9-10 May 2015
Okura Hotel

Contribution

Okura Hotel - Heian I/II
Public Workshop

The iDNS attack (resolver loop)

Speakers

  • Mr. Florian MAURY

Primary authors

Abstract content

ANSSI identified that several popular DNS resolver implementations could be led into following a large number of delegations. By doing so, these resolvers could inflict a denial of service either of the resolver itself by excessive resource consumption or its hosting network by flooding it with packets.

Vulnerable implementations can also be enticed into sending a victim ten times as many packets as the attacker sent to the resolver, thus performing a distributed denial of service attack with packet amplification.
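To make the defensive point concrete, here is an added toy model (not code from the talk, ANSSI or any resolver vendor) of an iterative resolver that follows referrals from an in-memory, constructed set of authoritative answers and enforces a cap on the number of delegations it will follow for one query. The cap value and the zone names are assumptions for illustration; the model shows that without such a bound one client query turns into a long chain of outgoing queries, and that the bound keeps the outgoing query count fixed.

```python
# Added example: toy iterative resolver with a delegation-following cap.
# Zone data below is constructed; the cap of 8 is an illustrative value,
# not any vendor's real default.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Referral:
    """One authoritative response: final data, or a delegation to another name."""
    answer: Optional[str] = None       # address returned when authoritative
    delegate_to: Optional[str] = None  # next name to query when delegating


@dataclass
class Resolver:
    zones: Dict[str, Referral]         # constructed name -> response map
    max_delegations: int = 8           # assumed mitigation cap per client query
    queries_sent: int = field(default=0)

    def resolve(self, name: str) -> Optional[str]:
        """Follow referrals until data is found; None on NXDOMAIN or cap exceeded."""
        self.queries_sent = 0
        followed = 0
        current = name
        while True:
            self.queries_sent += 1            # one outgoing query per hop
            ref = self.zones.get(current)
            if ref is None:
                return None                   # unknown name: NXDOMAIN-like
            if ref.answer is not None:
                return ref.answer             # authoritative data reached
            followed += 1
            if followed > self.max_delegations:
                return None                   # SERVFAIL: delegation chain too long
            current = ref.delegate_to


def benign_zones() -> Dict[str, Referral]:
    """Constructed two-hop lookup: one referral, then an answer."""
    return {
        "www.example.test": Referral(delegate_to="ns.example.test"),
        "ns.example.test": Referral(answer="192.0.2.10"),
    }


def long_chain_zones(hops: int) -> Dict[str, Referral]:
    """Constructed chain of `hops` referrals ending in an answer."""
    zones = {f"hop{i}.chain.test": Referral(delegate_to=f"hop{i + 1}.chain.test")
             for i in range(hops)}
    zones[f"hop{hops}.chain.test"] = Referral(answer="192.0.2.99")
    return zones
```

With the cap, a 1000-hop chain stops after 9 outgoing queries, whereas an unbounded resolver sends 1001 queries for that single client request.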

This presentation covers the exploitation methodology for both kinds of attacks, and presents ANSSI's disclosure plan, the mitigation strategies implemented by the various vendors and some workarounds when denial of service is caused by an overwhelmed Linux-based firewall.

Summary

This presentation covers the exploitation methodology for both the DoS and the DDoS aspects of the iDNS vulnerability, and presents ANSSI's disclosure plan, the mitigation strategies implemented by the various vendors and some workarounds when denial of service is caused by an overwhelmed Linux-based firewall.