1. DNS/poisoning/fragmentation
[Submitted on 17 May 2012] Fragmentation Considered Poisonous Amir Herzberg, Haya Shulman
https://arxiv.org/abs/1205.4011
1.1. 2021-12
https://www.isc.org/docs/2021-webinar-dns-fragmentation.pdf
Fragmentation Considered Poisonous, or: One-Domain-to-Rule-Them-All.ORG
Amir Herzberg and Haya Shulman, Department of Computer Science, Bar Ilan University, Ramat Gan, 52900, Israel. Email: {amir.herzberg, haya.shulman}@gmail.com
Abstract—We present effective off-path DNS cache poisoning attacks, circumventing widely-deployed challenge-response defenses, e.g., transaction identifier randomisation, port randomisation and query randomisation (0x20).
Our attacks depend on the use of UDP to retrieve long DNS responses, resulting in IP fragmentation. We show how attackers are often able to generate such fragmented responses, and then abuse them to inject fake, 'poisonous' records into legitimate DNS responses.
We also studied how resolvers, name servers, domains and registrars can defend against our attacks. The best defense is deployment and enforcement of DNSSEC validation. However, DNSSEC must be deployed correctly by both domain and resolver, which is challenging; we hope our results will catalyse this process, but it will surely take a long time. In fact, a recent study found less than 1% of resolvers reject responses upon DNSSEC validation failures. Note also that, ironically, adoption of DNSSEC by a domain is the main reason for fragmented DNS responses (abused in our attacks). We therefore present several short-term defenses, which can complement DNSSEC, esp. until DNSSEC deployment is complete.
Our attack techniques may also be applicable for denial-of-service attacks, esp. against DNS servers using TCP. We validated our attacks against popular resolvers (Bind and Unbound), and real DNS name servers on the Internet. Keywords: DNS, DNS cache poisoning, fragmentation.
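Added example (my own script, not code from the paper, the ISC slides or this page): it builds a long DNS response over UDP, fragments it the way an IPv4 router would at a 1500-byte MTU, and reports which fragment carries each field that a resolver matches a response against (UDP destination port, transaction ID, question name). The addresses, the query name www.example.org, the 100-record answer, the IP ID and the port are constructed; udp_delivery() is a hypothetical helper that applies the EDNS rule (a response larger than the buffer size the resolver advertises is sent truncated with TC=1, and the resolver retries over TCP, so no fragments are produced).

```python
"""Constructed example: where the challenge-response fields of a long DNS
response land once the UDP datagram is fragmented by IPv4."""
import socket
import struct

SRC_IP, DST_IP = "192.0.2.53", "198.51.100.7"   # constructed name server / resolver


def encode_name(name: str) -> bytes:
    """Uncompressed DNS wire-format name (labels are not compressed on purpose,
    so every RR carries the full name and the message grows quickly)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_response(txid: int, qname: str, n_answers: int) -> bytes:
    """Constructed DNS response: 12-byte header, one A question, n_answers A RRs."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_answers, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)            # type A, class IN
    answers = b"".join(
        encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, i % 256])
        for i in range(n_answers))
    return header + question + answers


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the UDP checksum (RFC 768)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def _pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)


def udp_datagram(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload with a correct checksum (this is the whole IP payload)."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = 0xFFFF - ones_complement_sum(_pseudo_header(src_ip, dst_ip, length) + hdr + payload)
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload


def udp_checksum_ok(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """What the receiving host checks after reassembly: the only end-to-end integrity
    check the later fragments get, and it is 16 bits wide."""
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(datagram)) + datagram) == 0xFFFF


def fragment(ip_payload: bytes, mtu: int, ip_id: int) -> list:
    """IPv4 fragmentation: every non-last fragment carries a multiple of 8 bytes,
    at most mtu - 20 (20-byte IP header without options)."""
    max_data = (mtu - 20) // 8 * 8
    frags, off = [], 0
    while off < len(ip_payload):
        chunk = ip_payload[off:off + max_data]
        frags.append({"id": ip_id, "offset": off, "len": len(chunk),
                      "mf": off + len(chunk) < len(ip_payload), "data": chunk})
        off += len(chunk)
    return frags


def reassemble(frags: list) -> bytes:
    """Host-side reassembly: fragments sharing an IP ID are placed by offset."""
    buf = bytearray(max(f["offset"] + f["len"] for f in frags))
    for f in frags:
        buf[f["offset"]:f["offset"] + f["len"]] = f["data"]
    return bytes(buf)


def field_fragment(frags: list, start: int, end: int):
    """Index of the fragment holding IP-payload bytes [start, end), None if split."""
    for i, f in enumerate(frags):
        if f["offset"] <= start and end <= f["offset"] + f["len"]:
            return i
    return None


def challenge_fields_layout(frags: list, question_len: int) -> dict:
    """Offsets within the IP payload: UDP header is 8 bytes, DNS header 12 bytes."""
    fields = {"udp_dst_port": (2, 4), "dns_txid": (8, 10), "dns_question": (20, 20 + question_len)}
    return {name: field_fragment(frags, s, e) for name, (s, e) in fields.items()}


def udp_delivery(response_len: int, edns_bufsize: int, mtu: int = 1500) -> str:
    """Hypothetical helper: how a resolver advertising edns_bufsize gets a response."""
    if response_len > edns_bufsize:
        return "truncated"        # TC=1, resolver retries over TCP: nothing to fragment
    if 20 + 8 + response_len > mtu:
        return "fragmented"       # fits the EDNS buffer but not one IP packet
    return "single-packet"


def demo(mtu: int = 1500) -> dict:
    resp = build_response(0x1234, "www.example.org", 100)
    frags = fragment(udp_datagram(SRC_IP, DST_IP, 53, 40000, resp), mtu, ip_id=0x2A2A)
    return {
        "dns_len": len(resp),
        "fragments": [(f["offset"], f["len"], f["mf"]) for f in frags],
        "fields": challenge_fields_layout(frags, len(encode_name("www.example.org")) + 4),
        "reassembled_ok": udp_checksum_ok(SRC_IP, DST_IP, reassemble(frags)),
        "delivery": {b: udp_delivery(len(resp), b, mtu) for b in (512, 1232, 4096)},
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows the 3133-byte response split into three fragments, with the destination port, the TXID and the question all inside fragment 0; fragments 1 and 2 carry nothing but trailing answer bytes, so none of the three randomised fields in the abstract is present in them. The delivery table shows the same response arriving in one TCP connection instead of in fragments once the resolver advertises a 1232-byte EDNS buffer (the DNS Flag Day 2020 value; edns-buffer-size in Unbound, edns-udp-size and max-udp-size in BIND), which is the configuration-side check to run against a resolver before relying on it.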
https://lists.dns-oarc.net/pipermail/dns-operations/2013-September/010679.html
[dns-operations] DNS Attack over UDP fragmentation Haya Shulman haya.shulman at gmail.com Fri Sep 6 01:02:59 UTC 2013
Please notice that I am not urging anyone to patch and I do not promote any company, and do not have the required time to visit vendors around the globe and demonstrate the attack.
We disclosed the work to raise awareness of the vulnerability, and the paper is available. I think you _should_ patch and not wait till the exploit is out there.
I do not plan to release a PoC, but I will be happy to discuss questions and challenges pertaining to the implementation/evaluation. The results reported in the paper are based on evaluation of attacks against responses from real name servers, and (up-to-date) Bind and Unbound resolvers that I ran in a lab.
We work on some measurements that should clarify the severity and applicability of the attack. However, the main problem is lack of time, and all these travels in tandem with hotels' networks do not speed it up. So unfortunately, it is taking me longer than we were hoping for.
https://lists.dns-oarc.net/pipermail/dns-operations/2013-October/010865.html [dns-operations] summary of recent vulnerabilities in DNS security.