[dns-operations] the mathematics of kaminsky spoofing probability

Shane Kerr shane at ca.afilias.info
Mon Aug 4 07:33:59 UTC 2008


On Fri, 2008-08-01 at 15:52 -0700, Barry Raveendran Greene wrote:
> So, monitor for ICMP port unreachables leaving your organization. That would
> let you know that someone is trying to poison your asset. Monitor ICMP Port
> unreachables coming in to your authority servers. That will tell you that
> someone is trying to poison your DNS identity. 

And then what?

What can the operator of an authoritative server do if it detects
someone trying to spoof it? I am not being cheeky, rather I am genuinely
curious what options are available.

For example, if a news site like cnn.com detects that someone is
attempting to poison cache entries for cnn.com, what can it do? If
someone sends me a link to read there, and someone tries to spoof my 
cache, how can CNN help me, even if it detects the attack?

The only real outcome that I see is to highlight the seriousness of the
problem. (Or possibly to show that it is not very serious.)
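
Added example, not part of the original thread: one way to implement the authoritative-side monitoring described in the quoted text, by reading the datagram quoted inside each incoming ICMP port unreachable and counting those that claim to be DNS answers from your own server. It assumes IPv4 and ICMP messages available as raw bytes; the function names, the threshold, the addresses and the sample packets are all constructed for illustration.

```python
import struct
from collections import Counter

def quoted_udp(icmp: bytes):
    """Return (src_ip, sport, dst_ip, dport) of the UDP datagram quoted in an
    ICMP port-unreachable message, or None if it is some other kind of message."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3 or icmp[1] != 3:
        return None                      # not type 3 (unreachable), code 3 (port)
    ip = icmp[8:]                        # quoted IPv4 header follows the 8-byte ICMP header
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:
        return None                      # not IPv4/UDP, or truncated
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    fmt = lambda b: ".".join(map(str, b))
    return fmt(ip[12:16]), sport, fmt(ip[16:20]), dport

def rejected_answers(icmp_msgs, my_addrs, threshold=3):
    """Count quoted datagrams that claim to be DNS answers from us (src in
    my_addrs, sport 53) per resolver, and return resolvers at or above threshold."""
    hits = Counter()
    for msg in icmp_msgs:
        q = quoted_udp(msg)
        if q and q[0] in my_addrs and q[1] == 53:
            hits[q[2]] += 1
    return {r: n for r, n in hits.items() if n >= threshold}

def _sample(src, sport, dst, dport, code=3):
    """Build a constructed ICMP message quoting one UDP datagram (checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + udp

# Constructed traffic: documentation addresses, not captured data.
AUTH = {"192.0.2.53"}
SAMPLES = (
    [_sample("192.0.2.53", 53, "198.51.100.7", 20000 + i) for i in range(5)]  # burst
    + [_sample("192.0.2.53", 53, "203.0.113.9", 40000)]       # single stray reject
    + [_sample("192.0.2.53", 123, "198.51.100.7", 123)]       # not DNS
    + [_sample("192.0.2.53", 53, "198.51.100.7", 1, code=1)]  # host unreachable
)

if __name__ == "__main__":
    print(rejected_answers(SAMPLES, AUTH))
```

The result names the resolvers that are rejecting answers sent in the server's name, which is the list of parties an operator could notify.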

