Overview
Learn about a cybersecurity research presentation from WOOT '24 that examines how NSEC3, a proof-of-non-existence mechanism in DNSSEC, can be exploited to exhaust DNS resolver CPU resources. Explore research that demonstrates a 72x increase in CPU instruction count through the NSEC3-encloser attack, even when resolvers follow the RFC 5155 recommendations. Discover detailed findings showing how malicious NSEC3 records sent at a rate of 150 per second can cause packet loss rates between 2.7% and 30% for benign DNS requests across different resolver implementations. Gain insights into the first comprehensive analysis of how NSEC3 parameters affect resolver load during such attacks, with access to the attack implementation code, zonefile, and evaluation data through the researchers' public GitHub repository.
Syllabus
WOOT '24 - Attacking with Something That Does Not Exist: 'Proof of Non-Existence' Can Exhaust DNS...
Taught by
USENIX