DNS Cookies draft-eastlake-dnsext-cookies-00.txt (PowerPoint presentation)

Description:

Forged source IP address traffic amplification DOS attacks. ... Caches new Server Cookie and retries query if it gets a Bad Cookie error with a ... – PowerPoint PPT presentation

Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

Slide 1: DNS Cookies draft-eastlake-dnsext-cookies-00.txt
  • Donald E. Eastlake 3rd
  • Donald.Eastlake@motorola.com
  • 1-508-786-7554

Slide 2: DNS Cookies
  • Provides weak authentication of queries and
    responses. Can be viewed as a weak version of
    TSIG.
  • No protection against on-path attackers, that
    is, no protection against anyone who can see the
    plain text queries and responses.
  • Requires no set-up or configuration.

Slide 3: DNS Cookies (cont.)
  • Intended to greatly reduce:
    • Forged source IP address traffic amplification DoS attacks.
    • Forged source IP address recursive server workload DoS attacks.
    • Forged source IP address reply cache poisoning attacks.

Slide 4: The COOKIE RR
  • A Meta-RR in the Additional Information Section.
  • RDATA:
    • Resolver Cookie, 64 bits
    • Server Cookie, 64 bits
    • Error Code
Slide 5: Resolver Warm Fuzzies
  • If DNS Cookies Enforced:
    • Resolver puts a COOKIE RR in queries with:
      • A Resolver Cookie that varies with the server:
        Truncated HMAC(server-IP-address, resolver secret)
      • The resolver's cached Server Cookie for that server, if it has one
    • Resolver ignores all replies that do not have the correct Resolver Cookie
    • Caches the new Server Cookie and retries the query if it gets a Bad Cookie
      error with a correct Resolver Cookie

Slide 6: Simplified Server Warm Fuzzies
  • If DNS Cookies Enforced:
    • Server puts a COOKIE RR in replies with:
      • A Server Cookie that varies with the resolver:
        Truncated HMAC(resolver-IP-address, server secret)
      • The Resolver Cookie, if there was one in the corresponding query
    • If a query is received with a bad or no Server Cookie, send back a short
      error message

Slide 7: Example
  Messages between Resolver and Server (RC = Resolver Cookie, SC = Server Cookie,
  E = Error Code, ??? = unknown or absent):
  1. Resolver -> Server: Query RC123, SC???, E0
  2. Server -> Resolver: ErrReply RC123, SC789, EBadC
     (Resolver caches SC789)
  3. Resolver -> Server: Query RC123, SC789, E0
  4. Server -> Resolver: AnsReply RC123, SC789, E0
  Forged traffic:
  5. Attacker -> Server (source address forged as the Resolver): ForgedQuery RC???, SC???, E0
  6. Server -> forged source address: ErrReply RC???, SC789, EBadC
     (short error reply, so no amplification)
  7. Attacker -> Resolver: ForgedReply RC???, SC???, E0
     (ignored by the Resolver: wrong Resolver Cookie)
Slide 8: Complexities
  • Bad guy Resolver behind a NAT
    • Can get a Server Cookie and attack other resolvers behind the NAT
    • Solution: mix the Resolver Cookie into the Server Cookie hash so multiple
      resolvers that appear to be at the same IP address are distinguished
  • Anycast Servers
    • Need to use the same server secret or assure that queries from the same
      resolver usually go to the same server
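To make the resolver and server rules of slides 5 and 6, the exchange of slide 7 and the NAT fix of slide 8 concrete, the following Python model is an added example; it is not code from the draft or from this presentation. It assumes HMAC-SHA256 truncated to 64 bits as the slides' "Truncated HMAC", integer error codes 0 and 1 for E0 and EBadC, RFC 5737 documentation addresses, and a one-field payload in place of real DNS wire format. All cookies, addresses and forged messages are constructed inline.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

COOKIE_LEN = 8        # Resolver and Server Cookies are 64 bits in the draft
OK, BADCOOKIE = 0, 1  # Error Code values (numeric encoding is an assumption)


def truncated_hmac(secret: bytes, *parts: bytes) -> bytes:
    """The slides' 'Truncated HMAC'; HMAC-SHA256 cut to 64 bits is an assumption."""
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()[:COOKIE_LEN]


@dataclass
class CookieRR:
    """RDATA of the COOKIE meta-RR: Resolver Cookie, Server Cookie, Error Code."""
    resolver_cookie: bytes
    server_cookie: Optional[bytes]  # None stands for the 'SC???' of slide 7
    error: int = OK


@dataclass
class Message:
    src_ip: str        # source address as seen on the wire; an attacker can forge it
    kind: str          # 'query', 'answer' or 'error'
    cookie: CookieRR
    payload: str = ""  # answer data; empty in the short error reply


class Resolver:
    def __init__(self, ip: str, secret: Optional[bytes] = None):
        self.ip, self.secret = ip, (secret or os.urandom(16))
        self.cached_sc = {}  # server IP -> Server Cookie learned from that server

    def resolver_cookie(self, server_ip: str) -> bytes:
        # varies with the server: Truncated HMAC(server-IP-address, resolver secret)
        return truncated_hmac(self.secret, server_ip.encode())

    def query(self, server_ip: str, name: str) -> Message:
        rc = self.resolver_cookie(server_ip)
        return Message(self.ip, "query", CookieRR(rc, self.cached_sc.get(server_ip)), name)

    def handle_reply(self, server_ip: str, reply: Message) -> str:
        """Slide 5 rules; returns 'ignored', 'retry' or 'answer'."""
        if reply.cookie.resolver_cookie != self.resolver_cookie(server_ip):
            return "ignored"  # wrong Resolver Cookie: forged (or stale) reply
        if reply.cookie.error == BADCOOKIE:
            self.cached_sc[server_ip] = reply.cookie.server_cookie
            return "retry"  # cache the new Server Cookie and resend the query
        return "answer"


class Server:
    def __init__(self, ip: str, secret: Optional[bytes] = None, mix_rc: bool = False):
        self.ip, self.secret, self.mix_rc = ip, (secret or os.urandom(16)), mix_rc

    def server_cookie(self, resolver_ip: str, rc: bytes) -> bytes:
        # varies with the resolver IP; slide 8's NAT fix also mixes in the Resolver Cookie
        parts = [resolver_ip.encode()] + ([rc] if self.mix_rc else [])
        return truncated_hmac(self.secret, *parts)

    def handle_query(self, q: Message) -> Message:
        rc = q.cookie.resolver_cookie
        expected = self.server_cookie(q.src_ip, rc)
        if q.cookie.server_cookie != expected:  # bad or missing SC: short error, no data
            return Message(self.ip, "error", CookieRR(rc, expected, BADCOOKIE))
        return Message(self.ip, "answer", CookieRR(rc, expected), f"{q.payload} A 192.0.2.1")


def run_exchange(mix_rc: bool = False) -> list:
    """Replays slide 7: first query, BadCookie, retry, answer, then forged traffic."""
    resolver, server = Resolver("198.51.100.10"), Server("192.0.2.53", mix_rc=mix_rc)
    log = []
    r = server.handle_query(resolver.query(server.ip, "example.com"))  # Query RC, SC???
    log.append((r.kind, resolver.handle_reply(server.ip, r)))          # ErrReply -> retry
    r = server.handle_query(resolver.query(server.ip, "example.com"))  # Query RC, SC789
    log.append((r.kind, resolver.handle_reply(server.ip, r)))          # AnsReply -> answer
    # Forged query spoofing the resolver's address with unknown cookies (constructed input)
    forged_q = Message(resolver.ip, "query", CookieRR(os.urandom(8), None), "example.com")
    r = server.handle_query(forged_q)  # short error reply goes to the spoofed address
    log.append((r.kind, len(r.payload), resolver.handle_reply(server.ip, r)))
    # Forged reply: the attacker cannot guess the per-server Resolver Cookie
    forged_r = Message(server.ip, "answer", CookieRR(os.urandom(8), os.urandom(8)), "evil")
    log.append(("forged_reply", resolver.handle_reply(server.ip, forged_r)))
    return log


def nat_demo(mix_rc: bool) -> bool:
    """Slide 8: attacker and victim resolvers share one NAT address. Returns True when
    the Server Cookie the attacker learned is accepted together with the victim's
    Resolver Cookie, i.e. when the server does NOT distinguish the two resolvers."""
    nat_ip, server = "203.0.113.5", Server("192.0.2.53", mix_rc=mix_rc)
    attacker, victim = Resolver(nat_ip), Resolver(nat_ip)
    learned_sc = server.handle_query(attacker.query(server.ip, "x")).cookie.server_cookie
    replay = Message(nat_ip, "query", CookieRR(victim.resolver_cookie(server.ip), learned_sc), "v")
    return server.handle_query(replay).kind == "answer"


if __name__ == "__main__":
    print(run_exchange())                   # ends with ('error', 0, 'ignored'), ('forged_reply', 'ignored')
    print(nat_demo(False), nat_demo(True))  # True False
```

Running `run_exchange()` shows the two properties the deck is after: a forged query never earns more than the short error reply, and a forged reply is dropped because the attacker does not know the Resolver Cookie bound to that server. `nat_demo(False)` versus `nat_demo(True)` shows why slide 8 mixes the Resolver Cookie into the Server Cookie hash: without it, a cookie learned by one resolver behind the NAT validates queries carrying any other resolver's cookie from the same address.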