Hi, > Just a short update from our today meeting over PoC implementation.
I think that the PoC for "Shulman-attack" is still effective even after applying DNSSEC. It's still DoS'able, different to the port randomization against Kaminsky's. -- Orange From: Ondřej Surý <ondrej.s...@nic.cz> Date: Thu, 5 Sep 2013 13:56:23 +0200 > Just a short update from our today meeting over PoC implementation. > > We have discussed this further and came to conclusion that the Kaminsky-attack > on top of Shulman-attack is just limited to heavily populated zones (TLDs) > or wildcard domains, since you need a positive response (since you cannot > rewrite > RCODE in the packet). > > O. > > On 4. 9. 2013, at 15:08, Ondřej Surý <ondrej.s...@nic.cz> wrote: > > > Hi all, > > > > for all those who haven't been on saag WG at IETF 88... > > > > Amir Herzbert and Haya Shulman has presented a quite interesting attack on > > UDP fragmentation that allows Kaminsky-style attacks to be real again. > > > > The saag presentation is here: > > http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf > > > > The paper describing the attack is here: > > http://arxiv.org/pdf/1205.4011v1.pdf > > > > More Haya Shulman's publications can be found here: > > https://sites.google.com/site/hayashulman/publications > > > > And some papers are also available from Google Scholar: > > http://scholar.google.com/scholar?hl=en&q=Amir+Herzberg%2C+Haya+Shulman+++dnssec&btnG=&as_sdt=1%2C5&as_sdtp= > > > > We gave it some thoughts here at CZ.NIC Labs and we think that the threat > > is real and we are now trying to write a PoC code to prove the theoretical > > concept. > > > > So what are the views of other people on this list? > > > > Ondrej > > -- > > Ondřej Surý -- Chief Science Officer > > ------------------------------------------- > > CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC > > Americka 23, 120 00 Praha 2, Czech Republic > > mailto:ondrej.s...@nic.cz http://nic.cz/ > > tel:+420.222745110 fax:+420.222745112 > > ------------------------------------------- > > > > _______________________________________________ > > dns-operations mailing list > > dns-operations@lists.dns-oarc.net > > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > > dns-jobs mailing list > > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs > > -- > Ondřej Surý -- Chief Science Officer > ------------------------------------------- > CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC > Americka 23, 120 00 Praha 2, Czech Republic > mailto:ondrej.s...@nic.cz http://nic.cz/ > tel:+420.222745110 fax:+420.222745112 > ------------------------------------------- > _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
