[I'll not be answering Doug directly. Mainly because if I start doing
 it, we'll continue forever as Doug would never stop (his arguments
 would still be the same and not clear) and the result is likely that most
 folks would locally blacklist both of us...]

On Tue, 14 Nov 2006, Andrew Sullivan wrote:

> On Mon, Nov 13, 2006 at 10:15:07PM -0800, Douglas Otis wrote:
>
>> domain.  His issue only distracts from the SPF concern.  Any remedy to
>> resolve an NS chaining exploit raised by William, if there is an
>> exploit, is completely orthogonal to the problem raised by the SPF
>> script.
>
> Well, maybe.  I'm not sure this conclusion follows from what you said,
> actually, because it seems to me that the _kind_ of vulnerability
> would be the same in any case.

I'd suggest that people read Doug's draft but try to ignore all
the craft about SPF being all bad and Doug's solutions being the answer
and just focus on DNS. What you'll find in the end is that he presents
exactly the same scenario as I described with NS, where the DoS is due
to NXDOMAIN and amplification is due to using a long domain name. What you'll
also find is that there is no 10x10, but that for each extra MX to be
resolved you actually need to send requests to the attacker's server.

Also the attack has little to do with the size of the SPF record (or that
some think it's near Turing-complete; if it were, the attack issue would be
how to cause somebody long processing & loops); it's primarily using the
large domain itself as an amplification, due to the same domain having
to be present in the QUERY and the NXDOMAIN answer.

This is what I took Olaf Kolkman to mean when he said that this is an architectural issue (I'm sure he'll correct me if I misunderstood).

This issue is present in DNS and has been from the start; it's both
an issue for resolvers and for applications that use certain records.
I'm not entirely sure how it should be addressed (if at all - this
all is purely theoretical right now) - in general or at the applications
that use their specialized records.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
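To put numbers on the point William makes about the queried name being echoed in both the query and the NXDOMAIN reply, here is an added example (not code from anyone in this thread). It builds a minimal RFC 1035 wire-format MX query and the matching NXDOMAIN reply carrying a SOA in the authority section (the RFC 2308 negative-caching form), then compares their sizes. It uses only the Python standard library; the zone `example.test`, the `ns1.`/`hostmaster.` names and the SOA timers are constructed values, and names are written out uncompressed, which is the largest form the reply can take.

```python
"""Compare a DNS query for a long name with the NXDOMAIN reply it produces
(stdlib only; all names and SOA values below are constructed)."""
import struct

QTYPE_MX = 15
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte.
    Enforces the RFC 1035 limits (63 octets per label, 255 octets total)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets on the wire")
    return bytes(out)


def build_query(qname: str, qtype: int = QTYPE_MX, txid: int = 0x1234) -> bytes:
    """Standard recursion-desired query: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def build_nxdomain(qname: str, zone: str, qtype: int = QTYPE_MX,
                   txid: int = 0x1234) -> bytes:
    """NXDOMAIN (rcode 3) reply as an authoritative server would send it:
    the question is echoed and a SOA for the zone sits in the authority
    section so the resolver can negative-cache it (RFC 2308).  Names are
    written in full; real servers usually compress them, so this is the
    upper bound on reply size."""
    # flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN)
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    # constructed SOA: hypothetical ns1./hostmaster. names, 1h negative TTL
    soa_rdata = (encode_name("ns1." + zone)
                 + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 1, 3600, 900, 604800, 3600))
    authority = (encode_name(zone)
                 + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(soa_rdata))
                 + soa_rdata)
    return header + question + authority


def amplification(qname: str, zone: str) -> tuple:
    """Return (query bytes, NXDOMAIN reply bytes, reply/query ratio)."""
    q = build_query(qname)
    r = build_nxdomain(qname, zone)
    return len(q), len(r), len(r) / len(q)


if __name__ == "__main__":
    zone = "example.test"  # constructed zone name
    names = ("a." + zone,
             "x" * 63 + "." + zone,
             ".".join(["y" * 63] * 3) + "." + zone)
    for qname in names:
        q, r, ratio = amplification(qname, zone)
        print(f"{len(qname):3d}-char name: query {q:3d} B, "
              f"NXDOMAIN {r:3d} B, ratio {ratio:.2f}")
```

Running it shows the two sides of the argument at once: the reply grows byte-for-byte with the name, because the question is echoed back, but since the query carries that same name the reply/query ratio actually falls toward 1 as the name gets longer, and the fixed overhead is the SOA. What a resolver operator should take from this is that per-reply amplification is small and bounded; the cost that scales is the number of lookups a record such as an SPF `mx` mechanism makes the resolver perform, each of which is one more round trip to the authoritative server, and that is the side negative caching and query limits act on.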
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html