Speaker: Mr Florian Maury (ANSSI/FNISA)
Description
ANSSI identified that several popular DNS resolver implementations could
be led into following a large number of delegations. By doing so, these
resolvers could inflict a denial of service either on the resolver
itself, through excessive resource consumption, or on its hosting network,
by flooding it with packets.
Vulnerable implementations can also be enticed into sending to a victim
ten times the number of packets the attacker sent to the resolver,
thus performing a distributed denial of service attack with packet
amplification.
This presentation covers the exploitation methodology for both kinds of
attack, and presents ANSSI's disclosure plan, the mitigation strategies
implemented by the various vendors and some workarounds for when the denial of
service is caused by an overwhelmed Linux-based firewall.
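The following is an added illustration, not material from the talk or from ANSSI: a toy, in-memory model of a recursive resolver following referrals. It shows why unbounded delegation following turns one client query into a long run of outbound packets, and how a per-query referral budget (the kind of mitigation the abstract refers to) bounds both the resolver's work and the number of packets it emits. The server names, the chain shape, the answer address and the budget value are all constructed assumptions, not vendor defaults.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Response:
    """What a constructed authoritative server replies with."""
    answer: Optional[str] = None    # final data, if the server is authoritative
    referral: Optional[str] = None  # otherwise, the next server to ask


def build_delegation_chain(length: int) -> Dict[str, Response]:
    """Constructed data: ns0 refers to ns1, ns1 to ns2, ..., the last one answers.

    Each hop the resolver follows costs one outbound packet, so a chain of
    `length` servers makes an unbounded resolver send `length` packets for a
    single incoming query.
    """
    servers: Dict[str, Response] = {}
    for i in range(length):
        name = f"ns{i}.example"                      # assumed names
        if i + 1 < length:
            servers[name] = Response(referral=f"ns{i + 1}.example")
        else:
            servers[name] = Response(answer="192.0.2.1")  # documentation address
    return servers


def build_referral_loop() -> Dict[str, Response]:
    """Constructed data: two servers that refer to each other and never answer."""
    return {
        "ns0.example": Response(referral="ns1.example"),
        "ns1.example": Response(referral="ns0.example"),
    }


def resolve(servers: Dict[str, Response], start: str,
            max_referrals: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Follow referrals from `start` and return (answer, packets_sent).

    max_referrals=None models an implementation with no bound on the number of
    delegations followed per client query (the behaviour the talk describes).
    An integer models the mitigation: once the budget is spent the resolver
    gives up (answer None, i.e. SERVFAIL) instead of sending more packets.
    """
    packets = 0
    current = start
    while True:
        if max_referrals is not None and packets >= max_referrals:
            return None, packets           # budget exhausted: fail closed
        packets += 1                       # one query to `current`
        reply = servers[current]
        if reply.answer is not None:
            return reply.answer, packets
        current = reply.referral           # keep chasing the delegation


def amplification(servers: Dict[str, Response], start: str,
                  max_referrals: Optional[int] = None) -> int:
    """Outbound packets emitted per single incoming client query."""
    return resolve(servers, start, max_referrals)[1]


if __name__ == "__main__":
    long_chain = build_delegation_chain(100)
    print("unbounded, chain of 100:", amplification(long_chain, "ns0.example"))
    print("budget 16, chain of 100:", amplification(long_chain, "ns0.example", 16))
    print("budget 16, referral loop:", resolve(build_referral_loop(), "ns0.example", 16))
```

The budget is deliberately checked before each outbound query rather than after, so the worst case an attacker-controlled delegation chain can extract is exactly `max_referrals` packets per client query, and a referral loop (which the unbounded variant would chase forever) terminates with a SERVFAIL after the same number of packets. Real resolvers add further limits (per-query time, total outstanding queries), but the per-query fetch budget is the core of the fix this model illustrates.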
Summary
This presentation covers the exploitation methodology for both the DoS and the DDoS aspects of the iDNS vulnerability, and presents ANSSI's disclosure plan, the mitigation strategies implemented by the various vendors and some workarounds when denial of service is caused by an overwhelmed Linux-based firewall.
Primary author: Mr Florian Maury (ANSSI/FNISA)