[dns-operations] DNS Attack over UDP fragmentation

ondrej.sury at nic.cz
Wed Sep 4 15:40:53 UTC 2013


On 2013-09-04 17:25, Colm MacCárthaigh wrote:
> I don't think there's any requirement to fragment exactly at the
> MTU/MSS boundary. It's ok to fragment at a lower point, so there's an
> opportunity for additional entropy by randomising the point of
> fragmentation on a datagram by datagram basis. If the spoofer doesn't
> know the point of fragmentation then it's hard for the payload to make
> sense.

That's a clever idea for how to mitigate that, but it needs to be implemented 
by the IP stack.

Maybe you can mangle incoming ICMP packets and randomly change their 
value in the interval <N-const,N), so it could be implemented even 
without native support in the kernel.

> It'd be interesting to work out what the total entropy is by
> using that along with truly random IP IDs.

It's only 16 bits, and it's not much, since you can preload the second 
fragments even before the query is sent.

> It also seems prudent for clients to validate that the IP TTL of all 
> fragments in a datagram are
> the same.

That's also only visible on IP level, not on application level, and the 
information is useless because you don't have any information about 
network topology at the defragmentation point.  Different IP TTLs for 
fragments are not likely, but still valid.

> Neither of those mitigations are easy for everyone, but they may be
> helpful for some. Obviously there's TC=1 too. 
> 
> On Wed, Sep 4, 2013 at 6:08 AM, Ondřej Surý <ondrej.sury at nic.cz>
> wrote:
> 
>> Hi all,
>> 
>> for all those who haven't been on saag WG at IETF 88...
>> 
>> Amir Herzberg and Haya Shulman have presented a quite interesting
>> attack on UDP fragmentation that allows Kaminsky-style attacks to be
>> real again.
>> 
>> The saag presentation is here:
>> http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf [1]
>> 
>> The paper describing the attack is here:
>> http://arxiv.org/pdf/1205.4011v1.pdf [2]
>> 
>> More Haya Shulman's publications can be found here:
>> https://sites.google.com/site/hayashulman/publications [3]
>> 
>> And some papers are also available from Google Scholar:
>> 
> n&q=Amir+Herzberg%2C+Haya+Shulman+++dnssec&btnG=&as_sdt=1%2C5&as_sdtp=
>> [4]
>> 
>> We gave it some thought here at CZ.NIC Labs, and we think that the
>> threat is real; we are now trying to write PoC code to prove
>> the theoretical concept.
>> 
>> So what are the views of other people on this list?
>> 
>> Ondrej
>> --
>>  Ondřej Surý -- Chief Science Officer
>>  -------------------------------------------
>>  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
>>  Americka 23, 120 00 Praha 2, Czech Republic
>>  mailto:ondrej.sury at nic.cz    http://nic.cz/ [5]
>>  tel:+420.222745110 [6]       fax:+420.222745112 [7]
>>  -------------------------------------------
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs [8]
> 
> --
> Colm
> 
> Links:
> ------
> [1] http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf
> [2] http://arxiv.org/pdf/1205.4011v1.pdf
> [3] https://sites.google.com/site/hayashulman/publications
> [4]
> zberg%2C+Haya+Shulman+++dnssec&btnG=&as_sdt=1%2C5&as_sdtp=
> [5] http://nic.cz/
> [6] tel:%2B420.222745110
> [7] tel:%2B420.222745112
> [8] https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
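The per-datagram TTL consistency check Colm suggests (and Ondřej's point that it is only visible at the IP layer) can be illustrated with a small fragment-reassembly bookkeeper. This is an added example, not code from the thread or from CZ.NIC; the fragment bytes, addresses and TTL values below are constructed, and the "inconsistent TTL" verdict is only a signal, not proof of spoofing.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, options ignored


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields needed to group and check fragments."""
    (_, _, _, ident, flags_frag, ttl,
     proto, _, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    return {
        "id": ident,
        "mf": bool(flags_frag & 0x2000),      # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,  # fragment offset in bytes
        "ttl": ttl, "proto": proto, "src": src, "dst": dst,
    }


def check_fragment_ttls(packets):
    """Group fragments by (src, dst, proto, IP ID) as a reassembler would
    and return (IP ID, sorted TTLs) for datagrams whose fragments arrived
    with differing TTLs. Ondřej's caveat applies: differing TTLs are valid
    on the wire, so treat a hit as a reason to look closer, not as proof."""
    groups = defaultdict(list)
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h["mf"] or h["offset"]:  # only fragments, not whole datagrams
            groups[(h["src"], h["dst"], h["proto"], h["id"])].append(h)
    suspicious = []
    for key, frags in groups.items():
        ttls = {f["ttl"] for f in frags}
        if len(ttls) > 1:
            suspicious.append((key[3], sorted(ttls)))
    return suspicious


def make_frag(ident, offset_bytes, mf, ttl, payload=b"\x00" * 8):
    """Build a constructed UDP (proto 17) fragment with a zero checksum."""
    flags_frag = (0x2000 if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload


# Constructed sample: ID 0x1234 is consistent; ID 0x4321 has a second
# fragment whose TTL does not match the first fragment's.
SAMPLE = [
    make_frag(0x1234, 0, True, 57), make_frag(0x1234, 1480, False, 57),
    make_frag(0x4321, 0, True, 57), make_frag(0x4321, 1480, False, 250),
]

if __name__ == "__main__":
    print(check_fragment_ttls(SAMPLE))
```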