On Fri, Mar 14, 2014 at 09:45:25AM -0400, Mark Allman wrote:
> - We have found 7--9% of the open resolver population---or 2-3 million
>   boxes---to be vulnerable to this cache poisoning attack. (The
>   variance is from different runs of our experiments.)

I've noted that ~30% of the open recursives have diurnal properties (if not dhcp churn as well), and much of this comes from hosts running RomPager firmware (likely CPE devices or captive portals). So this fits your 7-9% number. Much of the open rec scanning efforts I observe do daily checks, and would therefore miss some portion of the population (perhaps the 30% upper limit I've noted).

If you're still actively scanning we might compare notes, or I could provide you trace feeds from my ongoing dns speaker lists.

The paper's very interesting and well done. I'm worried there's no feasible "notice/wait" period for vendor fixes, usually found in software vulnerabilities. It might be that commodity CPE issues are addressed only at the ISP network level, and I commend you to look at solutions in that space. Generally some 1-2% of ISP traffic is off-path DNS already, and your paper (plus the lack of an update path) suggests the need for network owner assistance in detecting poisoning.

-- 
David Dagon
da...@sudo.sh
D970 6D9E E500 E877 B1E3 D3F8 5937 48DC 0FDC E717