<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [ga] On Its Way: One of the Biggest Changes to the Internet
- To: ga@xxxxxxxxxxxxxx
- Subject: Re: [ga] On Its Way: One of the Biggest Changes to the Internet
- From: Peter Dambier <peter@xxxxxxxxxxxxxxxx>
- Date: Fri, 12 Oct 2007 12:35:33 +0200
Hi Ted,
leaving a load of explosives and a box full of matches in a kindergarden
has nothing to do with terrorism - although some adults might feel these
children must have been terrorists in the first place, making all that
noise.
Poorly designed DNS is like leaving a load of explosives in your
garden and waiting for somebody to come along with a torch.
You dont need poorly configured applications to DoS. You dont need
open resolvers either. Just look for big long dnsec records...
e.g. in the signed root.
The good side is - very likely you have to resort to ip because edns
is broken and the packets are too long. Address spoofing works with
udp mostly, so I dont think this will raise DoS.
But it will show that many DNS applications and many firewalls are
broken because they want udp only
Kind regards
Peter and Karin
Prophet Partners Inc. wrote:
Hi Karl,
With the potential problems from long IDN names, could poorly configured
DNS applications possibly create situations of DNS instability? Could
criminal or terrorist organizations launch DoS attacks in this manner?
Sincerely,
Ted
Prophet Partners Inc.
http://www.ProphetPartners.com
http://www.Premium-Domain-Names.com
----- Original Message ----- From: "Karl Auerbach" <karl@xxxxxxxxxxxx>
To: "Ram Mohan" <rmohan@xxxxxxxxxxxx>
Cc: <ga@xxxxxxxxxxxxxx>
Sent: Thursday, October 11, 2007 9:40 PM
Subject: Re: [ga] On Its Way: One of the Biggest Changes to the Internet
Ram Mohan wrote:
Numerous other usability issues exist, including some interesting
ones such as searchability of IDN names and IDN TLDs.
It's been a while since I last scanned SIP VoIP implementations for
DNS vulnerabilities.
But when I last did it, I found that a lot of VoIP phones had weak DNS
resolving engines that could be easily confused/killed by long names
(and IDN names can get long) and long or strange CNAMEs.
(It is amazing the devices than can be sent into the weeds by giving
'em a SIP or HTTP URI/URL that contains a domain name that gets mapped
via a CNAME into something that is either very long or contains the
full variety of 8-bit characters without honoring the "hostname"
character set constraint.)
Again, as you say, at the DNS layer, it's all just ASCII labels. And
the problems I saw weren't IDN problems, just weak DNS implementations.
--karl--
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@xxxxxxxxxxxxxxxx
mail: peter@xxxxxxxxxxxx.pirates
http://www.cesidianroot.com/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|