Just a quick note to let folks know about a new vulnerability we have found in some low-rent DNS forwarders---which we have been calling the 'preplay attack'. The finding is that when the vulnerable open resolvers receive a DNS response they just look at the query string in the response to see if they have a request for the given string outstanding. If they do, they accept the result. I.e., there is no validation of the source IP, port numbers or DNS transaction ID in the response. Dumb. This makes poisoning the caches of these boxes trivial (i.e., send a request for www.facebook.com and then immediately send an answer).

A few notes ...

- We have found 7--9% of the open resolver population---or 2-3 million boxes---to be vulnerable to this cache poisoning attack. (The variance is from different runs of our experiments.)

- We have not been able to nail this vulnerability down to a single box or manufacturer. To the contrary, our efforts at identifying the boxes indicate it crosses such boundaries. (However, these boxes do seem to be largely situated in residential settings.)

- We presented these results at PAM earlier this week. Our paper, slides, etc. with details of the attack (and results about previously known DNS attacks) are available here: http://www.icir.org/mallman/pubs/SCRA14/

- We did give CERT a heads up about this before the paper appeared and they kibitzed the information around to various manufacturers of this sort of gear.

My mental model is that this sort of gear is upgraded when it goes kaput. So, vigilance I guess.

FWIW.

allman

--
http://www.icir.org/mallman/
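As an added illustration (not from the post or the paper), here is a small Python model of the two response-validation rules: the name-only check the post describes, next to the check a correct resolver makes, where transaction ID, question name, source address and source port must all match the outstanding query. The pending-query table, addresses and wire messages are constructed inline for the demo.

```python
import struct

# Constructed sample: the resolver is waiting on one upstream query.
# Entries are (txid, qname, upstream server ip, upstream server port).
PENDING = {(0x1234, "www.example.com", "192.0.2.53", 53)}

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def decode_name(msg, offset):
    """Decode an uncompressed name at offset; return (lowercased name, offset after it)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower(), offset + 1

def build_message(txid, qname, response=True):
    """Minimal DNS message: 12-byte header plus one A/IN question (answers omitted)."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def parse_message(msg):
    """Return (txid, qname) from the header and first question of a DNS message."""
    txid = struct.unpack("!H", msg[:2])[0]
    qname, _ = decode_name(msg, 12)
    return txid, qname

def weak_accepts(pending, src_ip, src_port, msg):
    """The check the post describes: accept any response whose question name is outstanding."""
    _, qname = parse_message(msg)
    return any(qname == p[1] for p in pending)

def strict_accepts(pending, src_ip, src_port, msg):
    """Hardened check: txid, name, source address and source port must all match the query sent.
    (Real resolvers also compare question type/class and randomize the query's source port.)"""
    txid, qname = parse_message(msg)
    return (txid, qname, src_ip, src_port) in pending

def demo():
    """A legitimate reply from the queried server vs. a constructed reply that only gets the name right."""
    legit = build_message(0x1234, "www.example.com")
    stray = build_message(0x9999, "www.example.com")
    return {
        "legit_weak": weak_accepts(PENDING, "192.0.2.53", 53, legit),
        "legit_strict": strict_accepts(PENDING, "192.0.2.53", 53, legit),
        "stray_weak": weak_accepts(PENDING, "198.51.100.7", 53, stray),
        "stray_strict": strict_accepts(PENDING, "198.51.100.7", 53, stray),
    }
```

The name-only rule accepts both messages; the strict rule rejects the one whose transaction ID and source do not match the query that was actually sent.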