| Abstract | This paper evaluates the effectiveness of patches designed to mitigate the NSEC3-encloser attack in DNS resolvers. NSEC3, used in DNSSEC to authenticate the non-existence of records, can be exploited to exhaust resolver resources through excessive SHA-1 hashing. Despite recent patches, our study reveals that major DNS resolvers remain vulnerable. We test the NSEC3 exhaustion attacks against pre- and post-patch versions of popular DNS resolvers (Unbound, BIND9, PowerDNS, and Knot Resolver) and observe up to a 72-fold increase in CPU instructions during attacks. PowerDNS 5.0.5 and Knot Resolver 5.7.3 showed improvements, limiting CPU load with strict hash limits. Conversely, BIND9 exhibited only marginal improvement, and Unbound 1.20.0 experienced increased CPU load. At an attack rate of 150 malicious NSEC3 records per second, loss rates for benign DNS requests ranged from 2.7% to 30%. Our study indicates the need for robust countermeasures to address NSEC3 vulnerabilities. |
|---|---|
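To make the resource-exhaustion mechanism in the abstract concrete, the following is an added example (not code from the paper or from any of the resolvers it measures) that implements the RFC 5155 NSEC3 hash and a simplified model of a validating resolver's closest-encloser search. The search strips one label at a time from the query name and hashes each candidate; every distinct (salt, iterations) pair carried in the response forces the whole candidate list to be hashed again, and each hash costs `iterations + 1` SHA-1 invocations. The "benign" and "malicious" NSEC3 sets, the query name, the record count and iteration count of the attack, and the 1000-call `hash_budget` are all constructed for illustration and are not taken from the paper or from any resolver's actual limits.

```python
"""NSEC3 hashing cost model for the resolver's closest-encloser search.

Added example, not part of the paper. Implements the RFC 5155 section 5 hash
and a simplified version of the section 8.3 closest-encloser search so the
SHA-1 cost of a benign response and of a constructed attack response can be
counted side by side. The budget cap is an illustrative defence, not the
mechanism of any particular resolver.
"""
from __future__ import annotations

import base64
import hashlib


class HashBudgetExceeded(Exception):
    """Raised when a response would need more SHA-1 work than the resolver allows."""


# base64.b32encode uses the RFC 4648 alphabet; NSEC3 owner names use base32hex.
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789abcdefghijklmnopqrstuv")


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, root label last."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> tuple[str, int]:
    """RFC 5155 s5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt).

    Returns (base32hex digest, number of SHA-1 invocations spent).
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte SHA-1 output encodes to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).decode().translate(_TO_BASE32HEX), iterations + 1


def ancestors(qname: str, apex: str) -> list[str]:
    """Candidate closest enclosers: qname, then each parent down to the zone apex."""
    labels = qname.rstrip(".").lower().split(".")
    depth = len(apex.rstrip(".").split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - depth + 1)]


def closest_encloser(qname: str, apex: str, nsec3_rrset, hash_budget: int | None = None):
    """Simplified closest-encloser search (RFC 5155 s8.3).

    nsec3_rrset is a list of (salt, iterations, owner_hash) tuples. Candidates
    are hashed from the query name upward until an NSEC3 owner matches. Each
    distinct (salt, iterations) pair requires its own pass over the candidates,
    which is the lever the NSEC3-encloser attack pulls. Returns
    (encloser or None, sha1_calls). With hash_budget set, the search aborts
    before exceeding the budget (illustrative defence, not any resolver's own).
    """
    by_params: dict[tuple[bytes, int], set[str]] = {}
    for salt, iters, owner in nsec3_rrset:
        by_params.setdefault((salt, iters), set()).add(owner)
    spent = 0
    for (salt, iters), owners in by_params.items():
        for cand in ancestors(qname, apex):
            if hash_budget is not None and spent + iters + 1 > hash_budget:
                raise HashBudgetExceeded(spent)
            digest, cost = nsec3_hash(cand, salt, iters)
            spent += cost
            if digest in owners:
                return cand, spent
    return None, spent


# Parameters of the RFC 5155 Appendix A example zone (NSEC3PARAM 1 0 12 aabbccdd).
RFC_SALT = bytes.fromhex("aabbccdd")
RFC_ITERS = 12


def benign_response():
    """Constructed NSEC3 set: one salt, 12 iterations, owners for the two zone
    names the encloser search can hit for a query under w.example."""
    return [(RFC_SALT, RFC_ITERS, nsec3_hash(n, RFC_SALT, RFC_ITERS)[0])
            for n in ("example", "w.example")]


def malicious_response(n_records: int = 50, iterations: int = 150):
    """Constructed attack set: every RR has its own salt and a high iteration
    count, and no owner matches, so every candidate is hashed for every RR."""
    return [(i.to_bytes(4, "big"), iterations, "0" * 32) for i in range(n_records)]


def demo() -> tuple[int, int, int | None]:
    """SHA-1 calls for the benign set, the attack set, and the attack under a budget."""
    qname, apex = "does-not-exist.w.example", "example"
    _, benign_calls = closest_encloser(qname, apex, benign_response())
    _, attack_calls = closest_encloser(qname, apex, malicious_response())
    try:
        closest_encloser(qname, apex, malicious_response(), hash_budget=1000)
        capped = None
    except HashBudgetExceeded as exc:
        capped = exc.args[0]
    return benign_calls, attack_calls, capped


if __name__ == "__main__":
    b, a, c = demo()
    print(f"benign response: {b} SHA-1 calls; attack response: {a} SHA-1 calls; "
          f"with a 1000-call budget the search stops after {c} calls")
```

The benign set costs two hashes of 13 SHA-1 calls each (the second candidate, `w.example`, matches), while the constructed attack set with 50 distinct salts, 150 iterations and three candidates per pass costs 50 × 3 × 151 SHA-1 calls before the search gives up; a per-response hash budget turns that into a bounded amount of work at the cost of failing validation for the response, which is the trade-off behind the "strict hash limits" the abstract credits for the improved resolvers.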