I was looking for a way to calculate the probability of success of the cache poisoning attack against a DNS server implementing source port randomization. This paper describes the methodology. There are a few questions I don't have an answer for yet.
1. When I try to reproduce their results (Table 1) I get (slightly) different outcome. I wonder why. My source code is here.
65536 | 4 | 10427 | 0.500000
65536 | 200 | 227 | 0.500000
4294967296 | 4 | 683344693 | 0.500000
8589934592 | 200 | 29718916 | 0.500000
8589934592 | 2 | 429508 | 0.000100
8589934592 | 4 | 214757 | 0.000100
2. How many outstanding requests real DNS servers allow? In practice I saw up 2-4 retransmissions done with different source port and QID (Bind 8.4.7).
3. What is the practical limit on the number of bogus packets the attacker can possibly deliver to the victim DNS cache? If one can DoS the name server authoritative for the target zone, they will have some 10s (until the query times out) to feed the victim. Does this mean some 500'000 packets can be potentially delivered, assuming attacker can emit 50Kpps?
4. The paper I have mentioned above talks about 50% success rate. But is it really necessary? The trick discovered by Kaminsky lets the attack be repeated indefinitely, so in theory much lower success rate might be acceptable. Consider attack success rate as low as 0.01%. If we do 8'640 rounds (24 hours, 10s per round): the probability of success is 42% (probability of single failure is 99.99%, probability of all 8'640 failures: 0.9999^8640 = .578). It's not clear how feasible is it to get those 0.01% in practice.
