[dns-operations] summary of recent vulnerabilities in DNS security.

Haya Shulman haya.shulman at gmail.com
Wed Oct 23 19:46:59 UTC 2013


Nice work Brian and the CZ folks!

Although you and me talked about this at CNS, but it was too stressed in
time, so I have few questions:
1. Which resolvers (and versions) did you run the attack against?
2. Which responses' type (and records) did you try to poison? e.g.,
referral, answer, NXDOMAIN, NODATA?
3. Did you try spoofing the glue in responses to DNSSEC validating
resolvers?

On Wed, Oct 23, 2013 at 7:24 PM, Dickson, Brian <bdickson at verisign.com>wrote:

>  Paul Vixie wrote:
>
>
>   Haya Shulman wrote:
>
>
>
>> > > so if i add "first weaponized by Haya Shulman" this would settle the
>> > > matter?
>> >
>> > Thank you, can you please use Amir Herzberg and Haya Shulman (I
>> > collaborated on this attack together with my phd advisor Amir Herzberg).
>>
>>  it shall be done.
>>
>
>  Thank you.
>
>
> upon deeper consideration, "weaponized" is the wrong verb, unless you have
> released your software. i can say "first published" if that will serve your
> purpose.
>
>
>  Sorry to join the discussion late.
>
>  FYI, I have been working on a proof-of-concept weaponized implementation
> of a fragmentation-based attack.
> (My work is limited only to fragmentation, as I see that as the issue with
> the largest attack surface and which suffers from potential long-tail
> problems in mitigations.)
>
>  This work was inspired by Haya/Amir's work, although it did abstract
> things and go back to first principles on what to do and how to do it. The
> PoC code is a clean-room implementation.
>
>  I am also loosely collaborating with the CZ folks (Ondřej Surý et al)
> who are also doing their own independent PoC.
>
>  There was a presentation of this at the latest DNS-OARC meeting, as well
> as at the last RIPE meeting.
>
>  We will, of course, be keeping the code private, and will avoid
> releasing too many details.
>
>  When we have specific concrete results, we will share them in a
> responsible fashion.
>
>  Regardless of the specifics, the general result should be understood:
> the unsigned aspects of delegations, creates an exposure to poisoning which
> allows MitM, which facilitates a host of problems to anything which is not
> totally DNSSEC-signed and DNSSEC-validated.
>
>  Brian Dickson
>
>  P.S. Credit for "weaponized" even if the code is shared with strict
> controls, rather than released, would be welcome, at the appropriate time.
>
>
>
Can you please refer me to a summary/report of your work?​ I will add
reference to it in a journal version of our paper.
BTW, I am not sure you can release the code, IMHO you should check this
with Peter Eckersley from the EFF (cc-ed).



-- 

Best Regards,

Haya Shulman

Technische Universität Darmstadt

FB Informatik/EC SPRIDE

Mornewegstr. 30

64293 Darmstadt

Tel. +49 6151 16-75540

www.ec-spride.de
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131023/be9bf992/attachment.html>


More information about the dns-operations mailing list