[nsp-sec] Packets to watch for, or: DNS and IP fragmentation
Florian Weimer
fweimer at bfk.de
Tue Jun 2 08:41:15 EDT 2009
* Florian Weimer:
> ----------- nsp-security Confidential --------
>
> Here a few packets you should watch for:
>
> ICMP type 3, code 4 messages to TLD DNS servers (and possibly to the
> root, too), with a length of the embedded IP packet below 600 bytes
>
> UDP packets from source port 53, with a MF=1 flag, fragment offset 0
> (otherwise you can't tell the source port 8-), IP packet length
> below 600 bytes (that is, the length of the first fragment; UDP
> packet length is less relevant)
>
> (False positive rates may be significant; the heuristics have been
> tweaked not to trigger for ordinary EDNS0 traffic.)
FYI, this is now more or less public, thanks to a thread on the IETF's
DNSEXT working group mailing list:
<http://thread.gmane.org/gmane.ietf.dnsext/14206>
I still don't know if this is exploitable in the real world, with real
authoritative servers and resolvers (lab attacks have been
constructed).
Note that the thread is incorrect with regard to the .SE servers; they
use different sequences of IP IDs for different target servers, so
they are not as trivial to attack as it might seem.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
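Added example, not part of the post and not BFK's or anyone's production tooling: a stand-alone matcher for the two packet patterns in the quoted message (ICMP type 3 code 4 to a watched name server quoting a datagram shorter than 600 bytes; first fragment, MF=1 and offset 0, from UDP source port 53 whose IP total length is below 600), run over constructed packets. The watch list WATCHED_NS, the builder helpers, the sample packets and the addresses (RFC 5737 documentation ranges standing in for real TLD/root servers) are all assumptions of this example. It also includes a non-first fragment to show why the source port check only works at offset 0, and an MTU-sized first fragment to show that ordinary EDNS0 fragmentation stays below the threshold.

```python
"""Matcher for the two packet patterns from the post.  Hypothetical example
code; addresses are RFC 5737 documentation ranges, not real name servers."""
import ipaddress
import struct
from typing import Optional

SUSPICIOUS_LEN = 600          # threshold from the post, in bytes
PROTO_ICMP, PROTO_UDP = 1, 17
# Assumed watch list: stand-ins for the TLD/root server addresses you monitor.
WATCHED_NS = {"192.0.2.53", "192.0.2.54"}


def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields the heuristics need (checksums not verified)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"total_len": total_len, "id": ident,
            "mf": bool(flags_frag & 0x2000),
            "frag_off": (flags_frag & 0x1FFF) * 8,      # offset in bytes
            "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:]}


def check_icmp_frag_needed(ip: dict, watched: set) -> Optional[str]:
    """Pattern 1: ICMP type 3 code 4 to a watched server, quoting a datagram
    whose IP total length is below SUSPICIOUS_LEN."""
    if ip["proto"] != PROTO_ICMP or ip["dst"] not in watched:
        return None
    icmp = ip["payload"]
    if len(icmp) < 8 + 20 or (icmp[0], icmp[1]) != (3, 4):
        return None
    next_hop_mtu = struct.unpack("!H", icmp[6:8])[0]
    quoted = parse_ipv4(icmp[8:])      # header of the datagram that "did not fit"
    if quoted["total_len"] >= SUSPICIOUS_LEN:
        return None
    return (f"ICMP frag-needed to {ip['dst']} from {ip['src']}: quoted datagram "
            f"{quoted['src']}->{quoted['dst']} len {quoted['total_len']}, mtu {next_hop_mtu}")


def check_udp_fragment(ip: dict) -> Optional[str]:
    """Pattern 2: first fragment (MF=1, offset 0) from UDP source port 53 whose
    IP total length, i.e. the length of this fragment, is below SUSPICIOUS_LEN.
    Later fragments carry no UDP header, so the port is only visible at offset 0."""
    if ip["proto"] != PROTO_UDP or not ip["mf"] or ip["frag_off"] != 0:
        return None
    if len(ip["payload"]) < 8:
        return None
    sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", ip["payload"][:8])
    if sport != 53 or ip["total_len"] >= SUSPICIOUS_LEN:
        return None
    return (f"short first fragment {ip['src']}:53->{ip['dst']}:{dport}, "
            f"ip id {ip['id']}, len {ip['total_len']}")


def classify(pkt: bytes, watched: set = WATCHED_NS) -> Optional[str]:
    ip = parse_ipv4(pkt)
    return check_icmp_frag_needed(ip, watched) or check_udp_fragment(ip)


# --- constructed traffic (helpers below are part of this example only) ---------
def build_ipv4(src, dst, proto, payload, ident=0, mf=False, frag_off=0):
    """Minimal IPv4 packet; header checksum left zero since the parser ignores it."""
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_frag_needed(mtu, quoted_packet):
    """Type 3, code 4, checksum, unused, next-hop MTU, then 28 bytes of the datagram."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted_packet[:28]


def sample_packets() -> dict:
    """192.0.2.53: stand-in TLD server; 198.51.100.10: resolver; 203.0.113.7: sender."""
    ns, resolver, sender = "192.0.2.53", "198.51.100.10", "203.0.113.7"
    small_reply = build_ipv4(ns, resolver, PROTO_UDP, build_udp(53, 40000, b"\0" * 272))   # 300 B
    big_reply = build_ipv4(ns, resolver, PROTO_UDP, build_udp(53, 40000, b"\0" * 1400))   # 1428 B
    return {
        # suspicious: claims a 300-byte datagram exceeded the path MTU
        "icmp_small_quote": build_ipv4(sender, ns, PROTO_ICMP, build_icmp_frag_needed(296, small_reply)),
        # ordinary PMTUD: quoted datagram is 1428 bytes, MTU 1280
        "icmp_big_quote": build_ipv4(resolver, ns, PROTO_ICMP, build_icmp_frag_needed(1280, big_reply)),
        # suspicious: first fragment of a port-53 reply only 204 bytes long
        "udp_short_first_frag": build_ipv4(ns, resolver, PROTO_UDP, build_udp(53, 40000, b"\0" * 176),
                                           ident=4711, mf=True),
        # ordinary EDNS0 fragmentation at a 1500-byte MTU: first fragment is 1500 bytes
        "udp_normal_first_frag": build_ipv4(ns, resolver, PROTO_UDP, build_udp(53, 40000, b"\0" * 1472),
                                            ident=4712, mf=True),
        # last fragment of the same datagram: no UDP header, nothing to match on
        "udp_second_frag": build_ipv4(ns, resolver, PROTO_UDP, b"\0" * 200, ident=4712, frag_off=1480),
    }


def run_samples() -> dict:
    return {name: classify(pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} {verdict or 'ok'}")
```

To use it on live traffic, feed `classify()` the IPv4 packet bytes from whatever capture library you already run (the code deliberately depends on nothing outside the standard library). The 600-byte threshold and the watch list are the two knobs; the post warns that false-positive rates may be significant, so log and review rather than block.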