[dns-operations] the mathematics of kaminsky spoofing probability

bert hubert bert.hubert at netherlabs.nl
Mon Aug 4 12:31:48 UTC 2008

On Mon, Aug 04, 2008 at 12:26:03PM +0100, Simon Waters wrote:

> One can merely ask the question twice over UDP to defeat spoofing, no need to 
> switch to TCP. Since spoofing both answers blind would be exceedingly 

This is non-trivial because auth servers don't always give the same answers
(round robin, load balancing devices, plus many auth servers hiding behind
one IP address, which might not all serve the same data).

But it is indeed one of the better options.

> I think the assumption numbers are off a little. Anonymous port range on my 
> box is much less than the possible range. The time window is probably smaller 

Depends - on smart machines, around 64500 ports are used potentially, even
if not all at the same time. 

> that 100ms on average, since this is one lookup not a full recursive lookup, 
> but might be made larger by a DDoS on the authoritative servers. I'm not sure 

It turns out the latency between auth server and resolver is not much of a
factor in Kaminsky-spoofing - it even falls out of the approximation formula
of the spoofing chance.

> about the number of authoritative servers, but I believe BIND develops a 
> preference for faster servers, so the distribution of queries may not be even 
> between authoritative servers anyway. But it is all back of the envelop 

This has been taken into account in the formula, N is set to 1.


http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

More information about the dns-operations mailing list