CVE-2024-33655 Overview
CVE-2024-33655, known as "DNSBomb," is a protocol-level vulnerability in the DNS specification (RFC 1035 and subsequent updates) that enables remote attackers to cause denial of service through resource exhaustion. The attack exploits legitimate DNS features to accumulate queries over a period of seconds, resulting in a synchronized pulsing burst of responses that can overwhelm target systems. This technique leverages DNS protocol mechanics for traffic amplification, creating a potent Pulsing Denial of Service (PDoS) attack vector.
Critical Impact
Attackers can exploit DNS protocol features to generate amplified traffic bursts, causing service disruption to DNS infrastructure and downstream services without requiring authentication or user interaction.
Affected Products
- NLnet Labs Unbound DNS Resolver
- ISC BIND9 DNS Server
- Technitium DNS Server
- DNS resolver and server implementations following RFC 1035
Discovery Timeline
- May 1, 2024 - Vulnerability reported by Xiang Li from the Network and Information Security Lab of Tsinghua University
- June 6, 2024 - CVE-2024-33655 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-33655
Vulnerability Analysis
The DNSBomb attack exploits fundamental timing behaviors in the DNS protocol to create synchronized response bursts. Unlike traditional DNS amplification attacks that rely solely on response size ratios, DNSBomb leverages the temporal accumulation of queries combined with legitimate protocol features such as query aggregation, retry mechanisms, and timeout behaviors.
When DNS resolvers receive multiple queries for the same domain simultaneously, they typically batch these requests to reduce redundant upstream queries. An attacker can abuse this by strategically timing queries across multiple resolver instances, causing them to accumulate requests during their configured timeout windows. When these timeouts expire nearly simultaneously, the resulting response burst creates a concentrated traffic pulse directed at the target—achieving amplification through temporal coordination rather than simple payload multiplication.
The attack is particularly concerning because it uses only legitimate DNS features and valid protocol behaviors, making it difficult to distinguish from normal DNS operations through simple traffic filtering.
Root Cause
The root cause stems from CWE-400 (Uncontrolled Resource Consumption) inherent in the DNS protocol design specified in RFC 1035. The protocol lacks built-in rate limiting mechanisms for accumulated query responses, allowing attackers to manipulate timing windows for query accumulation. DNS resolvers that implement query deduplication and response caching without proper safeguards against synchronized response timing are susceptible to this attack pattern.
Attack Vector
The attack is network-based and requires no privileges or user interaction. Attackers can remotely trigger the vulnerability by:
- Identifying multiple DNS resolver instances that implement query aggregation
- Sending carefully timed queries for the same domain across these resolvers
- Coordinating the timing to ensure queries accumulate within each resolver's timeout window
- Triggering synchronized response bursts directed toward a target IP address
The patch for Unbound introduces several mitigation mechanisms including discard-timeout, wait-limit, and wait-limit-cookie configurations to control query accumulation behavior:
# msec before recursion replies are dropped. The work item continues.
# discard-timeout: 1900
# Max number of replies waiting for recursion per IP address.
# wait-limit: 1000
# Max replies waiting for recursion for IP address with cookie.
# wait-limit-cookie: 10000
# Apart from the default, the wait limit can be set for a netblock.
# wait-limit-netblock: 192.0.2.0/24 50000
# Apart from the default, the wait limit with cookie can be adjusted.
# wait-limit-cookie-netblock: 192.0.2.0/24 50000
Source: GitHub Unbound Commit c3206f456
Detection Methods for CVE-2024-33655
Indicators of Compromise
- Unusual patterns of DNS query accumulation followed by burst responses
- Synchronized spikes in DNS response traffic across multiple resolver instances
- Elevated volume of identical or similar DNS queries from disparate source addresses within short time windows
- DNS server resource exhaustion symptoms without corresponding increase in unique query volume
Detection Strategies
- Monitor DNS query-to-response timing ratios for anomalous accumulation patterns
- Implement flow analysis to detect synchronized burst traffic originating from DNS infrastructure
- Configure alerting on sudden spikes in outbound DNS response bandwidth
- Deploy DNS traffic analysis tools to correlate query timing across multiple resolver instances
Monitoring Recommendations
- Establish baseline metrics for DNS query accumulation and response burst patterns
- Monitor DNS server memory and CPU utilization for resource exhaustion indicators
- Implement logging for queries exceeding configured wait-limit thresholds after patching
- Track DNS response traffic volume with granularity sufficient to detect pulsing patterns
How to Mitigate CVE-2024-33655
Immediate Actions Required
- Update DNS resolver software to versions containing DNSBomb mitigations
- For Unbound: Apply patches and configure discard-timeout, wait-limit, and wait-limit-cookie parameters
- Review and implement rate limiting on DNS infrastructure
- Monitor DNS traffic for unusual accumulation and burst patterns
Patch Information
Security patches addressing CVE-2024-33655 have been released by multiple vendors. For NLnet Labs Unbound, the fix introduces configurable limits on query accumulation and response timing. Detailed patch information is available in the NLnet Labs CVE-2024-33655 advisory and the NLnet Labs Unbound Security Advisories.
ISC has documented their response in the ISC Blog on DNSBomb and tracked the issue in ISC BIND9 Issue #4398. Distribution-specific updates are available through AWS Security Advisory ALAS-2024-1934 and Fedora package announcements.
Workarounds
- Configure aggressive rate limiting on DNS response traffic at network boundaries
- Implement DNS response rate limiting (RRL) features where available
- Deploy DNS traffic scrubbing services for critical infrastructure
- Segment DNS resolver infrastructure to limit blast radius of potential attacks
# Unbound configuration example for DNSBomb mitigation
server:
# Discard recursion replies after timeout (milliseconds)
discard-timeout: 1900
# Maximum waiting replies per IP address
wait-limit: 1000
# Higher limit for clients with valid DNS cookies
wait-limit-cookie: 10000
# Custom limits for trusted netblocks
wait-limit-netblock: 10.0.0.0/8 50000
wait-limit-cookie-netblock: 10.0.0.0/8 100000
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
