[dns-operations] question for DNS being attacked

Michael Graff mgraff at isc.org
Thu Jun 28 06:29:55 UTC 2012


Yes, but also this.  (expanded from "feel")

It may also make Kaminsky style attacks easier if an attacker can blind an auth server from handing out responses.  If the counter values are real from the RFC style paper, every other response becomes a truncated reply in a flood situation.  This will extend the attack window by the time it takes to establish a TCP connection and query, or to the time it takes to retransmit the query plus TCP handshake if the blinding is successful.  This assumes the second query works.  But in reality it has the same chance as the first.

Assuming about 100ms for TCP handshake and two seconds for timeout and retry followed by the TCP handshake, this means the window for potential false responses moves to about 1100ms on average.

If a UDP reply would normally make it to the server in 100 ms, this opens a window 11 times as wide.

This simple math only accounts for one server, however.  Someone with better probabilistic skills than I have, at 1:30am, should do the math with more than one server, and include the attack probability as well.

--Michael

On Jun 28, 2012, at 1:15, pangj <pangj at riseup.net> wrote:

> 
>> Even with the slip values, I still feel this can open a wider window for other forms of attacks against a DNS zone.
> 
> For example, the attacker spoofs with a legitimate IP and makes a number of queries, thus RRL blocks that legitimate IP by mistake?
> 
> -- 
> Email/Jabber/Gtalk: pangj at riseup.net
> Free DNS Hosting with www.DNSbed.com
> 
> 
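An added Python example, not part of this thread or of any RRL implementation, that turns the arithmetic in the message above into reusable functions so an operator can weigh a slip setting before deploying it. The timings (100 ms TCP handshake, 2 s retry timeout, 100 ms plain UDP reply) are the message's own; the "retry faces the same odds" model and the multi-server model are assumptions stated in the docstrings, not something the thread works out:

```python
"""Expected resolver wait time under RRL for a given slip value.

Model taken from the message above: with slip=2 every other
rate-limited response is sent truncated (TC=1) and the rest are dropped.
A truncated reply costs the resolver one TCP handshake; a dropped query
costs one retry timeout and then a handshake. The window during which a
forged answer could be accepted grows with that wait.
"""


def expected_window_ms(slip, handshake_ms=100.0, timeout_ms=2000.0,
                       retry_always_works=True):
    """Average time until the resolver holds a usable answer from a
    rate-limited authoritative server.

    With probability 1/slip the first query gets a truncated reply and
    the resolver pays one TCP handshake. Otherwise the query is dropped,
    the resolver waits timeout_ms and retransmits.

    retry_always_works=True is the message's simplification ("assumes
    the second query works"): the retry gets TC and costs one handshake.
    False is an assumption modelling the message's caveat that the
    retry has the same chance as the first: each attempt independently
    gets TC with probability 1/slip, so on average slip - 1 timeouts
    pass before a truncated reply arrives.
    """
    if slip < 1:
        raise ValueError("slip must be >= 1")
    p_tc = 1.0 / slip
    if retry_always_works:
        return p_tc * handshake_ms + (1.0 - p_tc) * (timeout_ms + handshake_ms)
    return (slip - 1) * timeout_ms + handshake_ms


def widening_factor(slip, udp_rtt_ms=100.0, **kw):
    """How many times wider the window is than a plain UDP reply that
    arrives in udp_rtt_ms (the message's '11 times as wide')."""
    return expected_window_ms(slip, **kw) / udp_rtt_ms


def expected_window_multi_server_ms(n_servers, n_limited, slip,
                                    udp_rtt_ms=100.0, **kw):
    """Assumption (not in the thread): the resolver picks one of
    n_servers uniformly at random for each query, and n_limited of them
    are currently rate limiting. Servers not under the flood answer in
    one plain UDP round trip."""
    if n_servers < 1 or not 0 <= n_limited <= n_servers:
        raise ValueError("need 1 <= n_servers and 0 <= n_limited <= n_servers")
    share = n_limited / n_servers
    return share * expected_window_ms(slip, **kw) + (1.0 - share) * udp_rtt_ms


if __name__ == "__main__":
    # Constructed comparison table for a few slip values.
    print("slip  window_ms  x_wider  window_if_retry_same_odds")
    for slip in (1, 2, 3, 4):
        print(f"{slip:>4}  {expected_window_ms(slip):>9.0f}  "
              f"{widening_factor(slip):>7.1f}  "
              f"{expected_window_ms(slip, retry_always_works=False):>9.0f}")
    print("3 auth servers, 1 limited, slip=2:",
          f"{expected_window_multi_server_ms(3, 1, 2):.0f} ms")
```

With the message's figures, `expected_window_ms(2)` reproduces the 1100 ms average and `widening_factor(2)` the factor of 11; the retry-same-odds variant gives 2100 ms, and spreading the query over three servers with only one under the flood brings the average back down to about 433 ms.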


