
Mitigating DNS fragmentation attacks


js...@letsencrypt.org

Oct 15, 2018, 12:09:29 AM
to mozilla-dev-s...@lists.mozilla.org
There’s a paper from 2013 outlining a fragmentation attack on DNS that allows an off-path attacker to poison certain DNS results using IP fragmentation[1]. I’ve been thinking about mitigation techniques and I’m interested in hearing what this group thinks.

I've started a thread over at the Let's Encrypt community forum. Please feel free to join in if you have thoughts! https://community.letsencrypt.org/t/mitigating-dns-fragmentation-attack/74838

[1]: https://u.cs.biu.ac.il/~herzbea/security/13-03-frag.pdf

Paul Wouters

Oct 15, 2018, 12:51:40 AM
to js...@letsencrypt.org, mozilla-dev-s...@lists.mozilla.org
On Oct 14, 2018, at 21:09, jsha--- via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
>
> There’s a paper from 2013 outlining a fragmentation attack on DNS that allows an off-path attacker to poison certain DNS results using IP fragmentation[1]. I’ve been thinking about mitigation techniques and I’m interested in hearing what this group thinks.
>

The mitigation is DNSSEC. Ensure your data is cryptographically protected.

Paul

Tom Ritter

Oct 15, 2018, 10:02:19 AM
to Paul Wouters, js...@letsencrypt.org, MozPol
That would be nice, but as that is not available to everyone, a comprehensive solution is also desirable.

-tom