Re: DNSSEC - Signature Only vs the MX/A issue.
- To: bert hubert <bert.hubert@netherlabs.nl>
- Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
- From: Ralph Droms <rdroms@cisco.com>
- Date: Thu, 07 Dec 2006 17:20:52 -0500
- Cc: Paul Vixie <paul@vix.com>, <namedroppers@ops.ietf.org>
- Delivery-date: Thu, 07 Dec 2006 22:23:09 +0000
Have these spoofing attacks been recorded somewhere that can be referenced,
e.g. US-CERT? Can you say more about how those attacks could have been
mitigated without DNSSEC? Have there been attacks that could only be
mitigated with DNSSEC?
Of course, a spoofing-phishing attack turns into a DoS attack if the host
discards the bogus DNS info but never gets the DNSSEC validated info.
- Ralph
On 12/3/06 9:53 AM, "bert hubert" <bert.hubert@netherlabs.nl> wrote:
> On Sun, Dec 03, 2006 at 08:10:57AM -0500, Ralph Droms wrote:
>
>> that can be mitigated by DNSSEC are not in the public consciousness like
>> spam or malware or phishing attacks. Do we have documented evidence of
>> specific successful attacks that can be mitigated by DNSSEC?
>
> Yes, there have been successful spoofing attacks, whereby end-users end up on
> a different website from the one they thought they were visiting. These
> attacks could have been prevented without DNSSEC however, and any website
> that is truly important uses SSL, which would flag the misdirection (which
> would then be ignored).
>
> Such spoofing has actually happened a number of times, but hasn't really hit
> the news.
>
> It is also easy to do, to quote from
> http://www.ietf.org/internet-drafts/draft-hubert-dns-anti-spoofing-00.txt
>
> The calculations above indicate the relative ease with which DNS data can
> be spoofed. For example, using the formula derived earlier on a domain
> with a 3600 second TTL, an attacker sending 7000 fake answer packets/s (a
> rate of 4.5Mb/s), stands a 10% chance of spoofing a record in the first
> 24 hours, which rises to 50% after a week.
>
> For a domain with a TTL of 60 seconds, the 10% level is hit after 24
> minutes, 50% after less than 3 hours, 90% after around 9 hours.
>
> I've written some tools that perform this action, when you manage to
> saturate the bona fide authoritative servers, success is achieved within
> seconds. Partial saturation means somewhat longer time is needed. The
> calculations above are for the non-saturated case.
>
>> What is the direct, immediate RoI for the resources I have to commit to
>> providing DNSSEC resolution for names in my zone? My external contacts
>> ("customers") may benefit from mitigation of attacks, but that's an indirect
>> benefit.
>
> They might conceivably worry more over the (inherent) higher reliability
> problems of DNSSEC: there are far more failure modes. This is not DNSSEC's
> fault, it is inherent in any protocol that gets encryption added to it.
>
> This is why I favor (immediate) amelioration measures, as outlined in my
> draft, which are easy to implement.
>
> However, recapping, there IS a problem that needs to be solved.
>
> Bert
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
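The figures Bert quotes above come from the spoofing-probability formula in his draft (published later as RFC 5452, section 7). What follows is an added illustration, not code from the e-mail, the draft, or any resolver: it implements that per-attempt formula and the one-attempt-per-TTL cumulative model behind the quoted numbers. The parameter values (N = 2.5 authoritative servers, W = 100 ms, a single fixed source port, no birthday attack) are assumptions chosen to reproduce the draft's 10%/50%/90% figures; the function and class names are mine. It then shows the two cases the thread raises: saturating the authoritative servers (which the model expresses as a stretched window W) and randomising the resolver's source port, one of the measures RFC 5452 recommends.

```python
"""Blind-spoofing odds model from draft-hubert-dns-anti-spoofing (later RFC 5452,
section 7).  Added illustration; not code from the e-mail or the draft.

Chance that one attempt poisons the cache:

    p = (D * R * W) / (N * P * I)

    D  identical outstanding queries for the name (1 = no birthday attack)
    R  forged answer packets per second the attacker sends
    W  window, in seconds, between the resolver's query and the genuine answer
    N  authoritative servers the resolver could have asked (attacker must guess)
    P  source ports the resolver chooses from (1 = fixed port)
    I  transaction IDs (16-bit field, 65536)

The record is only re-queried once its TTL expires, so an attacker who cannot
force queries gets one attempt per TTL period and, after t seconds,

    success(t) = 1 - (1 - p) ** (t // TTL)
"""

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolver:
    # Assumed values; they reproduce the figures quoted from the draft.
    ids: int = 65536          # I: 16-bit query ID
    ports: int = 1            # P: single fixed source port
    nameservers: float = 2.5  # N: assumed mean authoritative-server count
    window: float = 0.1       # W: assumed 100 ms until the real answer lands
    outstanding: int = 1      # D: one query in flight per name


def per_attempt(r: Resolver, rate: float) -> float:
    """Probability that one attack window (one TTL period) succeeds, capped at 1."""
    p = (r.outstanding * rate * r.window) / (r.nameservers * r.ports * r.ids)
    return min(p, 1.0)


def success_after(r: Resolver, rate: float, ttl: float, seconds: float) -> float:
    """Cumulative success probability after `seconds` of sustained attack."""
    attempts = int(seconds // ttl)
    return 1.0 - (1.0 - per_attempt(r, rate)) ** attempts


def seconds_to_reach(r: Resolver, rate: float, ttl: float, target: float) -> float:
    """Attack duration, in seconds, until cumulative success reaches `target`."""
    p = per_attempt(r, rate)
    if p >= 1.0:
        return ttl                       # the first window is already a sure thing
    attempts = math.ceil(math.log1p(-target) / math.log1p(-p))
    return attempts * ttl


def report(label: str, r: Resolver, rate: float, ttl: float) -> None:
    print(f"{label}: TTL={ttl}s rate={rate} pkt/s p/attempt={per_attempt(r, rate):.3g}")
    for target in (0.1, 0.5, 0.9):
        hours = seconds_to_reach(r, rate, ttl, target) / 3600
        print(f"  {int(target * 100):>2}% after {hours:10.2f} h")


if __name__ == "__main__":
    fixed = Resolver()
    report("fixed port, TTL 3600", fixed, 7000, 3600)
    report("fixed port, TTL 60", fixed, 7000, 60)
    # Saturating the authoritative servers delays or drops the genuine answer,
    # i.e. W grows; the model then makes the first window a near-certain win.
    report("fixed port, TTL 60, authoritative saturated (W=30s)",
           Resolver(window=30.0), 7000, 60)
    # Random source ports multiply the attacker's guess space by 65536.
    report("random port, TTL 60", Resolver(ports=65536), 7000, 60)
```

With the assumed parameters the 3600-second TTL case gives roughly 10% after a day and 51% after a week, and the 60-second case reaches 50% in about 2.7 hours and 90% in about 9 hours, matching the draft's text. The model only counts whole TTL periods, so "success within seconds" under saturation appears here as success in the first window. The last case is the point of the amelioration measures: with a randomised source port the same 7000 packet/s flood needs on the order of decades to reach 50%.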