[dns-operations] DNSbomb attack

jabley at strandkip.nl
Wed May 29 10:02:16 UTC 2024


On May 29, 2024, at 01:51, Geoff Huston <gih at apnic.net> wrote:

> I tried to point out to the folk on the keytrap bandwagon that the
> exploit was documented first some years ago, but was completely drowned out
> by the hysterical fanfare of "we found a weakness in DNS behaviour! Aren't
> we clever!"
> 
> I appreciate that testing widely used software for vulnerabilities is valuable work,
> but turning the effort into some bizarre circus sideshow does nobody any favours
> at all.

I suspect there's a practical consideration that if you don't make a big noise about it, it's less likely that you get published (especially if you're competing with other papers that are making a big noise). So while I have had similar reactions to the marketing of some of these rather marginal vulnerabilities over the past few years, it seems possible that the noise is just the cost of academics being engaged. If we want academic research into the DNS and DNS-related stuff, we might need to pay the piper.

I think we do want the academic engagement, in general. Even the most overblown of these revelations has had some novel insight that has value, even if the overall impact in the real world is somewhat less than claimed. In the dnsbomb case it's exploiting the time that state is held in a resolver when waiting for an upstream response, which I think is interesting to think about on its own, together with the careful pulsing of responses to increase the cost of receiving them. While this is apparently not an immediate threat to BIND9 (or any other resolver that I have heard of) it's interesting to think about how a pulsing attack could be combined with other attacks.


Joe
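The mechanism Joe summarises above (a resolver holding state for an outstanding query until its upstream timeout, and an attacker-controlled authoritative server withholding every answer until one chosen instant so that the resolver forwards them to the spoofed source in a single burst) can be illustrated with a small timing model. The following is an added simulation, not code from the post, from the DNSBomb paper or from any resolver; the query spacing, the 1000 ms timeout, the 1200-byte answer size and the optional in-flight cap are constructed parameters chosen to make the concentration effect visible, and the `max_inflight` knob is a generic stand-in for whatever per-client limit a real resolver might apply, not a description of BIND9 or any other implementation.

```python
"""Timing model of the DNSBomb-style pulse (constructed example, not resolver code).

A resolver that receives a query with a spoofed source (the victim) keeps it
outstanding for `timeout_ms` while waiting on the authoritative server.  If the
attacker runs that server, it can delay every answer until `release_ms`, just
before the earliest query would have timed out, so the resolver forwards all of
them to the victim at once.  Traffic the attacker had to spread over a long
window thus arrives at the victim in one short burst.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Delivery:
    at_ms: int     # time the resolver forwards the answer to the victim
    nbytes: int    # size of the forwarded answer


def simulate_pulse(send_times_ms, timeout_ms, release_ms, answer_bytes, max_inflight=None):
    """Return the answers the resolver forwards to the victim for one pulse.

    send_times_ms: arrival times of the spoofed queries at the resolver (ms).
    timeout_ms:    how long the resolver keeps a query outstanding upstream.
    release_ms:    instant the attacker's server answers everything; None means
                   the server answers immediately (the non-pulsing baseline).
    max_inflight:  hypothetical cap on concurrently outstanding queries; queries
                   arriving while the cap is reached are refused by the resolver.
    """
    admitted = []
    for s in sorted(send_times_ms):
        if max_inflight is not None:
            # Queries admitted earlier are still outstanding until their timeout.
            outstanding = sum(1 for a in admitted if a + timeout_ms > s)
            if outstanding >= max_inflight:
                continue
        admitted.append(s)
    if release_ms is None:
        return [Delivery(s, answer_bytes) for s in admitted]
    # An answer only reaches the victim if it arrives before the resolver
    # gave up on the query; everything else is dropped by the resolver.
    return [Delivery(release_ms, answer_bytes)
            for s in admitted if s <= release_ms < s + timeout_ms]


def burst_profile(deliveries, bucket_ms):
    """Bytes delivered to the victim per time bucket of `bucket_ms`."""
    profile = Counter()
    for d in deliveries:
        profile[d.at_ms // bucket_ms] += d.nbytes
    return profile


def concentration(deliveries, window_ms, bucket_ms):
    """(peak bytes in one bucket, peak / average-per-bucket over the window).

    The ratio is how much denser the victim's peak is than the attacker's own
    sending rate averaged over the whole window: a ratio of 1 means no pulsing
    gain, a ratio equal to the number of buckets means everything landed at once.
    """
    profile = burst_profile(deliveries, bucket_ms)
    total = sum(profile.values())
    if total == 0:
        return 0, 0.0
    peak = max(profile.values())
    return peak, peak / (total / (window_ms // bucket_ms))


if __name__ == "__main__":
    # Constructed scenario: one spoofed query per millisecond for 900 ms,
    # 1200-byte answers, resolver timeout 1000 ms, release at 950 ms.
    sends = list(range(900))
    for label, kwargs in [
        ("answered immediately", dict(release_ms=None)),
        ("pulsed at 950 ms", dict(release_ms=950)),
        ("pulsed, in-flight cap 100", dict(release_ms=950, max_inflight=100)),
        ("pulsed, timeout 500 ms", dict(release_ms=950, timeout_ms=500)),
    ]:
        args = dict(timeout_ms=1000, answer_bytes=1200)
        args.update(kwargs)
        d = simulate_pulse(sends, release_ms=args.pop("release_ms"),
                           answer_bytes=args.pop("answer_bytes"), **args)
        peak, ratio = concentration(d, window_ms=1000, bucket_ms=10)
        print(f"{label:28s} answers={len(d):4d} peak={peak:8d} B/10ms ratio={ratio:6.1f}")
```

In the constructed scenario the immediate-answer baseline spreads 900 answers evenly (ratio about 1.1), whereas releasing them all at 950 ms puts the same 1,080,000 bytes into a single 10 ms bucket (ratio 100). The two mitigation-flavoured runs show the two knobs Joe's description implies: a cap on outstanding queries bounds how much the attacker can accumulate behind one pulse, and a shorter upstream timeout shrinks the window over which queries can be held, though neither changes the fact that whatever is forwarded still lands at one instant.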

