Florian Weimer <f...@deneb.enyo.de> writes:

> Here's an attempt of a write-up of the maths involved, ready for pasting
> into LaTeX. Hopefully, it's not too embarrassing for me. It's been a
> while since I did such stuff, probability theory wasn't my forte, and I
> have no idea what to do to reduce the final quotient.

Thank you for the analysis! I understand much better now why the merging
of duplicate queries provides additional hardening against the attack.

> * Russ Allbery:
>> Except that my understanding of the attack is that it requires issuing
>> DNS lookups for a (*very*) large number of RRs that are not in the
>> local cache. This is difficult to force a service to do.
>
> Your MTA probably does DNS lookups with user-supplied domain names (for
> EHLO and perhaps for MAIL FROM:, if you use things like SPF). Your
> browser does as well, although there are some attempts at limiting
> Javascript-driven parallel requests.

Ah, I see. So you connect to the SMTP server and then stream EHLO
commands at it, and probably open up several parallel connections to the
server and do the same sequence on both to generate the duplicate queries?

> The general problem with these attacks is that they are likely to take
> out your local resolver, but that's a different issue.

I think given the numbers involved proxying the DNS queries through a
service is likely to result in a DoS attack on that service rather than a
successful cache poisoning. But the impact of a successful cache
poisoning attack is much worse than that of a DoS, so I can see still
being concerned about it.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
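The hardening the thread credits to "merging of duplicate queries" can be made concrete with a small resolver model. This is an added illustration, not code from the thread or from any resolver; it assumes a simplified resolver that identifies an outstanding upstream query by a random 16-bit transaction ID alone (real resolvers also randomise the source port) and that a forged answer is accepted only if its ID matches an outstanding query for that name.

```python
"""Model of why coalescing duplicate in-flight DNS queries hardens a resolver.

Constructed illustration: each outstanding upstream query carries a random
16-bit transaction ID (TXID). Without coalescing, N clients asking for the
same uncached name create N outstanding queries, so a forged answer with a
random TXID has N chances to match instead of one.
"""
import secrets
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16  # 16-bit DNS transaction ID; source port ignored here


@dataclass
class Resolver:
    coalesce: bool                                       # merge duplicates?
    outstanding: dict = field(default_factory=dict)      # txid -> qname

    def lookup(self, qname: str) -> int:
        """A client asks for qname; returns the upstream TXID now in use."""
        if self.coalesce:
            for txid, name in self.outstanding.items():
                if name == qname:
                    return txid  # piggy-back on the existing in-flight query
        txid = secrets.randbelow(TXID_SPACE)
        while txid in self.outstanding:  # keep TXIDs unique while in flight
            txid = secrets.randbelow(TXID_SPACE)
        self.outstanding[txid] = qname
        return txid

    def in_flight(self, qname: str) -> int:
        """Number of outstanding upstream queries for qname."""
        return sum(1 for name in self.outstanding.values() if name == qname)

    def accepts(self, txid: int, qname: str) -> bool:
        """Would an answer with this TXID for qname be accepted?"""
        return self.outstanding.get(txid) == qname


def forgery_success_prob(in_flight: int, forged_replies: int) -> float:
    """P(at least one of forged_replies random-TXID answers is accepted)."""
    per_try = in_flight / TXID_SPACE
    return 1.0 - (1.0 - per_try) ** forged_replies


def duplicate_lookups(coalesce: bool, clients: int = 50) -> int:
    """clients requests for the same uncached name; return queries in flight."""
    resolver = Resolver(coalesce)
    for _ in range(clients):
        resolver.lookup("example.org.")  # constructed sample name
    return resolver.in_flight("example.org.")
```

With 50 duplicate requests and no coalescing, 50 TXIDs are exposed; with coalescing, only one is, so the per-forgery acceptance probability drops by the same factor.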