[dns-operations] DNSSEC and Re: DNS Attack over UDP fragmentation

Edward Lewis ed.lewis at neustar.biz
Fri Sep 6 13:32:07 UTC 2013

> On Thu, Sep 05, 2013 at 02:54:18PM -0700,
> Paul Vixie <paul at redbarn.org> wrote the part "i do not understand this statement.":
>> Florian Weimer wrote:
>>> Because DNSSEC does not prevent cache poisoning, it only detects it.
>> i do not understand this statement.

On Sep 6, 2013, at 3:49, Stephane Bortzmeyer wrote in response to that exchange:

> The way I understand it: with Kaminsky and/or Shulman, you can still
> poison a DNS cache. The downstream validating resolver will detect it
> and send back SERVFAIL to the end user. But this end user won't be
> able to connect to his/her bank.

You don't need Kaminsky- or Shulman-described attacks to 'poison' a cache, you just need to create an acceptable response message.  There are other ways to do that.

> So, DNSSEC turned the poisoning attack from a hijacking attack to a
> DoS.

The above has a few non-sequiters.  First, yes, the cache poisoning is prevented, after it is detected.  What you are complaining though is that this means the end user is blocked from reaching the desired service - as a result of the poisoning being thwarted.

The comparison you should be making is not between "user gets to service versus user is blocked by DNSSEC from accessing service" but rather "user is misdirected to malicious harbor versus user is blocked from accessing the malicious server."  Yes, the latter is lose-lose because we are assuming this choice is being made during the duress of an attack.

It's not DNSSEC's fault that the user can't get through, it' the attack's fault.  DNSSEC's job is first to protect the cache from having falsified data, not to protect the user.  The result is to keep users from the bad sites they would have accessed if the cache were poisoned.

Note - DNSSEC does not address 'correctness' - which is at the heart of many problems today.  If the provisioning interface security is subverted, incorrect data can get into the DNS, be armored by DNSSEC and result in caches holding incorrect data.  DNSSEC's role is only to make this event more transparent - that the fault lay "upstream" - DNSSEC is not in any way going to defend against this class of failure.

> Now, the question is: "for an attacker, is it the simplest way to do a
> DoS?" IMHO, no, so I'm not too worried about it and I still believe in

DoS and DDoS are not the only forms of attack seen in the wild. (D)Dos is usually not the goal but the means to an end, such as a political statement.

What has gone wrong in our plan to save the Internet(TM) is that DNSSEC's armor against cache poisoning has being used as malicious payload in DDoS attacks via reflections.  But because the 'baddies" are after more than DDoS, we can't just drop DNSSEC and be better off.  (Cur reference to talks at CENTR, DNS-OARC ... yadda, yadda, yadda...for further elaboration.)

Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130906/09ef62b2/attachment.html>

More information about the dns-operations mailing list