[dns-operations] DNS Attack over UDP fragmentation

Haya Shulman haya.shulman at gmail.com
Fri Sep 6 01:02:59 UTC 2013

I hope you do not mind me joining in.

FYI, (a short) updated version of the paper is enclosed.

I do not plan to release a PoC, but I will be happy to discuss questions
and challenges pertaining to the implementation/evaluation. The results
reported in the paper are based on evaluation of attacks against responses
from real name servers, and (up-to-date) Bind and Unbound resolvers that I
ran in a lab.
 We work on `some measurements` that should clarify the severity and
applicability of the attack. However, the main problem is lack of time, and
all these travels in tandem with hotels' networks do not speed it up. So
unfortunately, it is taking me longer than we were hoping for.

Please notice that I am not urging anyone to patch :-) and I do not promote
any company, and do not have the required time to visit vendors around the
globe and demonstrate the attack.
We disclosed the work to raise awareness to the vulnerability, and the
paper is available. I think you _should_ patch and not wait till the
exploit is out there.

IMHO DNSSEC is a long term solution and I think that more research is
required to address different obstacles towards adoption thereof, such as
problems with large UDP packets, fragmentation, failures due to fall back
to TCP, lack of motivation due to interoperability problems and abuse for
DDoS, and more... Here is (a bit outdated) report on DNSSEC deployment
challenges study
we plan to upload an updated version soon.

Merely deploying DNSSEC as the only solution may have an adverse impact on
DNS functionaliy, and functionality and availability of other applications
that depend on DNS.
I would recommend short term patched (that we recommend in the paper) in
the meanwhile, and addressing the deployment challenges of DNSSEC.

BTW, next week I am in London (presenting our new cache poisoning work at
ESORICS), so, if anyone is in the neighbourhood and wants to chat - feel
free to drop me a line. The work at ESORICS shows new techniques to
deanonymise and cache poison resolvers behind patched upstream resolvers.
Following [Kaminsky2008] one of the recommendations of the experts was
either to patch or to configure a patched upstream resolver (most notably
recommending OpenDNS). BTW, we checked and found many networks to be
vulnerable to these new attacks against resolver-behind-upstream. So if you
rely only on a patched upstream for your resolver's security, you may want
to consider adopting additional mechanisms...

Best Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130906/748b66ed/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cns2013-formatted.pdf
Type: application/pdf
Size: 744717 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130906/748b66ed/attachment.pdf>

More information about the dns-operations mailing list