[dns-operations] DNS Attack over UDP fragmentation

ondrej.sury at nic.cz ondrej.sury at nic.cz
Wed Sep 4 16:09:07 UTC 2013


On 2013-09-04 17:38, Mike Hoskins (michoski) wrote:
> -----Original Message-----
> 
> From: Dan York <york at isoc.org>
> Date: Wednesday, September 4, 2013 11:03 AM
> To: Ondřej Surý <ondrej.sury at nic.cz>, DNS Operations <dns-operations at lists.dns-oarc.net>
> Subject: Re: [dns-operations] DNS Attack over UDP fragmentation
> 
>> Ondrej,
>> 
>> On 9/4/13 9:08 AM, "Ondřej Surý" <ondrej.sury at nic.cz> wrote:
>> 
>>> We gave it some thought here at CZ.NIC Labs and we think that the threat is real, and we are now trying to write PoC code to prove the theoretical concept.
>>> 
>>> So what are the views of other people on this list?
>> 
>> I attended the SAAG session, listened to the presentation and read through the materials with great interest. I left, though, not really sure I could understand how real a threat this is in actual deployments. I would certainly welcome PoC code that could help shed light on the severity of the issue.
> 
> Interesting indeed. In reality, everyone should be thinking hard about remediation at all levels right now (protocol enhancements are great, but take time you won't have once a PoC exists). If the vector has been described, it's safe to assume people with more time and money are already working on the PoC, and won't be sharing it.

I had the same feeling as Dan when I saw this presentation. It fell into the too-good-to-be-true category, and I thought that if the described attack was true then everybody should be panicking right now. So it took me some time and conversations with various people to assess the severity of the attack.

So, yes, there might already be a PoC in the blackhat community, but fortunately it's still simpler to use the infected computers than clever attacks on the infrastructure.

O.
