[dns-operations] DNS Attack over UDP fragmentation

Colm MacCárthaigh colm at stdlib.net
Wed Sep 4 16:18:05 UTC 2013

On Wed, Sep 4, 2013 at 8:40 AM, <ondrej.sury at nic.cz> wrote:

>> It'd be interesting to work out what the total entropy is by
>> using that along with truly random IP IDs.
> It's only 16-bit and it's not much since you can preload the second
> fragments even before the query is sent.

I think with variable point fragmentation you can probably squeeze out an
additional 8 or 9 bits of entropy if you really push it. Comparable to the
0x20 hack :)

>> It also seems prudent for clients to validate that the IP TTL of all
>> fragments in a datagram is
>> the same.
> That's also only visible on IP level, not on application level, and the
> information is useless because you don't have any information about network
> topology at the defragmentation point.  Different IP TTLs for fragments are
> not likely, but still valid.

They are valid - fragments may take different paths (and multi-fragment
UDP datagrams are often subject to inconsistent ECMP flow-hashing due to
the absence of the ports in the second and subsequent fragments) but
different TTLs seem to be vanishingly rare on the wire. It looks like even
when there is ECMP there is an equal number of hops.

A smart recipient could fall back to TCP too; so the "suspiciousness" of
the mis-matched TTLs is a pretty valuable signal.

Many of the larger operators now deal directly in packets, rather than
sockets, so I wouldn't be surprised if mitigations like the above were
viable for them.
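As an added illustration of the two points discussed above (this is not code from the thread or from any of the participants), the following Python models the TTL-consistency check on reassembled fragments and the rough entropy gain from a variable fragmentation point. The IPv4 header parser, the fragment tracker, the hypothetical addresses and the constructed fragments are all assumptions made here for the example; the attacker's pre-loaded second fragment is simulated by feeding it before the genuine first fragment.

```python
"""Fragment TTL-consistency check and split-point entropy estimate.

Added example: everything here is constructed for illustration, including
the addresses, IP IDs and payloads. Checksums are left zero on purpose.
"""
import math
import struct
from collections import defaultdict

# Fixed 20-byte IPv4 header without options.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields a reassembler needs from a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = IPV4_HDR.unpack_from(pkt, 0)
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "mf": bool(flags_frag & 0x2000),       # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "ttl": ttl,
        "proto": proto,
        "src": src,
        "dst": dst,
        "payload": pkt[ihl:total_len],
    }


def build_ipv4(src: bytes, dst: bytes, ident: int, ttl: int, offset: int,
               mf: bool, payload: bytes, proto: int = 17) -> bytes:
    """Construct a (checksum-less) IPv4 fragment for the demonstration."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ident, flags_frag,
                        ttl, proto, 0, src, dst)
    return hdr + payload


class FragmentTracker:
    """Reassembles datagrams keyed by (src, dst, proto, id) and reports
    whether the fragments that made up a datagram carried different TTLs.
    """

    def __init__(self):
        self.pending = defaultdict(list)

    def feed(self, pkt: bytes):
        """Add one fragment. Returns None until the datagram is complete,
        then a dict with the reassembled payload and the TTL verdict."""
        f = parse_ipv4(pkt)
        key = (f["src"], f["dst"], f["proto"], f["id"])
        self.pending[key].append(f)
        frags = sorted(self.pending[key], key=lambda x: x["offset"])
        if frags[-1]["mf"]:          # last fragment not yet seen
            return None
        expected = 0
        for fr in frags:             # require contiguous coverage
            if fr["offset"] != expected:
                return None
            expected += len(fr["payload"])
        del self.pending[key]
        ttls = sorted({fr["ttl"] for fr in frags})
        mismatch = len(ttls) > 1
        return {
            "payload": b"".join(fr["payload"] for fr in frags),
            "ttls": ttls,
            "suspicious": mismatch,
            # The mitigation discussed: treat a TTL mismatch as a signal to
            # drop the UDP answer and retry the query over TCP.
            "fallback_tcp": mismatch,
        }


def split_point_bits(payload_len: int, max_frag_payload: int) -> float:
    """Rough model of the extra entropy from a variable fragmentation point
    for a datagram split into exactly two fragments: count the 8-byte-aligned
    first-fragment sizes that leave both fragments within max_frag_payload
    and return log2 of that count. An attacker pre-loading the second
    fragment must guess this offset as well as the 16-bit IP ID."""
    lo = math.ceil((payload_len - max_frag_payload) / 8)
    hi = min(max_frag_payload, payload_len - 1) // 8
    count = max(0, hi - lo + 1)
    return math.log2(count) if count else 0.0


if __name__ == "__main__":
    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # constructed
    tr = FragmentTracker()
    # Attacker pre-loads a forged second fragment with a guessed ID.
    tr.feed(build_ipv4(src, dst, 0x1234, 250, 16, False, b"E" * 8))
    # Genuine first fragment arrives from the real server.
    print(tr.feed(build_ipv4(src, dst, 0x1234, 54, 0, True, b"Q" * 16)))
    print(f"extra bits for a 2000-byte payload: {split_point_bits(2000, 1480):.2f}")
```

The tracker keeps a genuine second fragment that arrives after the forged one sitting in `pending` under the same key; a real implementation would also need a timeout and per-key limits. The entropy model is deliberately simple (two fragments, no options) and gives roughly 7 bits for a 2000-byte payload at a 1500-byte MTU, in the same neighbourhood as the 8 or 9 bits mentioned above for the more aggressive multi-fragment case.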
