TsuKing is a new DNS amplification attack. Instead of exploiting individual DNS resolvers independently to achieve an amplification effect, TsuKing deftly coordinates numerous vulnerable DNS resolvers and crafted queries together to form potent DoS amplifiers.

We demonstrate that with TsuKing, an initial small amplification factor can increase exponentially through the internal layers of coordinated amplifiers, resulting in an extremely powerful amplification attack. TsuKing has three variants, including DNSRetry, DNSChain, and DNSLoop, all of which exploit a suite of inconsistent DNS implementations to achieve an enormous amplification effect.

We conducted comprehensive measurements and evaluations to demonstrate the feasibility of TsuKing. In particular, we found that about 11.7% of 1.3M open DNS resolvers are potentially vulnerable to be exploited by TsuKing. Real-world controlled evaluations indicated that adversaries can achieve a packet amplification factor of at least 3,700× (DNSChain attack), fairly larger than previous attacks. Our local small-scale experiments also brought 1,238Mb/s of attack traffic on the target.

We have reported the above vulnerabilities to all relevant vendors and also provided them with our recommendations for mitigation. We have received positive responses from 6 vendors, including Unbound, MikroTik, and AliDNS, and 3 new CVEs have been assigned for TsuKing. Some of the vendors are actively implementing our recommendations.