DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

Simon Josefsson jas@extundo.com
Wed Jul 10 19:57:02 2002


Michael Graff <explorer@flame.org> writes:

> Simon Josefsson <jas@extundo.com> writes:
>
>> Is the packet size really the important factor?  I thought a good DDOS
>> attack used a protocol that generated several packets given only one.
>> Like broadcast ping.
>> 
>> Also, is it possible to spoof an EDNS.0 session?  I don't remember the
>> details, but it may include some kind of cookie, like TCP, which you
>> need to guess in order to continue.
>
> Well, a 64k UDP packet will be chopped up into more than 40 packets.

But to generate a 64kb UDP packet you need to have negotiated EDNS.0
with the other server.  Is it possible to spoof that negotiation?  I
don't know.  But this isn't endemic to this; IPv6 and DNSSEC are going
to generate bigger packets too, making it possible to exploit this in
the same way.  Hopefully EDNS.0 negotiations cannot be spoofed.

>> Or switch to TCP.
>
> If you're going to do that, why use DNS?

For all the other benefits -- caching, round-trip optimization,
failover, an easy way to sign packets, synergy with certificate
revocation.
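[Editor's note, not part of the above message.]  The question of whether
the EDNS.0 "negotiation" can be spoofed is answerable from the wire
format: in RFC 2671 (the EDNS0 spec current when this was written) the
requester's UDP payload size is simply the CLASS field of an OPT
pseudo-RR that the client puts in the additional section of its query.
There is no prior exchange and no cookie to guess (DNS Cookies, RFC 7873,
came much later), so a query with a forged source address can advertise
any size and the response goes to the forged address.  The following
added example, written for this page rather than taken from the thread or
from GnuPG, builds such a query, reads the advertised size back out of
it, and does the fragment and amplification arithmetic the thread refers
to.  The query name, buffer size, and MTU are assumed values chosen for
illustration.

```python
import struct

# Constructed example for the DNS/EDNS0 amplification discussion above.
# Not code from the gnupg thread; qname, udp_size and mtu are assumptions.


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. example.com -> 07example03com00."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns0_query(qname: str, qtype: int = 16, udp_size=4096, txid: int = 0x1234) -> bytes:
    """Standard recursive query (QTYPE 16 = TXT) with an optional OPT RR.

    With udp_size=None a classic, non-EDNS query is produced (ARCOUNT 0).
    Nothing here depends on state from the server: the advertised size is a
    plain field in a single UDP datagram, so a sender can forge the source
    address and still have the full-size reply delivered there.
    """
    arcount = 0 if udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, 1 question
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    if udp_size is None:
        return header + question
    # OPT pseudo-RR (RFC 2671): NAME = root (0x00), TYPE = 41,
    # CLASS = requester's UDP payload size, TTL = ext-RCODE/version/flags, RDLENGTH = 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt


def parse_name(buf: bytes, off: int):
    """Decode a DNS name at offset off; returns (name, offset after it)."""
    labels = []
    while True:
        l = buf[off]
        off += 1
        if l == 0:
            break
        if (l & 0xC0) == 0xC0:  # compression pointer; resolve and stop
            ptr = ((l & 0x3F) << 8) | buf[off]
            off += 1
            sub, _ = parse_name(buf, ptr)
            labels.append(sub)
            break
        labels.append(buf[off:off + l].decode("ascii"))
        off += l
    return ".".join(labels), off


def advertised_udp_size(msg: bytes) -> int:
    """UDP payload size a query advertises via EDNS0, or 512 if it has no OPT RR."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = parse_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return rclass
    return 512  # classic DNS-over-UDP limit (RFC 1035)


def fragments_for(udp_datagram_len: int, mtu: int = 1500, ip_hdr: int = 20) -> int:
    """IP fragments needed to carry a UDP datagram over a path with the given MTU.

    Fragment payloads are multiples of 8 bytes; 1500 - 20 = 1480 already is.
    """
    per_fragment = (mtu - ip_hdr) // 8 * 8
    return -(-udp_datagram_len // per_fragment)


def amplification(query_len: int, response_len: int) -> float:
    """Bytes the victim receives per byte the attacker sends (source-spoofed)."""
    return response_len / query_len


if __name__ == "__main__":
    q = build_edns0_query("example.com")          # assumed name, 40 bytes on the wire
    print("query bytes:", len(q), "advertised size:", advertised_udp_size(q))
    print("no-EDNS fallback:", advertised_udp_size(build_edns0_query("example.com", udp_size=None)))
    print("fragments for a maximal 65515-byte UDP datagram:", fragments_for(65515))
    print("amplification for a 4000-byte reply:", amplification(len(q), 4000))
```

The fragment count for a maximal UDP datagram (65535-byte IP datagram
minus a 20-byte header) comes out at 45 on a 1500-byte MTU path, which is
the "more than 40 packets" figure quoted above; the defence-side check is
that a resolver should only honour advertised sizes it is willing to emit
and should rate-limit large responses to unverified sources, since the
query itself carries nothing that proves the source address is genuine.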