traffic got nowhere and router's resources were exhausted by the onslaught.

 

[coxhaus]

I guess the trade off is your privacy as the purpose of using unbound in the first place is to do your own lookups with the root servers to prevent companies like Quad9 profiling your habits.
One would hope that infected clients connecting to malicious name servers would be prevented by the many layers of protection already on the router such as aiprotection, and downloaded blocklists.

Nothing can protect you from a bad DNS.