DNS cache poisoning -- residual risk

I was looking for a way to calculate the probability of success of the cache poisoning attack against a DNS server implementing source port randomization. This paper describes the methodology. There are a few questions I don't have an answer for yet.

1. When I try to reproduce their results (Table 1) I get (slightly) different outcome. I wonder why. My source code is here.
65536 | 4 | 10427 | 0.500000
65536 | 200 | 227 | 0.500000
4294967296 | 4 | 683344693 | 0.500000
8589934592 | 200 | 29718916 | 0.500000
8589934592 | 2 | 429508 | 0.000100
8589934592 | 4 | 214757 | 0.000100

2. How many outstanding requests real DNS servers allow? In practice I saw up 2-4 retransmissions done with different source port and QID (Bind 8.4.7).

3. What is the practical limit on the number of bogus packets the attacker can possibly deliver to the victim DNS cache? If one can DoS the name server authoritative for the target zone, they will have some 10s (until the query times out) to feed the victim. Does this mean some 500'000 packets can be potentially delivered, assuming attacker can emit 50Kpps?

4. The paper I have mentioned above talks about 50% success rate. But is it really necessary? The trick discovered by Kaminsky lets the attack be repeated indefinitely, so in theory much lower success rate might be acceptable. Consider attack success rate as low as 0.01%. If we do 8'640 rounds (24 hours, 10s per round): the probability of success is 42% (probability of single failure is 99.99%, probability of all 8'640 failures: 0.9999^8640 = .578). It's not clear how feasible is it to get those 0.01% in practice.

Comments

A friend has sent me a link to an exploit http://www.exploit-db.com/exploits/6236/. According to the author the exploit is capable of cache poisoning DNS server featuring source port randomization, if the attacker is has GigEthernet connection to it. I wonder how strong this GigEthernet requirement is and what can be done with mere 50Kpps, which corresponds to some 50Mbps if we talk about DNS responses.

IPS in front of your authoritative DNS server may increase attack window. An attacker could try to come up with a request which passes throught the caching server, gets forwarded to the authoritative one, but never makes it because IPS considers it harmful.

This trick is mentioned in Kaminsky's BlackHat Japan 2008 presentation.