Poster: Fragmentation Attacks on DNS over TCP

The research and operational community believe that TCP provides protection against IP fragmentation based attacks and recommend that servers avoid sending responses over UDP and use TCP instead. In this work we show for the first time that IP fragmentation attacks may also apply to communication over TCP. We perform a study of the nameservers in the 100K-top Alexa domains and find that 454 domains are vulnerable to IP fragmentation attacks. Of these domains, we find 366 additional domains that are vulnerable only to IP fragmentation attacks on communication with TCP. We also find that the servers vulnerable to TCP fragmentation can be forced to fragment packets to much smaller sizes (of less than 292 bytes) than servers vulnerable to UDP fragmentation (not below 548 bytes). This makes the impact of the attacks against servers vulnerable to fragmentation of TCP segments much more detrimental. Our study not only shows that the recommendation to use TCP and avoid UDP is risky but it also shows that the attack surface due to fragmentation is larger than was previously believed. We evaluate known IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.