[dns-operations] Evaluation of NSEC3-encloser attack

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 25 18:57:09 UTC 2024

On Mon, Mar 25, 2024 at 09:27:06AM +0100, Haya Shulman wrote:

> Our evaluations demonstrate that the two attack vectors are fundamentally
> different from the perspective of their practical impact: KeyTrap
> introduces a realistic immediate threat for exploitation by hackers. In
> contrast, with NSEC3-encloser attack a comparable load on resolvers is not
> possible, not only that with a single NSEC3-encloser attack no packet is
> lost, but also no latency is introduced to the resolvers. The high volume
> of NSEC3-encloser attack traffic, of more than hundreds of packets per
> second, makes the NSEC3-encloser attack visible. Therefore, the high attack
> volume in tandem with the meager benefit for adversaries (only a small
> fraction of benign packets dropped) implies that such attacks do not pose a
> practical threat.

Reading the paper, I get an impression that the described attack isn't
nearly as stressful on the resolver CPU as it could be.  If I understood
the measured attack correctly, a more "malicious" approach could
substantially (~100x) increase the per-query-response CPU cost.  Perhaps
qualitatively changing the relative impact assessment?

I do hope that, as a community, we'll continue to steadily streamline
acceptable NSEC3 parameters (per RFC9276) down to 0 additional
iterations and short enough salt values (that don't result in additional
SHA-1 input blocks).
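
Added example (not part of Viktor's message or of the paper under discussion): a Python model of RFC 5155 NSEC3 hashing that counts the SHA-1 compression rounds a resolver spends per hashed owner name, so the cost of a parameter choice can be compared directly with the RFC 9276 recommendation of 0 additional iterations and an empty salt. The RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations) serve as the check vector; the "heavy" parameters are constructed for contrast.

```python
"""NSEC3 hash (RFC 5155 s5) and its SHA-1 cost per owner name, to compare parameter choices."""
import base64
import hashlib

SHA1_BLOCK = 64       # SHA-1 processes 64-byte blocks
SHA1_PAD = 9          # 0x80 pad byte plus 8-byte length field
SHA1_DIGEST = 20
# longest salt for which each re-hash input (digest || salt) still fits in one block
MAX_ONE_BLOCK_SALT = SHA1_BLOCK - SHA1_PAD - SHA1_DIGEST   # 35 bytes
B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); result in lowercase base32hex."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32_TO_B32HEX).lower()


def sha1_blocks(msg_len: int) -> int:
    """Compression rounds SHA-1 spends on a msg_len-byte message (padding included)."""
    return (msg_len + SHA1_PAD + SHA1_BLOCK - 1) // SHA1_BLOCK


def nsec3_cost(name: str, salt_len: int, iterations: int) -> int:
    """Total SHA-1 compression rounds to hash one owner name with the given parameters.
    A validating resolver pays this once per candidate name in a closest-encloser proof."""
    first = sha1_blocks(len(name_to_wire(name)) + salt_len)
    return first + iterations * sha1_blocks(SHA1_DIGEST + salt_len)


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: salt aabbccdd (4 bytes), 12 iterations
    print(nsec3_hash("example.", "aabbccdd", 12), nsec3_cost("example.", 4, 12))
    cheap = nsec3_cost("example.", 0, 0)       # RFC 9276: 0 iterations, empty salt
    heavy = nsec3_cost("example.", 64, 150)    # constructed "expensive" parameters
    print(f"RFC 9276 params: {cheap} round(s); 150 iterations + 64-byte salt: "
          f"{heavy} rounds ({heavy // cheap}x)")
```

Salts longer than 35 bytes push every re-hash into a second SHA-1 block, which is the "additional SHA-1 input blocks" effect mentioned above; the iteration count multiplies whatever per-round cost the salt sets.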

