[dns-operations] DNS Attack over UDP fragmentation
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Sep 5 09:10:39 UTC 2013
On Wed, Sep 04, 2013 at 06:02:20PM +0200,
Jaroslav Benkovský <jaroslav.benkovsky at nic.cz> wrote
a message of 23 lines which said:
> the authors mention that the recommendation for IP-ID on IPv6 is a
> sequential value,
IMHO, RFC 2460, section 4.5 is badly wrong, security-wise, because of
that. As Francis said,
<https://datatracker.ietf.org/doc/draft-ietf-6man-predictable-fragment-id/>
addresses that.
Fortunately, actual operating systems do not follow RFC 2460 and have
unpredictable IDs. To assess your system, I strongly recommend the
excellent tool SI6 toolkit
<http://www.si6networks.com/tools/ipv6toolkit/>:
> Also some implementations on IPv4 use sequential value or per
> destination counters.
That's perfect. We talk about blind attacks here, where the attacker
spoofs the source IP address and therefore cannot receive the
answers. So, PDC (per-destination counters) are OK.
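The thread's point is that what matters is whether the Identification values an attacker cannot see are guessable from the ones it can. As an added illustration, not part of the original message or of the SI6 toolkit, the following script takes a sequence of observed IPv6 Fragment-header Identification values (as a capture of `(destination, id)` pairs, all constructed sample data here) and classifies the generator as a global counter, a per-destination counter, or unpredictable. The 32-bit field width and the `max_step` threshold are assumptions of this example; it treats wrap-around at 2^32 as a normal counter step.

```python
"""Classify observed IPv6 Fragment Identification values by predictability.

Added example for assessing a host's fragment-ID generator from a capture;
not part of the dns-operations thread or of any existing tool.
"""
from typing import Dict, List, Tuple

# Assumption: IPv6 Fragment header Identification field is 32 bits wide.
ID_SPACE = 1 << 32


def _modular_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive IDs, modulo the field width,
    so a counter wrapping from 0xFFFFFFFF to 0 still shows a step of 1."""
    return [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]


def _looks_like_counter(ids: List[int], max_step: int) -> bool:
    """True when every step is a small positive increment (a counter that
    may be shared with traffic we did not capture, hence steps > 1)."""
    deltas = _modular_deltas(ids)
    return len(deltas) > 0 and all(1 <= d <= max_step for d in deltas)


def classify_fragment_ids(samples: List[Tuple[str, int]], max_step: int = 16) -> str:
    """samples: (destination address, Identification) pairs in capture order.

    Returns one of:
      "global-counter"          - IDs increase across all destinations
                                  (what RFC 2460 section 4.5 describes;
                                  guessable by a blind attacker)
      "per-destination-counter" - each destination sees its own increasing
                                  sequence, unrelated across destinations
                                  (not guessable without seeing that flow)
      "unpredictable"           - no counter pattern found
      "insufficient"            - too few samples to say anything
    """
    ids = [ident for _, ident in samples]
    if len(ids) < 3:
        return "insufficient"
    if _looks_like_counter(ids, max_step):
        return "global-counter"
    per_dst: Dict[str, List[int]] = {}
    for dst, ident in samples:
        per_dst.setdefault(dst, []).append(ident)
    runs = [v for v in per_dst.values() if len(v) >= 2]
    if runs and all(_looks_like_counter(v, max_step) for v in runs):
        return "per-destination-counter"
    return "unpredictable"


# Constructed sample captures (addresses from the 2001:db8::/32 documentation prefix).
GLOBAL_COUNTER = [("2001:db8::1", 100), ("2001:db8::2", 101),
                  ("2001:db8::1", 102), ("2001:db8::3", 103)]
WRAPPING_COUNTER = [("2001:db8::1", 0xFFFFFFFE), ("2001:db8::2", 0xFFFFFFFF),
                    ("2001:db8::1", 0x00000000), ("2001:db8::2", 0x00000001)]
PER_DESTINATION = [("2001:db8::1", 5000), ("2001:db8::2", 9000),
                   ("2001:db8::1", 5001), ("2001:db8::2", 9001),
                   ("2001:db8::1", 5002)]
RANDOM_IDS = [("2001:db8::1", 0x9A3F12C0), ("2001:db8::1", 0x0172EE91),
              ("2001:db8::1", 0xD4E50B33), ("2001:db8::1", 0x5A8C7F01)]

if __name__ == "__main__":
    for name, capture in [("global", GLOBAL_COUNTER), ("wrapping", WRAPPING_COUNTER),
                          ("per-destination", PER_DESTINATION), ("random", RANDOM_IDS)]:
        print(f"{name:16s} -> {classify_fragment_ids(capture)}")
```

Only the "global-counter" verdict is the one the post calls badly wrong: a blind attacker who spoofs the source address never sees the victim's fragments, so a per-destination counter is as good as a random ID for this attack model, which is exactly why the reply says per-destination counters are OK.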