[dns-operations] DNS Attack over UDP fragmentation

Jelte Jansen jelte.jansen at sidn.nl
Wed Sep 4 14:56:39 UTC 2013


On 09/04/2013 04:50 PM, Ondřej Surý wrote:
> BTW just to complete my question in first email - is there an agreement that this is serious and needs to be addressed?
> 

Just had a quick read and here are some random thoughts (staying out of
solution space for now):

Fragmentation has long been known to be a security hazard, so I
certainly think this is plausible. The initial requirements to pull this
off seem a bit more than for the original attack (however, once they are
there it is easier). Funny how having DNSSEC but not validating it makes
it worse (and something to remember when turning on NTA). Also reminds
me to look at the TCP-only thing again.

I'd love to see a PoC and try it out here.

Jelte
