[dns-operations] question for DNS being attacked
mgraff at isc.org
Thu Jun 28 17:13:34 UTC 2012
On Jun 28, 2012, at 9:06 AM, Vernon Schryver wrote:
> That conclusion does not hold, because it does not define the narrow
> window alternative. 11 times as wide as what?
With a slip factor of 2, every other packet will be dropped, and the other packets returned will have the truncated bit set. If this is incorrect, please explain what it does do.
This translates to a "normal" truncated response 50% of the time, and a timeout the other 50%. Ignoring the penalty BIND 9 and other servers are likely to assign to this misbehaving server, the timeout keeps the "Waiting for a response" window open much, much longer. This timeout is largely server-dependent, and some may wait multiple seconds. This leaves the window open for a spoofing flood attack to sneak in.
While I commend you and Paul on the RRL work you've made, I think it is improper to not mention this in the documents you write. It may be "not a big deal" to the administrator of the zone, but it is up to them to decide that. Some may prefer to be a flooding source rather than make their zone more prone to spoofing, even if the actual odds are low. The biggest problem here is that the zone publisher's goals of not being spoofable are entirely dependent on the resolver asking the questions, without DNSSEC in the mix.
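As an added illustration of the trade-off discussed in this thread (constructed model, not code from the poster, from BIND, or from the RRL patches), the following Python simulates a per-client token bucket with a "slip" setting and estimates how long a resolver's outstanding-query window stays open. The bucket size, the refill rule, and the order in which over-limit responses are truncated or dropped are assumptions of this model.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class RRL:
    """Toy response rate limiter: a per-(client, name) token bucket plus slip."""
    responses_per_second: int = 5
    slip: int = 2  # 0 = never send TC, 1 = always TC, N = every Nth over-limit
    _tokens: dict = field(default_factory=dict)
    _over_limit: dict = field(default_factory=dict)

    def decide(self, client: str, qname: str, now: float) -> str:
        """Return 'answer', 'truncate' (TC=1 reply) or 'drop' for one query."""
        key = (client, qname)
        tokens, last = self._tokens.get(key, (self.responses_per_second, now))
        # Refill in proportion to elapsed time, never above the per-second limit.
        tokens = min(self.responses_per_second,
                     tokens + (now - last) * self.responses_per_second)
        if tokens >= 1:
            self._tokens[key] = (tokens - 1, now)
            return "answer"
        self._tokens[key] = (tokens, now)
        if self.slip <= 0:
            return "drop"
        n = self._over_limit.get(key, 0) + 1
        self._over_limit[key] = n
        # Every slip-th over-limit response goes out truncated instead of dropped.
        return "truncate" if n % self.slip == 0 else "drop"


def simulate_burst(queries: int, slip: int, limit: int = 5) -> Counter:
    """Send `queries` identical queries from one constructed client in one second."""
    rrl = RRL(responses_per_second=limit, slip=slip)
    return Counter(rrl.decide("192.0.2.0/24", "example.test", 0.0)
                   for _ in range(queries))


def expected_wait(slip: int, tc_rtt: float, timeout: float) -> float:
    """Expected time one over-limit query keeps the resolver's window open.

    A truncated reply closes the window after one round trip; a dropped
    response leaves it open until the resolver's own timeout expires.
    """
    if slip <= 0:
        return timeout
    p_tc = 1.0 / slip
    return p_tc * tc_rtt + (1.0 - p_tc) * timeout
```

With slip 2, a 105-query burst against a 5-per-second limit yields 5 answers, 50 truncated replies and 50 drops, and a 50 ms round trip against a 2 s resolver timeout gives an expected window of about 1.025 s per over-limit query, versus 50 ms with slip 1.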