DNS/FCP/abstractについて、ここに記述してください。

/1_Introduction   /2   /2018   /3   /4   /4.1   /4.1.1   /4.1.2   /4.2   /4.3   /5   /BIND   /Brandt_abstract   /IPv4   /JPRS   /Let's_Encrypt   /Path_MTU_Discovery   /Subdomain_Injection   /UDPpayload   /abstract   /edns_size   /haya   /haya-abstract   /ifconfig   /kresd   /mueller   /net.inet.ip.random_id   /nic.cz   /root-dnskey   /フラグメント処理   /対策   /構成の説明   /考察  

Fragmentation Considered Poisonous

Amir Herzberg† and Haya Shulman‡

Dept. of Computer Science, Bar Ilan University

1. Abstract

We present practical poisoning and name-server blocking attacks on standard DNS resolvers, by off-path, spoofing adversaries. Our attacks exploit large DNS responses that cause IP fragmentation; such long responses are increasingly common, mainly due to the use of DNSSEC.

In common scenarios, where DNSSEC is partially or incorrectly deployed, our poisoning attacks allow ‘complete’ domain hijacking.

When DNSSEC is fully deployed, attacker can force use of fake name server; we show exploits of this allowing off-path traffic analysis and covert channel.

When using NSEC3 opt-out, attacker can also create fake subdomains, circumventing same origin restrictions. Our attacks circumvent resolver-side defenses, e.g., port randomisation, IP ran- domisation and query randomisation.

The (new) name server (NS) blocking attacks force resolver to use specific name server. This attack allows Degradation of Service, traffic-analysis and covert channel, and also facilitates DNS poisoning.

We validated the attacks using standard resolver software and standard DNS name servers and zones, e.g., org.