[dns-operations] the mathematics of kaminsky spoofing probability
Otmar Lendl
ol at bofh.priv.at
Mon Aug 4 13:28:49 UTC 2008
On 2008/08/04 12:08, bert hubert <bert.hubert at netherlabs.nl> wrote:
>
> In general I think the current spoofing problems may well be ameneable to
> dynamic spoofing detection and sidestepping behaviour, but mostly on the
> resolver side of things.
That's my thinking, too.
Pre-Kaminsky, I wrote
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2008/msg00640.html
which, of course, doesn't help for the new style attacks.
Over the last days, I have been thinking about what can be done
nevertheless, and my current idea is the following:
Whenever we get a forged answer (qID, port, ...) we process the packet
as usual, but instead of sending the reply and changing the cache,
we just put a flag on all cached entries which would have been changed
by this reply.
Whenever a matching answer is received, it cannot change any cache
entries where this flag is set.
This isn't 100% effective (e.g. the target of the attack must already be
in the cache to be protected), but it should help quite a bit.
/ol
--
-=- Otmar Lendl -- ol at bofh.priv.at -=-
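The scheme sketched in the message, worked through as a small simulation. This is an added example written for this page, not code from the message's author or from any resolver; it assumes a toy resolver whose pending-query table is keyed by query name and that treats a reply as forged when either the query ID or the destination port differs from what was sent (a real resolver would also compare the question section and the source address). The names, addresses and IDs are constructed for the simulation.

```python
"""Toy model of the resolver-side defence sketched in the message above.

Constructed example: a tiny cache, a pending-query table and an answer path
that refuses to let a matching reply overwrite any entry that an earlier
mismatched (forged) reply tried to change.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CacheEntry:
    rdata: str
    ttl: int
    tainted: bool = False  # set when a forged reply would have rewritten this entry


@dataclass
class Answer:
    qname: str
    qid: int
    dport: int                           # UDP port the reply was addressed to
    records: List[Tuple[str, str, int]]  # (owner name, rdata, ttl): answer plus glue


@dataclass
class Outcome:
    status: str                                   # "unsolicited", "forged" or "accepted"
    updated: List[str] = field(default_factory=list)
    refused: List[str] = field(default_factory=list)
    tainted: List[str] = field(default_factory=list)


class Resolver:
    def __init__(self) -> None:
        self.cache: Dict[str, CacheEntry] = {}
        self.pending: Dict[str, Tuple[int, int]] = {}   # qname -> (qid, source port)

    def send_query(self, qname: str, qid: int, sport: int) -> None:
        self.pending[qname] = (qid, sport)

    def receive(self, a: Answer) -> Outcome:
        """Process one reply and report which names were updated, refused or tainted."""
        if a.qname not in self.pending:
            return Outcome("unsolicited")            # nothing outstanding: drop it
        qid, sport = self.pending[a.qname]
        if (a.qid, a.dport) != (qid, sport):
            # Forged: do not reply, do not cache, but flag every cached entry
            # this packet would have changed.
            out = Outcome("forged")
            for name, _, _ in a.records:
                if name in self.cache:
                    self.cache[name].tainted = True
                    out.tainted.append(name)
            return out
        # Matching reply: accept it, except for entries already flagged.
        out = Outcome("accepted")
        del self.pending[a.qname]
        for name, rdata, ttl in a.records:
            ent = self.cache.get(name)
            if ent is not None and ent.tainted:
                out.refused.append(name)
                continue
            self.cache[name] = CacheEntry(rdata, ttl)
            out.updated.append(name)
        return out


def kaminsky_attempt(target_cached: bool, guesses: int = 4) -> Tuple[List[Outcome], Optional[str]]:
    """Attacker triggers a lookup for a random name under example.com and floods
    spoofed replies whose glue points ns.example.com at the attacker.
    Returns the per-packet outcomes and the final rdata cached for ns.example.com."""
    r = Resolver()
    if target_cached:
        r.cache["ns.example.com"] = CacheEntry("192.0.2.53", 3600)   # genuine glue
    r.send_query("r4nd0m.example.com", qid=0x1234, sport=40000)
    poison = [("r4nd0m.example.com", "198.51.100.9", 60),
              ("ns.example.com", "198.51.100.9", 86400)]              # attacker's address
    outcomes = [r.receive(Answer("r4nd0m.example.com", g, 40000, poison))
                for g in range(guesses - 1)]                          # wrong ID guesses
    outcomes.append(r.receive(Answer("r4nd0m.example.com", 0x1234, 40000, poison)))  # a hit
    ent = r.cache.get("ns.example.com")
    return outcomes, (ent.rdata if ent else None)


def honest_answer_after_taint() -> Tuple[str, List[str]]:
    """Cost of the scheme: after one forgery, even the genuine reply cannot
    refresh the flagged entry; it keeps its old value until the TTL runs out."""
    r = Resolver()
    r.cache["ns.example.com"] = CacheEntry("192.0.2.53", 3600)
    r.send_query("www.example.com", qid=7, sport=5000)
    r.receive(Answer("www.example.com", 8, 5000, [("ns.example.com", "198.51.100.9", 86400)]))
    genuine = Answer("www.example.com", 7, 5000,
                     [("www.example.com", "192.0.2.80", 300), ("ns.example.com", "192.0.2.53", 3600)])
    out = r.receive(genuine)
    return r.cache["ns.example.com"].rdata, out.refused


if __name__ == "__main__":
    print(kaminsky_attempt(True)[1], kaminsky_attempt(False)[1], honest_answer_after_taint())
```

With the target glue already cached, the first wrong guess flags ns.example.com and the later matching packet is refused for that name, so the poisoned glue never lands; with the cache empty, the matching packet inserts it, which is the limitation stated in the message. The model never clears the flag; a real implementation would drop it when the entry expires, and would accept that a flagged entry cannot be refreshed by the genuine reply either.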