[dns-operations] DNS Attack over UDP fragmentation
Jaroslav Benkovský
jaroslav.benkovsky at nic.cz
Wed Sep 4 16:02:20 UTC 2013
On 09/04/2013 05:48 PM, Francis Dupont wrote:
> In your previous mail you wrote:
>
>> When these are defined, implemented, and deployed, all DNS messages
>> can be sent with DF=1 or IPv6 fragmentation option can be
>> deprecated.
>
> => if I remember well, the attack is for IPv4 (it exchanges the random
> DNS ID and port against the random IP ID, which is 32 bits long for IPv6
> (so bigger/safer) and 16 bits long for IPv4).
Read the paper; the authors mention that the recommendation for the IP-ID on
IPv6 is a sequential value, so its entropy is meager at best. Also, some
implementations on IPv4 use a sequential value or per-destination counters.
Jaroslav Benkovsky
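The point above is that what matters is not the nominal width of the IP-ID field (16 bits on IPv4, 32 bits in the IPv6 fragment header) but how the host actually generates the values: a global counter is readable by anyone who can elicit a packet from the host, a per-destination counter is only partly observable, and only a random ID gives the full field width as search space. The script below is an added example written for this page (it is not code from the thread, the paper, or any DNS implementation). It takes IP-ID values observed in a host's replies, each tagged with which of our own probe addresses the reply was sent to, and classifies the generator as global counter, per-destination counter, or random, then reports the number of candidates an attacker would have to cover to hit the next ID. The sample sequences are constructed, and the "counter step at most 64" threshold is an assumption chosen for the demo (some stacks increment by other amounts, so tune max_step for a real survey).

```python
"""Classify how a remote host generates IP identification values.

Added example, not taken from the dns-operations thread or the paper it
discusses. Input: (probe_destination, ip_id) pairs in the order replies were
seen. Output: which generation scheme the values are consistent with, and
the size of the candidate set an off-path attacker must cover to guess the
next ID for a given field width (16 for IPv4, 32 for IPv6 fragment headers).
"""
from typing import Dict, List, Sequence, Tuple

GLOBAL_COUNTER = "global-counter"          # one counter shared by all destinations
PER_DESTINATION = "per-destination-counter"  # separate counter per destination
RANDOM = "random"                          # no counter structure detected


def _delta(prev: int, cur: int, width: int) -> int:
    """Forward distance from prev to cur modulo the field width (handles wrap)."""
    return (cur - prev) % (1 << width)


def _looks_sequential(ids: Sequence[int], width: int, max_step: int) -> bool:
    """True if every successive pair advances by 1..max_step (mod 2**width)."""
    if len(ids) < 2:
        return False
    return all(1 <= _delta(a, b, width) <= max_step for a, b in zip(ids, ids[1:]))


def classify_ipid(samples: Sequence[Tuple[str, int]], width: int = 16,
                  max_step: int = 64) -> str:
    """Return GLOBAL_COUNTER, PER_DESTINATION or RANDOM for the observed IDs.

    max_step (assumed value for this demo) bounds how far a counter may advance
    between two of our observations; other traffic from the host consumes IDs
    in between, so it must be larger than 1.
    """
    if len(samples) < 4:
        raise ValueError("need at least four observations to say anything")
    all_ids = [ip_id for _, ip_id in samples]
    # Interleaved replies to different destinations still form one rising
    # sequence only if a single counter serves all of them.
    if _looks_sequential(all_ids, width, max_step):
        return GLOBAL_COUNTER
    per_dst: Dict[str, List[int]] = {}
    for dst, ip_id in samples:
        per_dst.setdefault(dst, []).append(ip_id)
    streams = [ids for ids in per_dst.values() if len(ids) >= 2]
    if streams and all(_looks_sequential(ids, width, max_step) for ids in streams):
        return PER_DESTINATION
    return RANDOM


def guess_space(scheme: str, width: int, max_step: int = 64) -> int:
    """Candidates an attacker must cover to hit the next IP-ID.

    A global counter can be read by querying the host oneself, so only the
    counter's advance between reads is unknown. A per-destination counter for
    the victim's address is not directly observable from the attacker's own
    address; the full field width is returned as the conservative bound
    (assumption of this example, not a result from the paper). A random ID
    leaves the full field width.
    """
    if scheme == GLOBAL_COUNTER:
        return max_step
    return 1 << width


# Constructed observations (not real captures): destination tag, IP-ID seen.
SAMPLE_GLOBAL = [("a", 100), ("b", 101), ("a", 102), ("b", 103)]
SAMPLE_WRAP = [("a", 65534), ("a", 65535), ("a", 0), ("a", 1)]  # wraps at 2**16
SAMPLE_PER_DST = [("a", 10), ("b", 500), ("a", 11), ("b", 501), ("a", 12), ("b", 502)]
SAMPLE_RANDOM = [("a", 43210), ("a", 7), ("a", 60000), ("a", 12345)]


if __name__ == "__main__":
    for name, samples, width in [("global", SAMPLE_GLOBAL, 16),
                                 ("wrap", SAMPLE_WRAP, 16),
                                 ("per-dst", SAMPLE_PER_DST, 16),
                                 ("random v4", SAMPLE_RANDOM, 16),
                                 ("random v6", SAMPLE_RANDOM, 32)]:
        scheme = classify_ipid(samples, width)
        print(f"{name:10s} -> {scheme:24s} guess space {guess_space(scheme, width)}")
```

Run it against IDs harvested from a nameserver's replies to probes sent from two or more addresses you control; a host that comes out as GLOBAL_COUNTER offers the attacker a window of a few dozen values regardless of whether the field is 16 or 32 bits wide, which is the entropy concern raised in the reply above.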