[dns-operations] the mathematics of kaminsky spoofing probability

Simon Waters simonw at zynet.net
Mon Aug 4 11:26:03 UTC 2008


On Monday 04 August 2008 11:55:48 Shane Kerr wrote:
> Bert,
>
> On Mon, 2008-08-04 at 12:13 +0200, bert hubert wrote:
> > In general I think the current spoofing problems may well be amenable to
> > dynamic spoofing detection and sidestepping behaviour, but mostly on the
> > resolver side of things.
>
> Yes, this makes sense to me. A fallback to TCP if a certain number of
> bogus packets are detected makes sense to me. It's not a pretty solution
> in terms of load on servers, but if enough resolvers do this then
> spoofing attacks will cease to be interesting. And certainly for any
> particular resolver operator this makes sense.

One can merely ask the question twice over UDP to defeat spoofing, no need to 
switch to TCP. Since spoofing both answers blind would be exceedingly 
unlikely, if you suspect spoofing ask the question twice is a plausible 
approach.

The attack will remain interesting whilst vulnerable recursive resolvers 
exist, since it is a weakness in specific servers. Even if 99% of servers are 
patched, the vulnerability testing tools will still say "server X is 
vulnerable to Y", and the bad guys will appear at your door.

Source port randomisation was a good choice for an intermediate solution 
because it is simple to implement, and was already widely used (so could be 
assumed to work acceptably, unlike TCP, where few if any TCP-only resolvers 
remain - I vaguely recall Cricket telling me one had existed once), and 
doesn't have any noticeable load impact on authoritative servers or unexpected 
DoS weaknesses etc.

I think the assumption numbers are off a little. Anonymous port range on my 
box is much less than the possible range. The time window is probably smaller 
than 100ms on average, since this is one lookup not a full recursive lookup, 
but might be made larger by a DDoS on the authoritative servers. I'm not sure 
about the number of authoritative servers, but I believe BIND develops a 
preference for faster servers, so the distribution of queries may not be even 
between authoritative servers anyway. But it is all back of the envelope 
calculation, so probably close enough for practical purposes. That the 
attacker might be able to influence some of these numbers does concern me.
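The back-of-the-envelope model discussed in this thread (transaction ID space, source port range, number of authoritative servers, response window, attacker packet rate), as an added worked example that is not part of any message in the thread. It uses exact fractions so the numbers can be checked by hand, and it also models the "ask twice over UDP" idea by squaring the single-window probability. All figures (100,000 forged replies per second, a 100ms window, 64,512 usable ephemeral ports) are illustrative assumptions, not measurements from the posters.

```python
# Blind-spoofing probability model for a Kaminsky-style attack on a
# recursive resolver. Added illustration; the numbers below are assumptions.
from fractions import Fraction

TXID_SPACE = 1 << 16  # 16-bit DNS transaction ID


def candidate_space(port_range: int = 1, auth_servers: int = 1) -> int:
    """Number of (txid, source port, authoritative address) triples a blind
    attacker has to guess among.

    port_range=1 models a resolver that reuses one fixed source port;
    auth_servers is how many addresses the forged reply's source could be.
    Assumption: the resolver picks each triple uniformly (the thread notes
    BIND prefers faster servers, so the real space may be smaller)."""
    return TXID_SPACE * port_range * auth_servers


def forged_replies(pkt_rate: int, window_ms: int) -> Fraction:
    """Forged replies the attacker can deliver before the genuine answer
    arrives. pkt_rate is packets per second, window_ms the race window."""
    return Fraction(pkt_rate * window_ms, 1000)


def p_single(port_range: int, auth_servers: int,
             pkt_rate: int, window_ms: int) -> Fraction:
    """Probability that one query window is poisoned.

    Assumption: every forged packet carries a distinct guess, so the hit
    probability is forged / space, capped at 1 when the attacker can cover
    the whole space inside the window."""
    forged = forged_replies(pkt_rate, window_ms)
    return min(Fraction(1), forged / candidate_space(port_range, auth_servers))


def p_ask_twice(port_range: int, auth_servers: int,
                pkt_rate: int, window_ms: int) -> Fraction:
    """Resolver re-asks over UDP and only accepts two matching answers.

    Assumption: the two queries use independent txid/port choices and the
    attacker must win both windows, so the probability is p squared."""
    p = p_single(port_range, auth_servers, pkt_rate, window_ms)
    return p * p


def expected_windows(p: Fraction) -> Fraction:
    """Expected attempts until the first success (geometric distribution).
    A Kaminsky attacker gets a fresh attempt per window by asking for a new
    random name under the target zone, so there is no TTL wait between tries."""
    if p == 0:
        raise ValueError("attacker cannot succeed with zero probability")
    return Fraction(1) / p


def expected_seconds(p: Fraction, window_ms: int) -> Fraction:
    """Expected wall-clock time to the first poisoned window."""
    return expected_windows(p) * Fraction(window_ms, 1000)


if __name__ == "__main__":
    rate, window = 100_000, 100  # assumed attacker rate and race window
    scenarios = {
        "fixed port, 1 auth server":       (1, 1),
        "fixed port, 4 auth servers":      (1, 4),
        "64512 random ports, 1 server":    (64512, 1),
        "64512 random ports, 4 servers":   (64512, 4),
    }
    for name, (ports, servers) in scenarios.items():
        p1 = p_single(ports, servers, rate, window)
        p2 = p_ask_twice(ports, servers, rate, window)
        print(f"{name:32s} p={float(p1):.3e} "
              f"t={float(expected_seconds(p1, window)):.1f}s "
              f"ask-twice p={float(p2):.3e} "
              f"t={float(expected_seconds(p2, window)):.1f}s")
    # Attacker inflating the window (e.g. DDoS on the authoritatives) scales
    # p linearly until the cap is reached:
    print("window 1000ms, fixed port:", p_single(1, 1, rate, 1000))
```

Plugging in the thread's own caveats is a matter of changing the arguments: a smaller ephemeral port range or a resolver that always picks the same fast authoritative server shrinks `candidate_space`, and a longer race window raises `forged_replies`, each moving the probability by the same factor.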


