One observation to make about this is that it's not that they are stupid,
but that they don't care about being clever. They just care that it
works. So probably somebody reasonably smart did the three-label attack
because the DNS geek in them was trying to be neat, even as the attack geek
in them was trying to be messy.

Make this stop working, and they will adjust quickly.


On Tue, May 10, 2016 at 9:04 AM, Stephane Bortzmeyer <bortzme...@nic.fr>
wrote:

> On Mon, May 09, 2016 at 11:01:30AM -0700,
>  神明達哉 <jin...@wide.ad.jp> wrote
>  a message of 49 lines which said:
>
> >   This is true, but I suspect it would be pretty easy for this type
> >   of attacker to circumvent the effect if and when the nxdomain-cut
> >   behavior is more widely deployed.  An attacker for the '.wf' zone
> >   would simply send random junk query <random>.wf instead of
> >   <random>.dafa888.wf.  So I think the mitigation effect in this
> >   sense is quite limited.
>
> Speaking of that, I have a philosophical question. Attackers in the
> real world (not in labs or in security conferences, where researchers
> try to impress their peers with clever hacks) are often
> unsophisticated. All the random qnames attacks I've seen (last one was
> reported on the Unbound users mailing list a few days ago under the
> title "Ratelimit misbehavior") use a 3-labels name. This is indeed
> stupid: even without "NXDOMAIN cut", it makes identification and
> classification of the offending packets very simple (via Netfilter
> with u32, for instance). Why do they continue to do so?
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
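The three-label heuristic that the thread is discussing, and the one-label-shorter evasion that Jinmei predicts, written out as an added example (this is not code from either poster or from any DNS tool; the zone name dafa888.wf is the one named in the thread, all function names and the constructed queries are mine). The classifier is the logic a Netfilter u32 rule would encode at fixed byte offsets; here it is spelled out against the DNS wire format so the label-count check and its blind spot are both visible:

```python
"""Added example: classify DNS queries by QNAME label count, the heuristic from
the thread, and show why an attacker who drops one label walks past it.

Constructed inputs only, no real traffic. The zone 'dafa888.wf' comes from the
thread; every function and name here is an assumption of this example."""
from __future__ import annotations

import random
import struct

DNS_HEADER_LEN = 12


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query on the wire: header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    encoded = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:  # RFC 1035: 1..63 octets per label
            raise ValueError(f"bad label length in {qname!r}")
        encoded += bytes([len(raw)]) + raw
    return header + encoded + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> list[str]:
    """Return the labels of the first question's QNAME, lower-cased.

    A query must not use name compression, so a pointer byte (top two bits set)
    is treated as malformed instead of being followed."""
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = DNS_HEADER_LEN, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            return labels
        if length & 0xC0:
            raise ValueError("compression pointer in query QNAME")
        pos += 1
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length


def classify(packet: bytes, abused_zone: str) -> str:
    """The heuristic as a packet filter would code it: exactly three labels,
    and the last two spell the zone under attack. Returns 'drop' or 'pass'."""
    labels = parse_qname(packet)
    zone = abused_zone.lower().strip(".").split(".")
    if len(labels) == 3 and labels[1:] == zone:
        return "drop"
    return "pass"


def random_label(rng: random.Random, length: int = 8) -> str:
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(rng.choice(alphabet) for _ in range(length))


def simulate(n: int, seed: int = 1) -> dict[str, int]:
    """Send n random-qname queries in the observed form (<random>.dafa888.wf)
    and in the adjusted form (<random>.wf); count how many the filter drops."""
    rng = random.Random(seed)
    dropped = {"random.dafa888.wf": 0, "random.wf": 0}
    for _ in range(n):
        r = random_label(rng)
        if classify(build_query(f"{r}.dafa888.wf"), "dafa888.wf") == "drop":
            dropped["random.dafa888.wf"] += 1
        if classify(build_query(f"{r}.wf"), "dafa888.wf") == "drop":
            dropped["random.wf"] += 1
    return dropped


if __name__ == "__main__":
    print(simulate(1000))  # {'random.dafa888.wf': 1000, 'random.wf': 0}
```

Two things the run makes concrete. First, the heuristic is exactly as cheap as Bortzmeyer says: it needs only the question section, and every observed packet is dropped. Second, it is a fingerprint of the attacker's formatting habit, not of the attack: the same classifier passes every `<random>.wf` query untouched, and it will also drop a legitimate three-label name such as `www.dafa888.wf`, which is why such a rule belongs on a box that is already under attack for that zone rather than in a general-purpose filter.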