[dns-operations] the mathematics of kaminsky spoofing probability

Otmar Lendl ol at bofh.priv.at
Mon Aug 4 13:28:49 UTC 2008

On 2008/08/04 12:08, bert hubert <bert.hubert at netherlabs.nl> wrote:
> In general I think the current spoofing problems may well be ameneable to
> dynamic spoofing detection and sidestepping behaviour, but mostly on the
> resolver side of things.

That's my thinking, too.

Pre-Kaminski, I wrote
which, of course, doesn't help for the new style attacks.

Over the last days, I have been thinking about what can be done
nevertheless, and my current idea is the following:

Whenever we get a forged answer (qID, port, ...) we process the packet
as usual, but instead of sending the reply and changing the cache,
we just put a flag on all cached entries which would have been changed
by this reply. 

Whenever a matching answer is received, it cannot change any cache
entries where this flat is set.

This isn't 100% effective (e.g. the target of the attack must be already
in the cache to be protected), it should help quite a bit.

-=-  Otmar Lendl  --  ol at bofh.priv.at  -=-

More information about the dns-operations mailing list