[dns-operations] the mathematics of kaminsky spoofing probability
simonw at zynet.net
Mon Aug 4 11:26:03 UTC 2008
On Monday 04 August 2008 11:55:48 Shane Kerr wrote:
> On Mon, 2008-08-04 at 12:13 +0200, bert hubert wrote:
> > In general I think the current spoofing problems may well be ameneable to
> > dynamic spoofing detection and sidestepping behaviour, but mostly on the
> > resolver side of things.
> Yes, this makes sense to me. A fallback to TCP if a certain number of
> bogus packets are detected makes sense to me. It's not a pretty solution
> in terms of load on servers, but if enough resolvers do this then
> spoofing attacks will cease to be interesting. And certainly for any
> particular resolver operator this makes sense.
One can merely ask the question twice over UDP to defeat spoofing, no need to
switch to TCP. Since spoofing both answers blind would be exceedingly
unlikely, if you suspect spoofing ask the question twice is a plausible

The attack will remain interesting whilst vulnerable recursive resolvers
exist, since it is a weakness in specific servers. Even if 99% of servers are
patched, the vulnerability testing tools will still say "server X is
vulnerable to Y", and the bad guys will appear at your door.

Source port randomisation was a good choice for an intermediate solution
because it is simple to implement, and was already widely used (so could be
assumed to work acceptably, unlike TCP where few if any TCP-only resolvers
remain - I vaguely recall Cricket telling me one had existed once), and
doesn't have any noticeable load impact on authoritative servers or unexpected
DoS weaknesses etc.

I think the assumption numbers are off a little. Anonymous port range on my
box is much less than the possible range. The time window is probably smaller
than 100ms on average, since this is one lookup not a full recursive lookup,
but might be made larger by a DDoS on the authoritative servers. I'm not sure
about the number of authoritative servers, but I believe BIND develops a
preference for faster servers, so the distribution of queries may not be even
between authoritative servers anyway. But it is all back-of-the-envelope
calculation, so probably close enough for practical purposes. That the
attacker might be able to influence some of these numbers does concern me.
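The "assumption numbers" the thread argues about (transaction ID space, usable source port range, number of authoritative servers, guesses that fit in the window before the genuine answer arrives) can be put into a small model to see how much each factor buys a resolver operator. The script below is an added example, not code from the original post or from any resolver; every number in it is a constructed placeholder, and it assumes the unknown values are uniform and independent (the post notes that a preference for faster servers makes the server factor smaller in practice, so treat n_auth_servers as an effective count). It also models the post's "ask the question twice over UDP" idea as a second independent race the forger must also win.

```python
"""Back-of-the-envelope odds of a blind DNS answer forgery (added example).

A blind forger has to match every value the resolver chose for its
outstanding query: the 16-bit transaction ID, the UDP source port, and
which authoritative server was asked.  Exact fractions are used so the
comparison between scenarios is not blurred by float rounding.
"""
from fractions import Fraction

TXID_SPACE = 65536  # 16-bit DNS transaction ID, always unknown to a blind forger


def guess_space(port_range: int, n_auth_servers: int) -> int:
    """Number of equally likely (txid, port, server) combinations.

    Assumes each value is uniform and independent of the others.
    port_range=1 models a resolver that uses a fixed source port.
    """
    return TXID_SPACE * port_range * n_auth_servers


def p_single_query(port_range: int, n_auth_servers: int,
                   guesses_in_window: int) -> Fraction:
    """Probability that at least one of `guesses_in_window` distinct
    forged answers matches the single outstanding query.

    Distinct guesses are sampled without replacement, so the chance is
    simply guesses/space, capped at 1 once the space is exhausted.
    """
    space = guess_space(port_range, n_auth_servers)
    return min(Fraction(guesses_in_window, space), Fraction(1))


def p_double_query(port_range: int, n_auth_servers: int,
                   guesses_in_window: int) -> Fraction:
    """Resolver sends the same question twice and only trusts an answer
    both replies agree on.  The forger must win both races; treating
    them as independent (an approximation) multiplies the probabilities.
    """
    p = p_single_query(port_range, n_auth_servers, guesses_in_window)
    return p * p


def expected_windows(p: Fraction):
    """Expected number of time windows until the first success
    (geometric distribution); None if success is impossible."""
    return Fraction(1) / p if p > 0 else None


def scenario_table(guesses_in_window: int = 100) -> dict:
    """Compare constructed scenarios: (port_range, effective servers)
    -> (single-query odds, double-query odds) per window."""
    scenarios = {
        "fixed port, 1 server":        (1, 1),
        "fixed port, 4 servers":       (1, 4),
        "16384 ephemeral ports, 4 srv": (16384, 4),   # a narrow OS range
        "ports 1024-65535 (64512), 4 srv": (64512, 4),  # full randomisation
    }
    return {
        name: (p_single_query(pr, ns, guesses_in_window),
               p_double_query(pr, ns, guesses_in_window))
        for name, (pr, ns) in scenarios.items()
    }


if __name__ == "__main__":
    # Constructed budget: 100 forged answers fit in one window.
    for name, (single, double) in scenario_table(100).items():
        print(f"{name:34s} single={float(single):.3e} "
              f"(~{float(expected_windows(single)):.0f} windows)  "
              f"double={float(double):.3e}")
```

Running it shows why the post treats port randomisation as the cheap win: moving from one fixed port to a few thousand ports shrinks the per-window odds by the same factor, whereas the double-query trick squares an already small probability, so it pays off most on resolvers that are already randomising.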