1. DNS/FCP/Structure of the Paper

This is the last part of the Introduction. -- ToshinoriMaeno 2018-11-07 22:04:25


We summarise all our attacks, with their requirements, in Table 1.

The requirements are explained in Section 2; for now, it suffices to mention that they all reflect common situations in the current DNS, many of which are not expected to change, even if DNSSEC is fully, universally and correctly deployed.

The main exception is attacks which require partial or incorrect DNSSEC deployment; however, not only is this requirement currently often satisfied, but it is also required only for the ‘domain hijacking’ attack.

In fact, ironically, the use of DNSSEC is often what provides necessary requirements for our attacks to work. Specifically, all of our attacks require ‘Fragmentable zone’, implying fragmented DNS responses; and three of the attacks require ‘Poisonable zone’,

More details on the requirements are presented within.

DNSSEC requires long resource records (RRs) which results in long DNS responses.

Long DNS responses (i.e., above 512 byte) require support of the EDNS extension mechanism, [35],
and often fragmented when sent over UDP, since their size exceeds the path MTU.

It is exactly this fragmentation that facilitates our attacks; e.g.,
we show that off-path attackers can often replace the second fragment of a packet,
resulting in a seemingly-valid, yet fake, DNS response, or ‘merely’ causing corruption of the DNS response.

Fragmentation is known to be problematic or ‘harmful’, mainly due to the negative impact on performance;

see the seminal paper of Kent and Mogul [23].
As a result, fragmentation is usually avoided, e.g.,
by use of path MTU discovery [28, 29], mainly for connection-based transport protocol (TCP).

However, DNS traffic is usually sent over UDP; while several significant name servers,
e.g., com, edu, send long responses over TCP, this may not be a good long-term solution,
since the use of TCP results in significant overhead.
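
The size condition described above can be checked per zone. The following is an added example, not taken from the paper or from this page: it computes how a UDP/IPv4 datagram carrying a DNS response is split for a given path MTU, and reports which responses fragment and how many bytes travel in fragments that carry neither the UDP header nor the DNS header. It assumes IPv4 without IP options; the zone names and response sizes are constructed sample values.

```python
from dataclasses import dataclass

IPV4_HEADER = 20  # bytes; assumption: no IP options
UDP_HEADER = 8    # source port, destination port, length, checksum
MIN_IPV4_MTU = 68


@dataclass
class Fragment:
    offset: int           # byte offset into the IP payload (multiple of 8)
    length: int           # IP payload bytes carried by this fragment
    more_fragments: bool  # value of the IPv4 MF flag
    has_headers: bool     # True only for the fragment holding the UDP and DNS headers


def max_unfragmented_dns_len(mtu: int) -> int:
    """Largest DNS message that fits in one IPv4 packet at this MTU."""
    return mtu - IPV4_HEADER - UDP_HEADER


def fragment_layout(dns_len: int, mtu: int) -> list:
    """Split a UDP datagram carrying dns_len bytes of DNS message for the MTU."""
    if mtu < MIN_IPV4_MTU:
        raise ValueError("MTU below the IPv4 minimum of 68 bytes")
    payload = UDP_HEADER + dns_len
    if dns_len <= max_unfragmented_dns_len(mtu):
        return [Fragment(0, payload, False, True)]
    # Every fragment except the last must carry a multiple of 8 bytes.
    per_frag = (mtu - IPV4_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        length = min(per_frag, payload - offset)
        frags.append(Fragment(offset, length, offset + length < payload, offset == 0))
        offset += length
    return frags


def audit(response_sizes: dict, mtu: int) -> dict:
    """Map each fragmenting name to (fragment count, bytes outside the first fragment)."""
    report = {}
    for name, dns_len in response_sizes.items():
        frags = fragment_layout(dns_len, mtu)
        if len(frags) > 1:
            report[name] = (len(frags), sum(f.length for f in frags[1:]))
    return report


# Constructed sample: DNS response sizes in bytes, as an operator might measure them.
SAMPLE = {"unsigned.example.": 120, "signed.example.": 1800, "edge.example.": 1473}

if __name__ == "__main__":
    print(audit(SAMPLE, 1500))
```

An EDNS buffer size at or below `max_unfragmented_dns_len(mtu)` for the smallest path MTU in use keeps responses in a single packet; larger answers are then truncated and retried over TCP.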

2. Contributions

Incremental DNSSEC Deployment is Vulnerable

Subdomain Injection

Unsigned Delegation

We suggest attacks exploiting unsigned NS and A delegation records,
breaching privacy and anonymity, and inflicting denial/degradation of service.

Name Server (NS) Blocking

We introduce the name server blocking technique, which allows an attacker
to force the resolver to stop using a particular name
server, and eventually, to query a name server of attacker’s choice,
e.g., a compromised name server, when resolvers strictly follow RFC 4697 [25]