[dns-operations] Bailiwick stats? Idea for mitigation...
briand at ca.afilias.info
Sun Aug 10 18:40:49 UTC 2008
Paul Vixie wrote:
>> So, what we were thinking of is doing the following: When a cached entry
>> is about to be overwritten with something different, do an additional
>> request. The material in that additional request has to be equal to that
>> 'something different' before the cached entry is overwritten.
> far end load balancers (including those made by cisco) won't always answer
> equally. if you repeat a query N times, then in the end you'll have to
> either pick the last one or a random one.
Here's an observation... very likely load balancers will hash on some
subset tuple of (src IP, dst IP, src port, dst port).
The birthday attack presumes that *some* tuple will match (the same 4 +
But, it doesn't know *which* one.
If the same query is sent twice, using the *same* port, and different
TXID, in short order, it will more than likely be hashed the same way
and be sent to the same physical server.
And that *should* get the same answer, modulo changes to the zone that
occur in the (very short) interval.
This adds 16 bits of entropy. If the resolver is already patched, you
get about 48 bits of entropy - pretty close to the 50 that Paul says we
So, in the case of different answers, redo the last one on the same
port; the last two answers should be the same.
Or even blast out a new pair of queries, deliberately closely spaced in
time, differing only in TXID.
Since the attacker is only guessing on TXIDs, or on ports, but usually
not both, the chances of guessing two in succession are very low.
More information about the dns-operations