Re: [ga] On Its Way: One of the Biggest Changes to the Internet

[Peter Dambier <peter@xxxxxxxxxxxxxxxx>]

Hi Ted,

leaving a load of explosives and a box full of matches in a kindergarden
has nothing to do with terrorism - although some adults might feel these
children must have been terrorists in the first place, making all that
noise.

Poorly designed DNS is like leaving a load of explosives in your
garden and waiting for somebody to come along with a torch.

You dont need poorly configured applications to DoS. You dont need
open resolvers either. Just look for big long dnsec records...

e.g. in the signed root.

The good side is - very likely you have to resort to ip because edns
is broken and the packets are too long. Address spoofing works with
udp mostly, so I dont think this will raise DoS.

But it will show that many DNS applications and many firewalls are
broken because they want udp only

Kind regards
Peter and Karin


Prophet Partners Inc. wrote:
> Hi Karl,
>
> With the potential problems from long IDN names, could poorly configured 
> DNS applications possibly create situations of DNS instability? Could 
> criminal or terrorist organizations launch DoS attacks in this manner?
> Sincerely,
> Ted
> Prophet Partners Inc.
> http://www.ProphetPartners.com
> http://www.Premium-Domain-Names.com
>
>
> ----- Original Message ----- From: "Karl Auerbach" <karl@xxxxxxxxxxxx>
> To: "Ram Mohan" <rmohan@xxxxxxxxxxxx>
> Cc: <ga@xxxxxxxxxxxxxx>
> Sent: Thursday, October 11, 2007 9:40 PM
> Subject: Re: [ga] On Its Way: One of the Biggest Changes to the Internet
>
>
> > Ram Mohan wrote:
> >
> > > Numerous other usability issues exist, including some interesting 
> > > ones such as searchability of IDN names and IDN TLDs.
> >
> > It's been a while since I last scanned SIP VoIP implementations for 
> > DNS vulnerabilities.
> > But when I last did it, I found that a lot of VoIP phones had weak DNS 
> > resolving engines that could be easily confused/killed by long names 
> > (and IDN names can get long) and long or strange CNAMEs.
> > (It is amazing the devices than can be sent into the weeds by giving 
> > 'em a SIP or HTTP URI/URL that contains a domain name that gets mapped 
> > via a CNAME into something that is either very long or contains the 
> > full variety of 8-bit characters without honoring the "hostname" 
> > character set constraint.)
> > Again, as you say, at the DNS layer, it's all just ASCII labels.  And 
> > the problems I saw weren't IDN problems, just weak DNS implementations.
> > --karl-- 

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@xxxxxxxxxxxxxxxx
mail: peter@xxxxxxxxxxxx.pirates
http://www.cesidianroot.com/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/