The core building block of the NXNSAttack is the amplifier, which is composed of three components: two attacker components and one innocent recursive resolver. The two attacker’s components are a client and an authoritative name-server. Essentially the attacker issues many requests for sub-domains of domains authorized by its own authoritative server (step 1 above). Each such request is crafted to have a different sub-domain to make sure it is not in the resolver’s cache, thus forcing the resolver to communicate with the attacker’s authoritative server to resolve the queried subdomains (step 2). The attacker authoritative name-server then returns an NS referral response with n name-server names but without their glue records (step 3), i.e., without their associated IP addresses, forcing the resolver to start a resolution query for each one of the name-server names in the response, whether these name-servers are in-bailiwick or out-of-bailiwick because it does not have their IP addresses in its cache (step 4). The attacker’s authoritative referral response issues n new and different delegated name-servers each time it receives a query for a sub-domain from the recursive resolver.

Illustration of the double amplification attack using self delegations in the first referral response. This attack variant (c) reaches a firepower of 19,980.

Here the attacker uses the self delegations technique to increase the number of concurrent referrals to the ROOT name-servers. In our empirical tests, the victim processes up to 81,428 packets (14,126,945 bytes) for each client request (and corresponding 75 referral packets) that the attacker generates (it is “only” 81,428 because many were lost).