[dns-operations] DNS Attack over UDP fragmentation
Ondřej Surý
ondrej.sury at nic.cz
Wed Sep 4 14:40:28 UTC 2013
On 4. 9. 2013, at 16:33, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Wed, Sep 04, 2013 at 04:04:13PM +0200,
> Ondřej Surý <ondrej.sury at nic.cz> wrote
> a message of 93 lines which said:
>
>>> Isn't it a good idea to limit the maximum size of the response,
>>> like .com/.net (and may be other TLD: examples welcome) do? This
>>> will make the attack more difficult.
>>
>> That could work, but what EDNS0 buffer size to pick?
>
> .com/.net does it apparently around 1400 bytes, which certainly covers
> the vast majority of Internet paths.
But they have 1400 with fragmentation allowed, right? That doesn't really answer the question, does it?
>> And how to push this to end users?
>
> Why? They don't need it (otherwise, .com would not work and we would
> have noticed :-)
Err, I meant DNS server operators (I guess I was writing it with my DNS vendor hat on).
>> We are currently looking at our DNS data for fragments (and their
>> sizes), so it might give us some hints.
>
> Check also ICMP "packet too big" coming in with ridiculous sizes, they
> might be the sign that someone is trying the Shulman attack.
True, but again, that might work for us, but not for average DNS operator.
O.
--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury at nic.cz http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
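The two indicators the thread mentions (fragmented DNS responses, and ICMP "fragmentation needed" messages carrying implausibly small MTUs) can be checked with a small classifier like the one below. This is an added example, not code from the thread or from CZ.NIC; the packets are constructed inline for illustration, the 576-byte sanity threshold is an assumption, and the ICMP check covers the IPv4 type 3/code 4 message rather than the IPv6 Packet Too Big message.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def ipv4(proto, src, dst, payload, frag_off=0, mf=False, ident=0x1234):
    """Build a constructed IPv4 packet with explicit fragmentation fields."""
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def udp(sport, dport, data):
    """UDP header (checksum left zero) followed by the DNS payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_frag_needed(mtu):
    """ICMPv4 type 3 code 4: destination unreachable, fragmentation needed."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu)


def classify(pkt, min_sane_mtu=576):
    """Return findings for one IPv4 packet: fragmented DNS answers and odd PTBs."""
    ver_ihl, _, total, ident, flags_frag, _, proto, _, _, _ = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & 0x2000)
    frag_off = (flags_frag & 0x1FFF) * 8
    body = pkt[ihl:]
    findings = []
    if frag_off != 0:
        # Only the first fragment carries the UDP header, so later pieces are
        # tied back to it through the IP identification field.
        findings.append(("trailing_fragment", ident, frag_off))
    elif proto == 17 and mf and body[:2] == struct.pack("!H", 53):
        # Source port 53 with More Fragments set: a DNS answer that did not fit
        # the path MTU, exactly what a lower EDNS0 buffer size is meant to avoid.
        findings.append(("fragmented_dns_response", ident, total))
    if proto == 1 and body[0] == 3 and body[1] == 4:
        mtu = struct.unpack("!H", body[6:8])[0]
        if mtu < min_sane_mtu:
            # Tiny advertised MTUs force small fragments; worth alerting on.
            findings.append(("suspicious_ptb", mtu))
    return findings
```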