[dns-operations] DNS Attack over UDP fragmentation

Colm MacCárthaigh colm at stdlib.net
Wed Sep 4 15:25:41 UTC 2013

I don't think there's any requirement to fragment exactly at the MTU/MSS
boundary. It's ok to fragment at a lower point, so there's an opportunity
for additional entropy by randomising the point of fragmentation on a
datagram by datagram basis. If the spoofer doesn't know the point of
fragmentation then it's hard for the payload to make sense.  It'd be
interesting to work out what the total entropy is by using that along with
truly random IP IDs. It also seems prudent for clients to validate that the
IP TTL of all fragments in a datagram are the same.

Neither of those mitigations is easy for everyone, but they may be helpful
for some. Obviously there's TC=1 too.

On Wed, Sep 4, 2013 at 6:08 AM, Ondřej Surý <ondrej.sury at nic.cz> wrote:

> Hi all,
> for all those who haven't been on saag WG at IETF 88...
> Amir Herzberg and Haya Shulman have presented a quite interesting attack on
> UDP fragmentation that allows Kaminsky-style attacks to be real again.
> The saag presentation is here:
> http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf
> The paper describing the attack is here:
> http://arxiv.org/pdf/1205.4011v1.pdf
> More Haya Shulman's publications can be found here:
> https://sites.google.com/site/hayashulman/publications
> And some papers are also available from Google Scholar:
> http://scholar.google.com/scholar?hl=en&q=Amir+Herzberg%2C+Haya+Shulman+++dnssec&btnG=&as_sdt=1%2C5&as_sdtp=
> We gave it some thought here at CZ.NIC Labs and we think that the threat
> is real, and we are now trying to write PoC code to prove the theoretical
> concept.
> So what are the views of other people on this list?
> Ondrej
> --
>  Ondřej Surý -- Chief Science Officer
>  -------------------------------------------
>  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
>  Americka 23, 120 00 Praha 2, Czech Republic
>  mailto:ondrej.sury at nic.cz    http://nic.cz/
>  tel:+420.222745110       fax:+420.222745112
>  -------------------------------------------
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
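The following is an added example written for this archive page; it is not code from Colm, from CZ.NIC, or from the Herzberg/Shulman paper. It is a toy IPv4 fragmenter and reassembler that puts the mitigations sketched above into code: a sender that picks its first fragmentation point at random (8-byte aligned, anywhere below the MTU limit) and uses a random IP ID, and a receiver that refuses to reassemble a datagram whose fragments disagree on the IP TTL or that leave a gap or overlap. The addresses, the 2000-byte "DNS response" payload and the spoofed fragment are all constructed in memory; header checksums are left at zero because nothing here verifies them.

```python
# Added example, not code from the original thread. A toy IPv4 fragmenter and
# reassembler that applies the mitigations Colm sketches: a randomised (8-byte
# aligned) fragmentation point below the MTU, a random IP ID, and a receiver
# that rejects a datagram whose fragments disagree on the IP TTL. All packets
# are constructed in memory; header checksums are left zero since nothing
# here verifies them. Addresses and payload are made-up test data.
import random
import struct

IP_HDR_LEN = 20
IP_FMT = "!BBHHHBBH4s4s"


def ipv4_header(src, dst, ident, ttl, more_frags, frag_off, payload_len, proto=17):
    """Build a 20-byte IPv4 header; frag_off is in bytes and must be a multiple of 8."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)
    return struct.pack(IP_FMT, 0x45, 0, IP_HDR_LEN + payload_len, ident,
                       flags_frag, ttl, proto, 0, src, dst)


def parse(pkt):
    """Return the header fields a reassembler needs plus the fragment's data."""
    _, _, total_len, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:IP_HDR_LEN])
    return {"key": (src, dst, ident, proto), "ttl": ttl,
            "mf": bool(flags_frag & 0x2000), "off": (flags_frag & 0x1FFF) * 8,
            "data": pkt[IP_HDR_LEN:total_len]}


def fragment(payload, src, dst, ident, ttl, mtu, rng=random, first_cut=None):
    """Fragment payload for the given MTU. The first cut is chosen at random
    (8-byte aligned, from 8 bytes up to the MTU limit) rather than sitting at
    the MTU boundary; later fragments are filled to the limit. first_cut exists
    only so a test can pin the split point."""
    max_chunk = (mtu - IP_HDR_LEN) // 8 * 8
    if len(payload) <= mtu - IP_HDR_LEN:
        return [ipv4_header(src, dst, ident, ttl, False, 0, len(payload)) + payload]
    cuts = [0, first_cut if first_cut is not None else rng.randrange(8, max_chunk + 1, 8)]
    while len(payload) - cuts[-1] > max_chunk:
        cuts.append(cuts[-1] + max_chunk)
    cuts.append(len(payload))
    frags = []
    for start, end in zip(cuts, cuts[1:]):
        mf = end < len(payload)
        frags.append(ipv4_header(src, dst, ident, ttl, mf, start, end - start) + payload[start:end])
    return frags


def reassemble(frags):
    """Reassemble one datagram; raise ValueError on anything inconsistent."""
    parsed = [parse(f) for f in frags]
    if len({p["key"] for p in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    # The TTL check from the thread: every fragment of a genuine datagram took
    # the same path, so a fragment with a different TTL did not come from the
    # same sender.
    if len({p["ttl"] for p in parsed}) != 1:
        raise ValueError("TTL mismatch across fragments")
    parsed.sort(key=lambda p: p["off"])
    out = b""
    for p in parsed:
        if p["off"] != len(out):
            raise ValueError("gap or overlap at offset %d (expected %d)" % (p["off"], len(out)))
        out += p["data"]
    if parsed[-1]["mf"]:
        raise ValueError("last fragment missing")
    return out


def accepts(frags):
    """Return (True, payload) or (False, reason) for a set of fragments."""
    try:
        return True, reassemble(frags)
    except ValueError as e:
        return False, str(e)


def demo(seed=1):
    """Genuine server vs. an off-path spoofer who guessed the IP ID but not the
    fragmentation point (and, in the second case, not the TTL either)."""
    rng = random.Random(seed)
    src, dst = bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7])   # made-up addresses
    payload = bytes(rng.randrange(256) for _ in range(2000))       # stand-in for a large DNS response
    ident = rng.randrange(1 << 16)                                 # random IP ID, never sequential
    genuine = fragment(payload, src, dst, ident, 57, 1500, rng)
    results = {"roundtrip_ok": reassemble(genuine) == payload}
    # The spoofer assumes the split sits exactly at the MTU, so the second
    # fragment starts at byte 1480. reassemble() sorts by offset, so it does
    # not matter that the spoofed fragment is handed in first.
    tail = 2000 - 1480
    for name, ttl in (("spoof_same_ttl", 57), ("spoof_other_ttl", 63)):
        spoofed = ipv4_header(src, dst, ident, ttl, False, 1480, tail) + b"\x41" * tail
        results[name] = accepts([spoofed, genuine[0]])
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v if k == "roundtrip_ok" else v[0], "" if k == "roundtrip_ok" or v[0] else v[1])
```

Two things worth noticing when running it. The spoofed fragment with the wrong TTL is always refused, whichever offset it claims. The one with the right TTL is refused only because its offset does not line up with where the genuine first fragment ended; with a 1500-byte MTU there are 185 possible 8-byte-aligned cut points, so a spoofer who guesses the IP ID still has to guess the split, which is the extra entropy Colm is referring to. About one run in 185 of `demo()` with a fresh seed will therefore land on a cut of exactly 1480 and accept the spoofed fragment, which shows that randomising the fragmentation point raises the cost of the attack rather than removing it.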
