On Mon, May 09, 2016 at 11:01:30AM -0700, 神明達哉 <[email protected]> wrote a message of 49 lines which said:
> This is true, but I suspect it would be pretty easy for this type
> of attacker to circumvent the effect if and when the nxdomain-cut
> behavior is more widely deployed. An attacker for the '.wf' zone
> would simply send random junk query <random>.wf instead of
> <random>.dafa888.wf. So I think the mitigation effect in this
> sense is quite limited.

Speaking of that, I have a philosophical question. Attackers in the real
world (not in labs or in security conferences, where researchers try to
impress their peers with clever hacks) are often unsophisticated. All the
random qnames attacks I've seen (last one was reported on the Unbound users
mailing list a few days ago under the title "Ratelimit misbehavior") use a
3-label name. This is indeed stupid: even without "NXDOMAIN cut", it makes
identification and classification of the offending packets very simple (via
Netfilter with u32, for instance). Why do they continue to do so?
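To put a number on the point above (how much a resolver gains from NXDOMAIN cut against a 3-label random-qname flood versus a 2-label one), here is an added toy model written for this thread; it is not code from the poster, from Unbound or from any resolver. It assumes a resolver doing QNAME minimisation with an RFC 8020 style negative cache, a constructed ".wf" zone in which only www.example.wf exists, and constructed floods of 1000 distinct pseudo-random labels.

```python
import random

class ToyResolver:
    """Constructed resolver: QNAME minimisation plus RFC 8020 NXDOMAIN cut."""
    def __init__(self, existing_names):
        # Constructed upstream zone data: these names and their ancestors exist.
        self.existing = set()
        for name in existing_names:
            labels = name.split(".")
            self.existing.update(".".join(labels[i:]) for i in range(len(labels)))
        self.positive_cache, self.nxdomain_cache = set(), set()
        self.upstream_queries = 0
    def _upstream_exists(self, name):
        self.upstream_queries += 1  # one simulated round trip to the authority
        return name in self.existing
    def _cut_covers(self, name):
        # NXDOMAIN cut: a cached NXDOMAIN for X also denies every name below X.
        labels = name.split(".")
        return any(".".join(labels[i:]) in self.nxdomain_cache for i in range(len(labels)))
    def resolve(self, qname):
        """Return 'NXDOMAIN' or 'EXISTS' for qname."""
        if self._cut_covers(qname):
            return "NXDOMAIN"
        labels = qname.split(".")
        # QNAME minimisation: TLD first, then one more label per step, so the
        # shortest non-existent ancestor is what lands in the negative cache.
        for i in range(len(labels) - 1, -1, -1):
            partial = ".".join(labels[i:])
            if partial in self.positive_cache:
                continue
            if self._upstream_exists(partial):
                self.positive_cache.add(partial)
            else:
                self.nxdomain_cache.add(partial)
                return "NXDOMAIN"
        return "EXISTS"

def constructed_flood(n, suffix, seed=1):
    """n distinct pseudo-random labels under suffix (constructed attack traffic)."""
    values = random.Random(seed).sample(range(10 ** 10), n)
    return [f"r{v:010d}.{suffix}" for v in values]

def upstream_cost(qnames, existing=("www.example.wf",)):
    """Upstream queries needed to answer the whole flood from a cold cache."""
    resolver = ToyResolver(existing)
    for qname in qnames:
        resolver.resolve(qname)
    return resolver.upstream_queries
```

With these assumptions the 3-label flood under dafa888.wf costs two upstream queries in total (one for wf, one for dafa888.wf, after which the cut answers everything), while the 2-label flood directly under .wf still costs one upstream query per distinct name.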
