DNS attacks evolve
jbates at brightok.net
Mon Aug 11 10:46:27 CDT 2008
Leo Bicknell wrote:
> If your vendor told you that you are not at risk they are wrong,
> and need to go re-read the Kaminsky paper. EVERYONE is vulnerable,
> the only question is if the attack takes 1 second, 1 minute, 1 hour
> or 1 day. While possibly interesting for short term problem
> management none of those are long term fixes. I'm not sure your
> customers care when .COM is poisoned if it took the attacker 1
> second or 1 day.
EVERYONE with a CACHE MIGHT be vulnerable. Have studies been done to determine
if existing cached records will be overwritten on ALL caching resolvers?
Poisoning has always and will always be possible until DNSSEC, but the question
isn't if you can poison a few off the wall records, but if you can poison the
resolver in any meaningful way. If the cache isn't passively overwritten, then
the only records you could poison would be records that aren't cached.
The operational impact would be a much smaller scope. .COM will be cached
constantly and to poison it, the attacker would have to forge the packet in the
small window of cache expiry to renewal.
This can be mitigated even more if sites give out auth on negative responses,
which means for that specific domain, the attacker gets 1 shot to spoof and then
the auth info is cached. Obviously there is a downside to sending larger
packets, but that is a decision for the domain holder.
I'll be happy to add DNSSEC to my operational list as soon as it's actually
useful (other people can argue over who signs what).
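To make the "is the cache passively overwritten" question concrete, here is a small model of a caching resolver's acceptance rules in Python. It is an added example, not code from this thread or from any resolver; it implements two defences that decide what the post is asking about: a bailiwick check (a server may only supply records under the zone it was asked about) and a simplified version of the RFC 2181 section 5.4.1 data ranking (cached data is only replaced by data of equal or higher trust, so additional-section glue never displaces a live authority-section record). Names, TTLs, server names and the `FakeClock` helper are constructed for the demonstration; the `demo()` walk-through shows the live .COM NS entry surviving until its TTL runs out, which is the "cache expiry to renewal" window described above, and an NXDOMAIN authority section being cached for the zone.

```python
"""Toy caching-resolver acceptance rules (added example, not from the NANOG post).

Simplified RFC 2181 5.4.1 ranking: higher number = more trusted data.
"""
from dataclasses import dataclass
import time

RANK_ANSWER_AUTHORITATIVE = 3   # answer section of an AA response
RANK_AUTHORITY = 2              # authority section (referral NS, negative-answer SOA/NS)
RANK_ADDITIONAL = 1             # additional section (glue)


def _norm(name: str) -> str:
    """Lower-case, single trailing dot; '.' stays the root."""
    return name.strip().lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (the zone the queried server serves)."""
    name, zone = _norm(name), _norm(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


@dataclass
class CacheEntry:
    rdata: str
    rank: int
    expires: float


class Cache:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be simulated
        self._rr = {}            # (name, rtype) -> CacheEntry

    def lookup(self, name: str, rtype: str):
        key = (_norm(name), rtype)
        e = self._rr.get(key)
        if e is None or e.expires <= self._now():
            self._rr.pop(key, None)   # expired entries are dropped
            return None
        return e.rdata

    def offer(self, name, rtype, rdata, ttl, rank, bailiwick) -> bool:
        """Offer a record seen in a response; return True if it was stored."""
        name = _norm(name)
        if not in_bailiwick(name, bailiwick):
            return False                       # server cannot speak for this name
        cur = self._rr.get((name, rtype))
        if cur is not None and cur.expires > self._now() and cur.rank > rank:
            return False                       # live, more trusted data stays
        self._rr[(name, rtype)] = CacheEntry(rdata, rank, self._now() + ttl)
        return True


class FakeClock:
    """Constructed clock so the demo can move past a TTL without sleeping."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    clock = FakeClock(1000.0)
    cache = Cache(now=clock)
    r = {}
    # 1. Root referral for www.example.com: authority section carries the com. NS set.
    r["referral_cached"] = cache.offer("com.", "NS", "a.gtld-servers.net.",
                                       172800, RANK_AUTHORITY, bailiwick=".")
    # 2. Reply from example.com's own server carrying a com. NS in its additional
    #    section: outside that server's bailiwick, so it is never stored.
    r["out_of_bailiwick_rejected"] = not cache.offer(
        "com.", "NS", "bogus.example.", 86400, RANK_ADDITIONAL, bailiwick="example.com.")
    # 3. Same record from a com. server's additional section while the cached
    #    authority-section entry is live: lower rank, so the cache is not overwritten.
    r["lower_rank_rejected"] = not cache.offer(
        "com.", "NS", "bogus.example.", 86400, RANK_ADDITIONAL, bailiwick="com.")
    r["com_ns"] = cache.lookup("com.", "NS")
    # 4. Once the entry has expired, additional-section data is accepted again:
    #    this is the expiry-to-renewal window the post refers to.
    clock.t += 172800 + 1
    r["accepted_after_expiry"] = cache.offer(
        "com.", "NS", "bogus.example.", 86400, RANK_ADDITIONAL, bailiwick="com.")
    # 5. NXDOMAIN for nosuch.example.com whose authority section names the zone's
    #    servers: cached, so later lookups in that zone do not need a fresh referral.
    r["neg_auth_cached"] = cache.offer(
        "example.com.", "NS", "ns1.example.com.", 3600, RANK_AUTHORITY, bailiwick="example.com.")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Real resolvers add further checks (query-ID and source-port matching, 0x20 case randomisation, and DNSSEC validation where signatures exist); the ranking and bailiwick logic above is the part that decides whether an already-cached record can be displaced at all.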